File perl-Authen-SASL-CVE-2025-40918.patch of Package perl-Authen-SASL

From 82e12b25963bd9d156a9006c9a0929f459b8536a Mon Sep 17 00:00:00 2001
From: Robert Rothenberg <rrwo@cpan.org>
Date: Thu, 10 Jul 2025 21:05:29 +0100
Subject: [PATCH 1/3] Generate cnonce and nonce from system randomness

This fixes CVE-2025-40918.
---
 lib/Authen/SASL/Perl/DIGEST_MD5.pm | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/lib/Authen/SASL/Perl/DIGEST_MD5.pm b/lib/Authen/SASL/Perl/DIGEST_MD5.pm
index f089849..44d2109 100644
--- a/lib/Authen/SASL/Perl/DIGEST_MD5.pm
+++ b/lib/Authen/SASL/Perl/DIGEST_MD5.pm
@@ -10,6 +10,7 @@ package Authen::SASL::Perl::DIGEST_MD5;
 use strict;
 use warnings;
 use vars qw(@ISA $CNONCE $NONCE);
+use Crypt::URandom qw(urandom);
 use Digest::MD5 qw(md5_hex md5);
 use Digest::HMAC_MD5 qw(hmac_md5);
 
@@ -201,7 +202,7 @@ sub server_start {
 
   $self->{need_step} = 1;
   $self->{error}     = undef;
-  $self->{nonce}     = md5_hex($NONCE || join (":", $$, time, rand));
+  $self->{nonce}     = $NONCE? md5_hex($NONCE) : unpack('H32',urandom(16));
 
   $self->init_sec_layer;
 
@@ -260,7 +261,7 @@ sub client_step {   # $self, $server_sasl_credentials
 
   my %response = (
     nonce        => $sparams{'nonce'},
-    cnonce       => md5_hex($CNONCE || join (":", $$, time, rand)),
+    cnonce       => $CNONCE? md5_hex($CNONCE) : unpack('H32',urandom(16)),
     'digest-uri' => $self->service . '/' . $self->host,
     # calc how often the server nonce has been seen; server expects "00000001"
     nc           => sprintf("%08d",     ++$self->{nonce_counts}{$sparams{'nonce'}}),

From 1284e47c1715ad7d0a8dc07d72d9524ca0da3f17 Mon Sep 17 00:00:00 2001
From: Robert Rothenberg <rrwo@cpan.org>
Date: Wed, 16 Jul 2025 19:59:42 +0100
Subject: [PATCH 2/3] Add whitespace before conditional operator

---
 lib/Authen/SASL/Perl/DIGEST_MD5.pm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/Authen/SASL/Perl/DIGEST_MD5.pm b/lib/Authen/SASL/Perl/DIGEST_MD5.pm
index 44d2109..8c4a67a 100644
--- a/lib/Authen/SASL/Perl/DIGEST_MD5.pm
+++ b/lib/Authen/SASL/Perl/DIGEST_MD5.pm
@@ -202,7 +202,7 @@ sub server_start {
 
   $self->{need_step} = 1;
   $self->{error}     = undef;
-  $self->{nonce}     = $NONCE? md5_hex($NONCE) : unpack('H32',urandom(16));
+  $self->{nonce}     = $NONCE ? md5_hex($NONCE) : unpack('H32',urandom(16));
 
   $self->init_sec_layer;
 
@@ -261,7 +261,7 @@ sub client_step {   # $self, $server_sasl_credentials
 
   my %response = (
     nonce        => $sparams{'nonce'},
-    cnonce       => $CNONCE? md5_hex($CNONCE) : unpack('H32',urandom(16)),
+    cnonce       => $CNONCE ? md5_hex($CNONCE) : unpack('H32',urandom(16)),
     'digest-uri' => $self->service . '/' . $self->host,
     # calc how often the server nonce has been seen; server expects "00000001"
     nc           => sprintf("%08d",     ++$self->{nonce_counts}{$sparams{'nonce'}}),


openSUSE Build Service is sponsored by