Version in base suite: 0.54-1 Base version: libcrypt-urandom-perl_0.54-1 Target version: libcrypt-urandom-perl_0.54-1+deb13u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/libc/libcrypt-urandom-perl/libcrypt-urandom-perl_0.54-1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/libc/libcrypt-urandom-perl/libcrypt-urandom-perl_0.54-1+deb13u1.dsc changelog | 7 ++++ patches/0001-Fix-for-CVE-2026-2474.patch | 48 +++++++++++++++++++++++++++++++ patches/series | 1 3 files changed, 56 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmppvk01i6q/libcrypt-urandom-perl_0.54-1.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmppvk01i6q/libcrypt-urandom-perl_0.54-1+deb13u1.dsc: no acceptable signature found
diff -Nru libcrypt-urandom-perl-0.54/debian/changelog libcrypt-urandom-perl-0.54/debian/changelog
--- libcrypt-urandom-perl-0.54/debian/changelog 2025-03-22 23:32:16.000000000 +0000
+++ libcrypt-urandom-perl-0.54/debian/changelog 2026-06-11 13:02:53.000000000 +0000
@@ -1,3 +1,10 @@
+libcrypt-urandom-perl (0.54-1+deb13u1) trixie; urgency=medium
+
+ * Non-maintainer upload.
+ * CVE-2026-2474: heap buffer overflow in crypt_urandom_getrandom()
+
+ -- Adrian Bunk Thu, 11 Jun 2026 16:02:53 +0300
+
 libcrypt-urandom-perl (0.54-1) unstable; urgency=medium

 * Team upload.
diff -Nru libcrypt-urandom-perl-0.54/debian/patches/0001-Fix-for-CVE-2026-2474.patch libcrypt-urandom-perl-0.54/debian/patches/0001-Fix-for-CVE-2026-2474.patch
--- libcrypt-urandom-perl-0.54/debian/patches/0001-Fix-for-CVE-2026-2474.patch 1970-01-01 00:00:00.000000000 +0000
+++ libcrypt-urandom-perl-0.54/debian/patches/0001-Fix-for-CVE-2026-2474.patch 2026-06-11 11:29:19.000000000 +0000
@@ -0,0 +1,48 @@
+From 8e985a5137a789f281ab3c8004be832cfa46aec3 Mon Sep 17 00:00:00 2001
+From: David Dick
+Date: Tue, 17 Feb 2026 06:58:54 +1100
+Subject: Fix for CVE-2026-2474
+
+---
+ URandom.xs | 3 +++
+ t/rand.t | 9 ++++++++-
+ 2 files changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/URandom.xs b/URandom.xs
+index c39dc3b..7c57d22 100644
+--- a/URandom.xs
++++ b/URandom.xs
+@@ -38,6 +38,9 @@ crypt_urandom_getrandom(length)
+ char *data;
+ int result;
+ CODE:
++ if (length < 0) {
++ croak("The length argument cannot be less than 0");
++ }
+ Newx(data, length + 1u, char);
+ GETRANDOM:
+ #ifdef HAVE_CRYPT_URANDOM_NATIVE_GETRANDOM
+diff --git a/t/rand.t b/t/rand.t
+index 5b81fe9..98b918d 100644
+--- a/t/rand.t
++++ b/t/rand.t
+@@ -1,4 +1,4 @@
+-use Test::More tests => 10;
++use Test::More tests => 11;
+ use Crypt::URandom();
+
+ foreach my $correct (qw(500000 500 50)) {
+@@ -38,3 +38,10 @@ eval {
+ };
+ chomp $@;
+ ok($exception_thrown, "Correctly throws exception with non integer parameter:$@");
++$exception_thrown = 1;
++eval {
++ Crypt::URandom::getrandom(-1);
++ $exception_thrown = 0;
++};
++chomp $@;
++ok($exception_thrown, "getrandom correctly throws exception with less than zero parameter:$@");
+--
+2.47.3
+
diff -Nru libcrypt-urandom-perl-0.54/debian/patches/series libcrypt-urandom-perl-0.54/debian/patches/series
--- libcrypt-urandom-perl-0.54/debian/patches/series 1970-01-01 00:00:00.000000000 +0000
+++ libcrypt-urandom-perl-0.54/debian/patches/series 2026-06-11 13:02:53.000000000 +0000
@@ -0,0 +1 @@
+0001-Fix-for-CVE-2026-2474.patch
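Review bot: In the t/rand.t part of the embedded patch, the new regression test only asserts that some exception was raised by `Crypt::URandom::getrandom(-1)`. `$@` is interpolated into the test label but never checked, so the test would also pass if the call died for an unrelated reason without reaching the new XS guard. Matching the message would pin the test to the fix, e.g. `like($@, qr/cannot be less than 0/, "getrandom rejects a negative length");` in place of the final `ok(...)`. This assumes the call reaches crypt_urandom_getrandom() on the build platform, which the page does not show. In the URandom.xs part, the guard `length < 0` only works if `length` is declared with a signed type; that declaration sits above the hunk and the function body continues past it, so it is worth confirming before relying on the check.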