This queue is for tickets about the Crypt-OpenSSL-DSA CPAN distribution.

Report information
The Basics
Id: 79958
Status: resolved
Priority: 0/
Queue: Crypt-OpenSSL-DSA

People
Owner: Nobody in particular
Requestors: he [...] NetBSD.org
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: CVE-2009-0129: Missing error check in do_verify
Date: Tue, 02 Oct 2012 09:47:06 +0200 (CEST)
To: bug-Crypt-OpenSSL-DSA [...] rt.cpan.org
From: Havard Eidnes <he [...] NetBSD.org>
Hi,

it appears that your package has been listed in CVE, ref.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0129

I believe the two attached patches fix this particular problem; they are taken from Debian, ref.
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=511519
and in particular
http://launchpadlibrarian.net/22398531/libcrypt-openssl-dsa-perl_0.13-3_0.13-4.diff.gz

I hope you can find the time to apply this small fix.

Best regards,

- Havard
Attachment: patch-DSA.xs
$NetBSD$ Croak in do_verify() if the openssl library returns an error, similar to what is already done in verify(). --- DSA.xs.orig 2005-05-22 20:14:52.000000000 +0000 +++ DSA.xs @@ -139,6 +139,8 @@ do_verify(dsa, dgst, sig) CODE: dgst_pv = SvPV(dgst, dgst_len); RETVAL = DSA_do_verify(dgst_pv, dgst_len, sig, dsa); + if (RETVAL == -1) + croak("Error in DSA_do_verify: %s",ERR_error_string(ERR_get_error(), NULL)); OUTPUT: RETVAL
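Review bot: the added `if (RETVAL == -1)` check after `DSA_do_verify` is the right fix, and it matters more than an ordinary error report: RETVAL is passed straight back to Perl via `OUTPUT: RETVAL`, and -1 is a true value in Perl, so without the croak a caller writing `if ($dsa->do_verify($msg, $sig))` would accept a library error as a valid signature. Two things to tighten in the same hunk: `ERR_error_string(ERR_get_error(), NULL)` formats into a static buffer, which is not thread-safe, so prefer a local buffer with `ERR_error_string_n(ERR_get_error(), buf, sizeof buf)`; and `RETVAL < 0` rather than `== -1` would also catch any other negative error code the library might return, leaving only 1 (valid) and 0 (invalid) to reach the caller.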
$NetBSD$ Document that the verify and do_verify methods will croak on library errors. --- lib/Crypt/OpenSSL/DSA.pm.orig 2005-10-15 21:38:04.000000000 +0000 +++ lib/Crypt/OpenSSL/DSA.pm @@ -124,10 +124,14 @@ Verifies that the $sig signature for $me $dsa is the signer's public key. +Note: it croaks if the underlying library call returns error (-1). + =item $valid = $dsa->do_verify( $message, $sig_obj ); Similar to C<verify>, but uses a L<Crypt::OpenSSL::DSA::Signature> object. +Note: it croaks if the underlying library call returns error (-1). + =item $dsa->write_params( $filename ); Writes the parameters into a PEM file.
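Review bot: the two added "Note:" lines say what happens on a library error but leave the remaining outcomes implicit; since the -1 case now raises an exception, it is worth stating next to each note that the method otherwise returns true only for a valid signature and false for an invalid one, so readers know a false return means "bad signature" and never "error". Minor wording: "returns error (-1)" reads better as "returns an error (-1)".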
Thank you, patch applied, should be in version 0.14 which should be on CPAN in the next few hours.

