Message-ID: <af03595e2ef2fa6c4878240530e150c9@cpansec.org>
Date: Sat, 04 Jul 2026 22:33:26 -0300
From: Timothy Legge <timlegge@...nsec.org>
To: Cve Announce <cve-announce@...urity.metacpan.org>, Oss Security
 <oss-security@...ts.openwall.com>
Subject: CVE-2026-14570: Crypt::DSA versions before 1.22 for Perl draw the DSA
 signing nonce and private key from a biased random generator, leading to
 private-key recovery

========================================================================
CVE-2026-14570                                       CPAN Security Group
========================================================================

         CVE ID:  CVE-2026-14570
   Distribution:  Crypt-DSA
       Versions:  before 1.22

       MetaCPAN:  https://metacpan.org/dist/Crypt-DSA
       VCS Repo:  https://github.com/perl-Crypt-OpenPGP/Crypt-DSA


Crypt::DSA versions before 1.22 for Perl draw the DSA signing nonce and
private key from a biased random generator, leading to private-key
recovery

Description
-----------
Crypt::DSA versions before 1.22 for Perl draw the DSA signing nonce and
private key from a biased random generator, leading to private-key
recovery.

"Crypt::DSA::Util::makerandom forces the high bit of every value it
returns to obtain an exactly N-bit integer for prime search. The
signing nonce and the private key are drawn from makerandom. Because
the high bit is always set, the result is not uniform: its top bit is
fixed, producing insecure values."

An attacker who collects a modest number of signatures under an
affected key, together with the public key, can recover the private key
with a lattice attack.

Keys used to sign with an affected version should be considered
compromised and new keys should be generated.

Problem types
-------------
- CWE-330 Use of Insufficiently Random Values

Solutions
---------
Upgrade to version 1.22 or later, which draws the nonce and private key
uniformly via rejection sampling (Crypt::DSA::Util::randombelow) with
no forced high bit.
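An illustrative model of the two sampling approaches the advisory contrasts (added here, not Crypt::DSA's own code): a forced-high-bit draw in the style of the pre-1.22 makerandom, beside rejection sampling below q as 1.22 does via randombelow, plus a check that exposes the bias on a batch of outputs. The modulus q used below is a constructed 160-bit value, not a real DSA parameter.

```python
import random


def biased_nbits(rng: random.Random, nbits: int) -> int:
    """Model of the pre-1.22 behaviour: force the high bit so the result is
    exactly nbits wide. Every output is >= 2**(nbits-1), so the top bit of
    each nonce and private key is fixed. (Illustrative, not the module's code.)"""
    return rng.getrandbits(nbits) | (1 << (nbits - 1))


def uniform_below(rng: random.Random, q: int) -> int:
    """Rejection sampling in [1, q): draw q.bit_length() bits and redraw
    anything out of range. No bit is forced, so the result is uniform.
    (Illustrative model of the 1.22 approach, not the module's code.)"""
    nbits = q.bit_length()
    while True:
        r = rng.getrandbits(nbits)
        if 1 <= r < q:
            return r


def high_bit_fraction(values, nbits: int) -> float:
    """Fraction of values whose bit nbits-1 is set. A forced-high-bit
    sampler gives exactly 1.0; a uniform one stays near the expected ratio."""
    return sum((v >> (nbits - 1)) & 1 for v in values) / len(values)


def expected_high_bit_fraction(q: int) -> float:
    """For uniform values in [1, q): share of the range at or above 2**(nbits-1)."""
    nbits = q.bit_length()
    return (q - (1 << (nbits - 1))) / (q - 1)


def compare_samplers(q: int, n: int = 2000, seed: int = 1) -> dict:
    """Draw n values from each sampler and report the bias indicators."""
    rng = random.Random(seed)  # seeded only so the demo is reproducible
    nbits = q.bit_length()
    biased = [biased_nbits(rng, nbits) for _ in range(n)]
    uniform = [uniform_below(rng, q) for _ in range(n)]
    return {
        "biased_high_bit": high_bit_fraction(biased, nbits),
        "uniform_high_bit": high_bit_fraction(uniform, nbits),
        "expected_uniform": expected_high_bit_fraction(q),
        "biased_all_in_upper_half": min(biased) >= 1 << (nbits - 1),
        "uniform_in_range": all(1 <= v < q for v in uniform),
    }


if __name__ == "__main__":
    # Constructed 160-bit modulus (odd, not a real DSA q): chosen so a
    # uniform sampler sets the top bit about one third of the time.
    print(compare_samplers((3 << 158) | 1))
```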

Revoke and regenerate any keys used to sign with an affected version.

Crypt::DSA was deprecated in version 1.20. You should migrate to
another solution.


References
----------
https://metacpan.org/release/TIMLEGGE/Crypt-DSA-1.21/source/lib/Crypt/DSA/Util.pm#L56
https://metacpan.org/release/TIMLEGGE/Crypt-DSA-1.22/diff/TIMLEGGE/Crypt-DSA-1.21#lib/Crypt/DSA/Util.pm
https://metacpan.org/release/TIMLEGGE/Crypt-DSA-1.22/changes

