librnp: Weak random number generation — GLSA 202511-07

librnp uses weak random number generation such that generated keys can be easily cracked.

Affected packages

dev-util/librnp on all architectures
  Affected versions:   = 0.18.0
  Unaffected versions: >= 0.18.1
                       < 0.18

Background

librnp is a high-performance C++ OpenPGP library.

Description

The affected librnp version generated weak session keys for its public-key encryption mode (PKESK, Public-Key Encrypted Session Key).

Impact

Messages encrypted using the affected librnp version might be readable by an attacker with just the public key.

Workaround

There is no known workaround at this time.

Resolution

All librnp users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=dev-util/librnp-0.18.1"

If sensitive information was sent with the affected version, e.g. via Thunderbird (built with USE=system-librnp, the default), it should be considered potentially readable by an attacker.

References

Release date
November 26, 2025

Latest revision
November 26, 2025 (revision 1)

Severity
high

Exploitable
local and remote

Bugzilla entries