* [rpms/perl-Crypt-DSA] epel9: Fix key material reuse for multiple signing events (CVE-2026-12205, CWE-323)
@ 2026-06-15 11:36 Paul Howarth
From: Paul Howarth @ 2026-06-15 11:36 UTC (permalink / raw)
  To: git-commits

A new commit has been pushed.

Repo   : rpms/perl-Crypt-DSA
Branch : epel9
Commit : 2df3c51a0ebc662250d7d996641d9331407a069f
Author : Paul Howarth <paul@city-fan.org>
Date   : 2026-06-15T12:31:45+01:00
Stats  : +86/-1 in 2 file(s)
URL    : https://src.fedoraproject.org/rpms/perl-Crypt-DSA/c/2df3c51a0ebc662250d7d996641d9331407a069f?branch=epel9

Log:
Fix key material reuse for multiple signing events (CVE-2026-12205, CWE-323)

---
diff --git a/Crypt-DSA-1.17-CVE-2026-12205.patch b/Crypt-DSA-1.17-CVE-2026-12205.patch
new file mode 100644
index 0000000..5a28054
--- /dev/null
+++ b/Crypt-DSA-1.17-CVE-2026-12205.patch
@@ -0,0 +1,78 @@
+--- lib/Crypt/DSA.pm
++++ lib/Crypt/DSA.pm
+@@ -44,8 +44,11 @@ sub sign {
+     croak "Data too large for key size"
+         if $dlen > $i || $dlen > 50;
+ 
+-    $dsa->_sign_setup($key)
+-        unless $key->kinv && $key->r;
++    # SECURITY: a DSA nonce (k) must NEVER be reused across signatures;
++    # two signatures sharing k disclose the private key. Always generate
++    # fresh r/kinv per signature -- do NOT reuse any values cached on the
++    # Key object from a previous sign().
++    $dsa->_sign_setup($key);
+ 
+     my $m = bin2mp($dgst);
+     my $xr = ($key->priv_key * $key->r) % $key->q;
+--- MANIFEST
++++ MANIFEST
+@@ -18,6 +18,7 @@ t/03-keygen.t
+ t/04-pem.t
+ t/06-fips.t
+ t/07-openid.t
++t/08-cve-2026-12205.t
+ xt/meta.t
+ xt/pmv.t
+ xt/pod.t
+--- t/08-cve-2026-12205.t
++++ t/08-cve-2026-12205.t
+@@ -0,0 +1,49 @@
++use strict;
++use warnings;
++use Test::More;
++use Crypt::DSA;
++use Crypt::DSA::Util qw( bin2mp );
++use Digest::SHA qw( sha1 );
++use Math::BigInt;
++#
++# Crypt::DSA k-reuse (DSA nonce reuse) -> full private-key recovery test.
++
++my $dsa = Crypt::DSA->new();
++isa_ok($dsa, 'Crypt::DSA');
++
++my $key = $dsa->keygen( Size => 512 );
++
++my $msg1 = "transfer \$10 to alice";
++my $msg2 = "transfer \$10000 to mallory";
++
++my $sig1 = $dsa->sign( Message => $msg1, Key => $key );
++my $sig2 = $dsa->sign( Message => $msg2, Key => $key );
++
++my $q = Math::BigInt->new( $key->q->bstr );
++my $r1 = Math::BigInt->new( $sig1->r->bstr );
++my $r2 = Math::BigInt->new( $sig2->r->bstr );
++my $s1 = Math::BigInt->new( $sig1->s->bstr );
++my $s2 = Math::BigInt->new( $sig2->s->bstr );
++
++ok ( $r1 != $r2, "nonce k was regenerated per signature.");
++
++# message representatives, exactly as sign() computes them:
++#   m = bin2mp(sha1(Message))   (no reduction; final result is mod q)
++my $m1 = Math::BigInt->new( bin2mp( sha1($msg1) )->bstr );
++my $m2 = Math::BigInt->new( bin2mp( sha1($msg2) )->bstr );
++
++# k = (m1 - m2) * (s1 - s2)^-1 mod q
++my $num = ( $m1 - $m2 ) % $q;
++my $den = ( ( $s1 - $s2 ) % $q )->bmodinv($q);
++my $k   = ( $num * $den ) % $q;
++
++# x = (s1*k - m1) * r^-1 mod q
++my $rinv = $r1->copy->bmodinv($q);
++my $x    = ( ( ( $s1 * $k - $m1 ) % $q ) * $rinv ) % $q;
++$x += $q while $x < 0;
++
++my $real_x = Math::BigInt->new( $key->priv_key->bstr );
++
++ok ( $x ne $real_x, "Recovered private key does not match the real private key");
++
++done_testing()
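Review bot: The new t/08-cve-2026-12205.t only asserts that k-recovery fails (`ok ( $x ne $real_x, ...)`) and that `$r1 != $r2`; it never checks that the signatures produced by the patched `sign()` still verify, so a regression that broke signing (for example an r/kinv mismatch left on the Key object) would pass this test unnoticed. Add, after the two `sign()` calls, `ok( $dsa->verify( Message => $msg1, Key => $key, Signature => $sig1 ), 'sig1 still verifies' );` and the same line for `$msg2`/`$sig2`. The loop `$x += $q while $x < 0;` looks dead: Math::BigInt's `%` already returns a result with the sign of the (positive) modulus, so `$x` should never be negative there — confirm and drop it, and prefer `isnt( "$x", "$real_x", ... )` over the bare `ok` so a failure prints both values. Note that the unconditional `$dsa->_sign_setup($key);` call closes the cached-r/kinv reuse path, but the nonce draw itself and any r == 0 / s == 0 rejection live in `_sign_setup`, which is outside this hunk and untouched by the patch, so this test cannot speak to the quality of k beyond its non-repetition across two calls.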

diff --git a/perl-Crypt-DSA.spec b/perl-Crypt-DSA.spec
index 1b7bae4..5526c20 100644
--- a/perl-Crypt-DSA.spec
+++ b/perl-Crypt-DSA.spec
@@ -1,7 +1,7 @@
 Summary:	Perl module for DSA signatures and key generation
 Name:		perl-Crypt-DSA
 Version:	1.17
-Release:	29%{?dist}
+Release:	30%{?dist}
 License:	GPL-1.0-or-later OR Artistic-1.0-Perl
 Url:		https://metacpan.org/release/Crypt-DSA
 Source0:	https://cpan.metacpan.org/modules/by-module/Crypt/Crypt-DSA-%{version}.tar.gz
@@ -9,6 +9,7 @@ Patch0:		remove-fallback.patch
 Patch1:		Crypt-DSA-1.17-CVE-2026-8700.patch
 Patch2:		Crypt-DSA-1.17-CVE-2026-8704.patch
 Patch3:		Crypt-DSA-1.17-tidy.patch
+Patch4:		Crypt-DSA-1.17-CVE-2026-12205.patch
 BuildArch:	noarch
 # Module Build
 BuildRequires:	coreutils
@@ -94,6 +95,9 @@ sed -i -e '/^inc\// d' MANIFEST
 # - Fix typo in Crypt::DSA::Util
 %patch -P3 -p1
 
+# Fix key material reuse for multiple signing events (CVE-2026-12205, CWE-323)
+%patch -P4
+
 %build
 perl Makefile.PL INSTALLDIRS=vendor NO_PACKLIST=1 NO_PERLLOCAL=1
 %{make_build}
@@ -118,6 +122,9 @@ make test AUTOMATED_TESTING=1
 %{_mandir}/man3/Crypt::DSA::Util.3*
 
 %changelog
+* Mon Jun 15 2026 Paul Howarth <paul@city-fan.org> - 1.17-30
+- Fix key material reuse for multiple signing events (CVE-2026-12205, CWE-323)
+
 * Mon May 18 2026 Paul Howarth <paul@city-fan.org> - 1.17-29
 - Replace use of cryptographically-insecure rand() function (CVE-2026-8700);
   use Crypt::URandom instead, which has a backend that calls getrandom() on
