Debian Bug report logs - #511509
tqsllib: Improper checking of the return value of EVP_VerifyFinal()


Package: tqsllib; Maintainer for tqsllib is Debian Hamradio Maintainers <debian-hams@lists.debian.org>;

Reported by: Kurt Roeckx <kurt@roeckx.be>

Date: Sun, 11 Jan 2009 18:57:01 UTC

Severity: serious

Tags: security

Fixed in version tqsllib/2.0-8

Done: Joop Stakenborg <pa3aba@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Hamradio Maintainers <debian-hams@lists.debian.org>:
Bug#511509; Package tqsllib. (Sun, 11 Jan 2009 18:57:03 GMT)

Acknowledgement sent to Kurt Roeckx <kurt@roeckx.be>:
New Bug report received and forwarded. Copy sent to Debian Hamradio Maintainers <debian-hams@lists.debian.org>. (Sun, 11 Jan 2009 18:57:03 GMT)

Message #5 received at submit@bugs.debian.org:

From: Kurt Roeckx <kurt@roeckx.be>
To: submit@bugs.debian.org
Subject: tqsllib: Improper checking of the return value of EVP_VerifyFinal()
Date: Sun, 11 Jan 2009 19:56:14 +0100
Package: tqsllib
Severity: serious
Tags: security

Hi,

I've been checking packages to see if they properly check the return
value of some of the functions in openssl.  In openssl_cert.cpp
there is this piece of code:
        if (!EVP_VerifyFinal(&ctx, sig, slen, TQSL_API_TO_CERT(cert)->key)) {
                tQSL_Error = TQSL_OPENSSL_ERROR;
                return 1;
        }

But EVP_VerifyFinal can return -1 on errors too.  A good way to check
the value would be something like:
        if (EVP_VerifyFinal(&ctx, sig, slen, TQSL_API_TO_CERT(cert)->key) <= 0) {

I have no idea if this code is being used and what the consequences
of this might be.


Kurt
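
The following is an added example, not code from this bug report or from tqsllib. It shows why the original `if (!EVP_VerifyFinal(...))` test lets OpenSSL's -1 error return fall through as a successful verification, and what the `<= 0` check suggested above does with the same three results. To run without linking OpenSSL, fake_verify_final() is a constructed stand-in that returns whatever value the caller asks for; VERIFIED and REJECTED are likewise constructed, not tqsllib's own status codes.

```c
/* Added example, not code from the bug report or from tqsllib. It shows
 * why "if (!EVP_VerifyFinal(...))" lets OpenSSL's -1 error return fall
 * through as if the signature had verified, and what "<= 0" does instead.
 * EVP_VerifyFinal() returns 1 for a valid signature, 0 for an invalid
 * signature and -1 on an internal error. To run without linking OpenSSL,
 * fake_verify_final() below is a constructed stand-in that simply returns
 * the value the caller asks for. */
#include <stdio.h>

#define VERIFIED 0        /* caller treats the data as authentic */
#define REJECTED 1        /* caller refuses the data */

/* Hypothetical stand-in for EVP_VerifyFinal(); openssl_result is the
 * value the real function would have returned for this call. */
static int fake_verify_final(int openssl_result)
{
    return openssl_result;
}

/* Check as it appeared in openssl_cert.cpp: only a return of 0 is an
 * error, so -1 (an OpenSSL failure) is accepted as a good signature. */
static int check_original(int openssl_result)
{
    if (!fake_verify_final(openssl_result))
        return REJECTED;
    return VERIFIED;
}

/* Check as suggested in the report: anything but 1 is a failure. */
static int check_fixed(int openssl_result)
{
    if (fake_verify_final(openssl_result) <= 0)
        return REJECTED;
    return VERIFIED;
}

int main(void)
{
    const int results[] = { 1, 0, -1 };
    const char *label[] = { "valid signature (1)", "bad signature (0)",
                            "OpenSSL error (-1)" };
    for (int i = 0; i < 3; i++)
        printf("%-20s original: %-8s fixed: %s\n", label[i],
               check_original(results[i]) == VERIFIED ? "VERIFIED" : "rejected",
               check_fixed(results[i]) == VERIFIED ? "VERIFIED" : "rejected");
    return 0;
}
```

The -1 row is the one that matters: the original test reports it as VERIFIED, so any internal OpenSSL failure during signature checking would have been indistinguishable from a valid signature.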





Reply sent to Joop Stakenborg <pa3aba@debian.org>:
You have taken responsibility. (Sat, 17 Jan 2009 18:09:20 GMT)

Notification sent to Kurt Roeckx <kurt@roeckx.be>:
Bug acknowledged by developer. (Sat, 17 Jan 2009 18:09:20 GMT)

Message #10 received at 511509-close@bugs.debian.org:

From: Joop Stakenborg <pa3aba@debian.org>
To: 511509-close@bugs.debian.org
Subject: Bug#511509: fixed in tqsllib 2.0-8
Date: Sat, 17 Jan 2009 18:02:09 +0000
Source: tqsllib
Source-Version: 2.0-8

We believe that the bug you reported is fixed in the latest version of
tqsllib, which is due to be installed in the Debian FTP archive:

tqsllib-dev_2.0-8_i386.deb
  to pool/main/t/tqsllib/tqsllib-dev_2.0-8_i386.deb
tqsllib1c2a_2.0-8_i386.deb
  to pool/main/t/tqsllib/tqsllib1c2a_2.0-8_i386.deb
tqsllib_2.0-8.diff.gz
  to pool/main/t/tqsllib/tqsllib_2.0-8.diff.gz
tqsllib_2.0-8.dsc
  to pool/main/t/tqsllib/tqsllib_2.0-8.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 511509@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Joop Stakenborg <pa3aba@debian.org> (supplier of updated tqsllib package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Sat, 17 Jan 2009 18:53:39 +0100
Source: tqsllib
Binary: tqsllib1c2a tqsllib-dev
Architecture: source i386
Version: 2.0-8
Distribution: unstable
Urgency: low
Maintainer: Debian Hamradio Maintainers <debian-hams@lists.debian.org>
Changed-By: Joop Stakenborg <pa3aba@debian.org>
Description: 
 tqsllib-dev - QSL signing library development files
 tqsllib1c2a - QSL signing routines for the Logbook of the World (LoTW)
Closes: 511509
Changes: 
 tqsllib (2.0-8) unstable; urgency=low
 .
   * Check return value of EVP_VerifyFinal correctly. Closes: #511509.






Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 16 Mar 2009 07:46:26 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 16:09:50 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.