head 1.1; access; symbols pkgsrc-2026Q2:1.1.0.2; locks; strict; comment @# @; 1.1 date 2026.06.26.17.01.30; author wiz; state Exp; branches 1.1.2.1; next ; commitid MSSBTfFsi7ROwkLG; 1.1.2.1 date 2026.06.26.17.01.30; author bsiegert; state dead; branches; next 1.1.2.2; commitid ZMrv95wqIb3MVALG; 1.1.2.2 date 2026.06.28.18.25.36; author bsiegert; state Exp; branches; next ; commitid ZMrv95wqIb3MVALG; desc @@ 1.1 log @p5-Bytes-Random-Secure: fix CVE-2026-11625. Bump PKGREVISION. @ text @$NetBSD$ Fix CVE-2026-11625. https://security.metacpan.org/patches/B/Bytes-Random-Secure/0.29/CVE-2026-11625-r1.patch --- lib/Bytes/Random/Secure.pm.orig 2015-07-13 04:38:06.000000000 +0000 +++ lib/Bytes/Random/Secure.pm @@@@ -156,6 +156,7 @@@@ sub _build_attributes { $self->{$arg} = exists $args->{$arg} ? $args->{$arg} : $default; } + $self->{_pid} = $$; $self->{_RNG} = undef; # Lazy initialization. return $self; } @@@@ -171,6 +172,8 @@@@ sub _instantiate_rng { my @@seeds = $self->_generate_seed( %seed_opts ); $self->{_RNG} = Math::Random::ISAAC->new(@@seeds); + $self->{_pid} = $$; + return $self->{_RNG}; } @@@@ -224,7 +227,7 @@@@ sub bytes { $bytes = defined $bytes ? $bytes : 0; # Default to zero bytes. $self->_validate_int( $bytes ); # Throws on violation. - $self->_instantiate_rng unless defined $self->{_RNG}; + $self->_instantiate_rng unless $$ == $self->{_pid} && defined $self->{_RNG}; my $str = ''; @@@@ -302,7 +305,7 @@@@ sub _ranged_randoms { $count = defined $count ? $count : 0; # Lazily seed the RNG so we don't waste available strong entropy. - $self->_instantiate_rng unless defined $self->{_RNG}; + $self->_instantiate_rng unless $$ == $self->{_pid} && defined $self->{_RNG}; my $divisor = $self->_closest_divisor($range); @@@@ -354,7 +357,7 @@@@ sub irand { sub irand { my( $self ) = @@_; - $self->_instantiate_rng unless defined $self->{_RNG}; + $self->_instantiate_rng unless $$ == $self->{_pid} && defined $self->{_RNG}; return $self->{_RNG}->irand; } @ 1.1.2.1 log @file patch-lib_Bytes_Random_Secure.pm was added on branch pkgsrc-2026Q2 on 2026-06-28 18:25:36 +0000 @ text @d1 51 @ 1.1.2.2 log @Pullup ticket #7147 - requested by taca security/p5-Bytes-Random-Secure: security fix Revisions pulled up: - security/p5-Bytes-Random-Secure/Makefile 1.17 - security/p5-Bytes-Random-Secure/distinfo 1.7 - security/p5-Bytes-Random-Secure/patches/patch-lib_Bytes_Random_Secure.pm 1.1 --- Module Name: pkgsrc Committed By: wiz Date: Fri Jun 26 17:01:30 UTC 2026 Modified Files: pkgsrc/security/p5-Bytes-Random-Secure: Makefile distinfo Added Files: pkgsrc/security/p5-Bytes-Random-Secure/patches: patch-lib_Bytes_Random_Secure.pm Log Message: p5-Bytes-Random-Secure: fix CVE-2026-11625. Bump PKGREVISION. @ text @a0 51 $NetBSD: patch-lib_Bytes_Random_Secure.pm,v 1.1 2026/06/26 17:01:30 wiz Exp $ Fix CVE-2026-11625. https://security.metacpan.org/patches/B/Bytes-Random-Secure/0.29/CVE-2026-11625-r1.patch --- lib/Bytes/Random/Secure.pm.orig 2015-07-13 04:38:06.000000000 +0000 +++ lib/Bytes/Random/Secure.pm @@@@ -156,6 +156,7 @@@@ sub _build_attributes { $self->{$arg} = exists $args->{$arg} ? $args->{$arg} : $default; } + $self->{_pid} = $$; $self->{_RNG} = undef; # Lazy initialization. return $self; } @@@@ -171,6 +172,8 @@@@ sub _instantiate_rng { my @@seeds = $self->_generate_seed( %seed_opts ); $self->{_RNG} = Math::Random::ISAAC->new(@@seeds); + $self->{_pid} = $$; + return $self->{_RNG}; } @@@@ -224,7 +227,7 @@@@ sub bytes { $bytes = defined $bytes ? $bytes : 0; # Default to zero bytes. $self->_validate_int( $bytes ); # Throws on violation. - $self->_instantiate_rng unless defined $self->{_RNG}; + $self->_instantiate_rng unless $$ == $self->{_pid} && defined $self->{_RNG}; my $str = ''; @@@@ -302,7 +305,7 @@@@ sub _ranged_randoms { $count = defined $count ? $count : 0; # Lazily seed the RNG so we don't waste available strong entropy. - $self->_instantiate_rng unless defined $self->{_RNG}; + $self->_instantiate_rng unless $$ == $self->{_pid} && defined $self->{_RNG}; my $divisor = $self->_closest_divisor($range); @@@@ -354,7 +357,7 @@@@ sub irand { sub irand { my( $self ) = @@_; - $self->_instantiate_rng unless defined $self->{_RNG}; + $self->_instantiate_rng unless $$ == $self->{_pid} && defined $self->{_RNG}; return $self->{_RNG}->irand; } @