Debian Bug report logs - #511515
m2crypto: openssl return values.

Package: m2crypto; Maintainer for m2crypto is Dima Barsky <dima@debian.org>;

Reported by: Kurt Roeckx <kurt@roeckx.be>

Date: Sun, 11 Jan 2009 19:18:01 UTC

Severity: important

Tags: security



Report forwarded to debian-bugs-dist@lists.debian.org, Dima Barsky <dima@debian.org>:
Bug#511515; Package m2crypto. (Sun, 11 Jan 2009 19:18:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Kurt Roeckx <kurt@roeckx.be>:
New Bug report received and forwarded. Copy sent to Dima Barsky <dima@debian.org>. (Sun, 11 Jan 2009 19:18:04 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Kurt Roeckx <kurt@roeckx.be>
To: submit@bugs.debian.org
Subject: m2crypto: openssl return values.
Date: Sun, 11 Jan 2009 20:17:24 +0100
Package: m2crypto
Severity: important
Tags: security

Hi,

I've been checking packages to see if they properly check the return
value of some of the functions in openssl.  Your package seems to
be calling a few of them:

In SWIG/_evp.i, in verify_final() there is a call to EVP_VerifyFinal
and it just returns that.  M2Crypto/EVP.py seems to document that
as only returning 0 for failure but it can also return -1 on failure.

There are also calls to DSA_verify(), ECDSA_verify(), DSA_do_verify()
and ECDSA_do_verify() that seem to think that -1 means error,
and then return the return code.  But 0 is also an error case.

For all the functions mentioned, 0 and -1 are errors, 1 means success.

I have no idea how this is being used.  I think this is being used
by other packages in Debian (dtc-xen, python-pyxmpp) that might
need to be checked instead.


Kurt





Information forwarded to debian-bugs-dist@lists.debian.org, Dima Barsky <dima@debian.org>:
Bug#511515; Package m2crypto. (Thu, 29 Jan 2009 23:33:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Kurt Roeckx <kurt@roeckx.be>:
Extra info received and forwarded to list. Copy sent to Dima Barsky <dima@debian.org>. (Thu, 29 Jan 2009 23:33:04 GMT) Full text and rfc822 format available.

Message #10 received at 511515@bugs.debian.org (full text, mbox):

From: Kurt Roeckx <kurt@roeckx.be>
To: 511515@bugs.debian.org
Subject: Re: m2crypto: openssl return values.
Date: Fri, 30 Jan 2009 00:30:50 +0100
On Sun, Jan 11, 2009 at 08:17:24PM +0100, Kurt Roeckx wrote:
> Package: m2crypto
> Severity: important
> Tags: security
> 
> Hi,
> 
> I've been checking packages to see if they properly check the return
> value of some of the functions in openssl.  Your package seems to
> be calling a few of them:
> 
> In SWIG/_evp.i, in verify_final() there is a call to EVP_VerifyFinal
> and it just returns that.  M2Crypto/EVP.py seems to document that
> as only returning 0 for failure but it can also return -1 on failure.
> 
> There are also calls to DSA_verify(), ECDSA_verify(), DSA_do_verify()
> and ECDSA_do_verify() that seem to think that -1 means error,
> and then return the return code.  But 0 is also an error case.
> 
> For all the functions mentioned, 0 and -1 are errors, 1 means success.
> 
> I have no idea how this is being used.  I think this is being used
> by other packages in Debian (dtc-xen, python-pyxmpp) that might
> need to be checked instead.

There might be similar problems with calls like X509_REQ_verify
and X509_verify.


Kurt
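The two messages above describe the same return-code convention for EVP_VerifyFinal, DSA_verify, DSA_do_verify, ECDSA_verify, ECDSA_do_verify, X509_REQ_verify and X509_verify: 1 is the only success value, 0 means the signature did not verify, and -1 means an internal OpenSSL error (for example a malformed signature encoding). The following is an added illustration, not code from M2Crypto or from the reporter. It models the two wrapper patterns the report objects to (passing the raw code through, and treating only -1 as an error) next to a correct wrapper, and drives all three with the three possible return codes. The wrapper and caller function names are hypothetical stand-ins; no OpenSSL call is made.

```python
"""Return-code handling for OpenSSL's *_verify family, modelled in Python.

Convention (from the bug report):  1 = signature valid,
                                   0 = signature invalid,
                                  -1 = internal error.
Everything below is a hypothetical model of the wrapper/caller logic
described in the report; it is not M2Crypto's own code.
"""

VERIFY_OK = 1
VERIFY_BAD_SIG = 0
VERIFY_ERROR = -1
ALL_CODES = (VERIFY_OK, VERIFY_BAD_SIG, VERIFY_ERROR)


class OpenSSLError(Exception):
    """Stand-in for the exception a binding raises on an OpenSSL error."""


def raw_passthrough_verify(rc):
    """Pattern 1 (the EVP_VerifyFinal case in the report): the C return
    code is handed to Python unchanged.  -1 is a truthy Python int, so an
    internal error looks like success to any caller testing truthiness."""
    return rc


def minus_one_only_verify(rc):
    """Pattern 2 (the DSA/ECDSA case in the report): only -1 is turned
    into an exception; 0 is returned as if it were a normal result."""
    if rc == -1:
        raise OpenSSLError("verify returned -1")
    return rc


def strict_verify(rc):
    """Correct handling: exactly 1 means the signature verified.  0 is a
    clean 'bad signature' answer, and any other value (including -1 and
    anything unexpected) is an error that must not be mistaken for either."""
    if rc == 1:
        return True
    if rc == 0:
        return False
    raise OpenSSLError("verify returned unexpected code %d" % rc)


def truthiness_caller(wrapper, rc):
    """A caller written as `if key.verify(...): accept()`, which is the
    natural Python idiom when the docs say 'returns 0 on failure'."""
    try:
        return bool(wrapper(rc))
    except OpenSSLError:
        return False


def exception_expecting_caller(wrapper, rc):
    """A caller that relies on the wrapper raising for every failure and
    ignores the return value (plausible when the docs mention an exception
    but not a 0 return)."""
    try:
        wrapper(rc)
    except OpenSSLError:
        return False
    return True


def accepted_codes(wrapper, caller):
    """Which of the three OpenSSL return codes the given wrapper/caller
    pair ends up accepting as a valid signature.  Only (1,) is correct."""
    return tuple(rc for rc in ALL_CODES if caller(wrapper, rc))


if __name__ == "__main__":
    for wrapper in (raw_passthrough_verify, minus_one_only_verify, strict_verify):
        for caller in (truthiness_caller, exception_expecting_caller):
            print("%-24s + %-26s accepts %s" % (
                wrapper.__name__, caller.__name__, accepted_codes(wrapper, caller)))
```

The table this prints is the whole point of the report: with the raw pass-through wrapper an internal error (-1) is accepted by a truthiness check, and with the "-1 only" wrapper an invalid signature (0) is accepted by a caller that expects an exception. Only the strict wrapper combined with a caller that actually checks the boolean accepts exactly the code 1.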







Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 04:01:20 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.