pkgsrc-Changes archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

CVS commit: [pkgsrc-2026Q2] pkgsrc/security/p5-Bytes-Random-Secure-Tiny



Module Name:    pkgsrc
Committed By:   bsiegert
Date:           Sun Jun 28 18:26:39 UTC 2026

Modified Files:
        pkgsrc/security/p5-Bytes-Random-Secure-Tiny [pkgsrc-2026Q2]: Makefile
            distinfo
Added Files:
        pkgsrc/security/p5-Bytes-Random-Secure-Tiny/patches [pkgsrc-2026Q2]:
            patch-lib_Bytes_Random_Secure_Tiny.pm

Log Message:
Pullup ticket #7148 - requested by taca
p5-Bytes-Random-Secure-Tiny: security fix

Revisions pulled up:
- security/p5-Bytes-Random-Secure-Tiny/Makefile                 1.3
- security/p5-Bytes-Random-Secure-Tiny/distinfo                 1.2
- security/p5-Bytes-Random-Secure-Tiny/patches/patch-lib_Bytes_Random_Secure_Tiny.pm 1.1

---
   Module Name: pkgsrc
   Committed By:        wiz
   Date:                Fri Jun 26 17:04:19 UTC 2026

   Modified Files:
        pkgsrc/security/p5-Bytes-Random-Secure-Tiny: Makefile distinfo
   Added Files:
        pkgsrc/security/p5-Bytes-Random-Secure-Tiny/patches:
            patch-lib_Bytes_Random_Secure_Tiny.pm

   Log Message:
   p5-Bytes-Random-Secure-Tiny: fix CVE-2026-11702

   Bump PKGREVISION.


To generate a diff of this commit:
cvs rdiff -u -r1.2 -r1.2.8.1 \
    pkgsrc/security/p5-Bytes-Random-Secure-Tiny/Makefile
cvs rdiff -u -r1.1 -r1.1.10.1 \
    pkgsrc/security/p5-Bytes-Random-Secure-Tiny/distinfo
cvs rdiff -u -r0 -r1.1.2.2 \
    pkgsrc/security/p5-Bytes-Random-Secure-Tiny/patches/patch-lib_Bytes_Random_Secure_Tiny.pm

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/security/p5-Bytes-Random-Secure-Tiny/Makefile
diff -u pkgsrc/security/p5-Bytes-Random-Secure-Tiny/Makefile:1.2 pkgsrc/security/p5-Bytes-Random-Secure-Tiny/Makefile:1.2.8.1
--- pkgsrc/security/p5-Bytes-Random-Secure-Tiny/Makefile:1.2    Fri Jul  4 08:47:56 2025
+++ pkgsrc/security/p5-Bytes-Random-Secure-Tiny/Makefile        Sun Jun 28 18:26:39 2026
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.2 2025/07/04 08:47:56 wiz Exp $
+# $NetBSD: Makefile,v 1.2.8.1 2026/06/28 18:26:39 bsiegert Exp $
 
 DISTNAME=      Bytes-Random-Secure-Tiny-1.011
 PKGNAME=       p5-${DISTNAME}
-PKGREVISION=   1
+PKGREVISION=   2
 CATEGORIES=    security perl5
 MASTER_SITES=  ${MASTER_SITE_PERL_CPAN:=Bytes/}
 

Index: pkgsrc/security/p5-Bytes-Random-Secure-Tiny/distinfo
diff -u pkgsrc/security/p5-Bytes-Random-Secure-Tiny/distinfo:1.1 pkgsrc/security/p5-Bytes-Random-Secure-Tiny/distinfo:1.1.10.1
--- pkgsrc/security/p5-Bytes-Random-Secure-Tiny/distinfo:1.1    Tue Apr  1 16:59:51 2025
+++ pkgsrc/security/p5-Bytes-Random-Secure-Tiny/distinfo        Sun Jun 28 18:26:39 2026
@@ -1,5 +1,6 @@
-$NetBSD: distinfo,v 1.1 2025/04/01 16:59:51 abs Exp $
+$NetBSD: distinfo,v 1.1.10.1 2026/06/28 18:26:39 bsiegert Exp $
 
 BLAKE2s (Bytes-Random-Secure-Tiny-1.011.tar.gz) = 55f73a924691060a957a7e0457724d0fef8d68f4b03b37e9b5139d67dd5c7bdc
 SHA512 (Bytes-Random-Secure-Tiny-1.011.tar.gz) = b04b765af3d4ecd337571b53ff02d9efc54a08a598ece5df82357c8e364fbeff0f2a97561916a0e362f5e89e83939cdd10c3a3b3288e2952324fa57490d640be
 Size (Bytes-Random-Secure-Tiny-1.011.tar.gz) = 28598 bytes
+SHA1 (patch-lib_Bytes_Random_Secure_Tiny.pm) = d88b90ff66add7a2204b6919eb0b036380a98b98

Added files:

Index: pkgsrc/security/p5-Bytes-Random-Secure-Tiny/patches/patch-lib_Bytes_Random_Secure_Tiny.pm
diff -u /dev/null pkgsrc/security/p5-Bytes-Random-Secure-Tiny/patches/patch-lib_Bytes_Random_Secure_Tiny.pm:1.1.2.2
--- /dev/null   Sun Jun 28 18:26:39 2026
+++ pkgsrc/security/p5-Bytes-Random-Secure-Tiny/patches/patch-lib_Bytes_Random_Secure_Tiny.pm   Sun Jun 28 18:26:39 2026
@@ -0,0 +1,62 @@
+$NetBSD: patch-lib_Bytes_Random_Secure_Tiny.pm,v 1.1.2.2 2026/06/28 18:26:39 bsiegert Exp $
+
+Fix CVE-2026-11702.
+https://security.metacpan.org/patches/B/Bytes-Random-Secure-Tiny/1.011/CVE-2026-11702-r1.patch
+
+--- lib/Bytes/Random/Secure/Tiny.pm.orig       2020-09-25 17:56:00.000000000 +0000
++++ lib/Bytes/Random/Secure/Tiny.pm
+@@ -310,18 +310,46 @@ sub new {
+     $bits = delete $args{bits} if exists $args{bits};
+     croak "Number of bits must be 64 <= n <= 8192, and a multipe in 2^n: $bits"
+         if $bits < 64 || $bits > 8192 || !_ispowerof2($bits);
+-    return Hash::Util::lock_hashref bless {
+-        bits => $bits,
+-        _rng => Math::Random::ISAAC::Embedded->new(do{
+-            my $source = Crypt::Random::Seed::Embedded->new(%args)
+-                or croak 'Could not get a seed source.';
+-            $source->random_values($bits/32);
+-        }),
++    # Fork safety: the engine + the PID that seeded it live in a nested hash.
++    # lock_hashref (below) makes the top-level _state *reference* read-only, but
++    # the hash it points to stays mutable, so a forked child can swap in a fresh
++    # engine and record its own PID without unlocking. _seed_args/bits are kept
++    # so the child can re-seed identically.
++    $self = bless {
++        bits       => $bits,
++        _seed_args => {%args},
++        _state     => { pid => $$ },
+     }, $class;
++    $self->{_state}{rng} = $self->_seed_rng;
++    return Hash::Util::lock_hashref $self;
+ }
+ 
++sub _seed_rng {
++    my $self = shift;
++    return Math::Random::ISAAC::Embedded->new(do{
++        my $source = Crypt::Random::Seed::Embedded->new(%{$self->{_seed_args}})
++            or croak 'Could not get a seed source.';
++        $source->random_values($self->{bits}/32);
++    });
++}
++
+ sub _ispowerof2 {my $n = shift; return ($n >= 0) && (($n & ($n-1)) ==0 )}
+-sub irand {shift->{'_rng'}->irand}
++
++# All random output (bytes, bytes_hex, string_from, shuffle) funnels through
++# irand, so the fork guard lives here once. If the PID changed, this process is
++# a fork() child that inherited the parent's ISAAC state; re-seed from fresh
++# entropy and record the new PID so the re-seed happens at most once per fork.
++# Reading $$ is a cached variable (no syscall). Threads are out of scope (a new
++# thread keeps $$) and remain caller-responsibility per the POD.
++sub irand {
++    my $self  = shift;
++    my $state = $self->{'_state'};
++    if ($state->{pid} != $$) {
++        $state->{rng} = $self->_seed_rng;
++        $state->{pid} = $$;
++    }
++    return $state->{rng}->irand;
++}
+ sub bytes_hex {unpack 'H*', shift->bytes(shift)} # lc Hex digits only, no '0x'
+ 
+ sub bytes {



Home | Main Index | Thread Index | Old Index