Report forwarded to debian-bugs-dist@lists.debian.org, Dima Barsky <dima@debian.org>: Bug#511515; Package m2crypto. (Sun, 11 Jan 2009 19:18:04 GMT)
Acknowledgement sent to Kurt Roeckx <kurt@roeckx.be>: New Bug report received and forwarded. Copy sent to Dima Barsky <dima@debian.org>. (Sun, 11 Jan 2009 19:18:04 GMT)
Package: m2crypto
Severity: important
Tags: security
Hi,
I've been checking packages to see if they properly check the return
value of some of the functions in openssl. Your package seems to
be calling a few of them:
In SWIG/_evp.i, in verify_final() there is a call to EVP_VerifyFinal
and just returns that. M2Crypto/EVP.py seems to document that
as only returning 0 for failure but it can also return -1 on failure.
There are also calls to DSA_verify(), ECDSA_verify(), DSA_do_verify()
and ECDSA_do_verify() that seem to think that -1 means error,
and then return the return code. But 0 is also an error case.
For all the functions mentioned, 0 and -1 are errors, 1 means success.
I have no idea how this is being used. I think this is being used
by other packages in Debian (dtc-xen, python-pyxmpp) that might
need to be checked instead.
Kurt
Information forwarded to debian-bugs-dist@lists.debian.org, Dima Barsky <dima@debian.org>: Bug#511515; Package m2crypto. (Thu, 29 Jan 2009 23:33:03 GMT)
Acknowledgement sent to Kurt Roeckx <kurt@roeckx.be>: Extra info received and forwarded to list. Copy sent to Dima Barsky <dima@debian.org>. (Thu, 29 Jan 2009 23:33:04 GMT)
On Sun, Jan 11, 2009 at 08:17:24PM +0100, Kurt Roeckx wrote:
> Package: m2crypto
> Severity: important
> Tags: security
>
> Hi,
>
> I've been checking packages to see if they properly check the return
> value of some of the functions in openssl. Your package seems to
> be calling a few of them:
>
> In SWIG/_evp.i, in verify_final() there is a call to EVP_VerifyFinal
> and just returns that. M2Crypto/EVP.py seems to document that
> as only returning 0 for failure but it can also return -1 on failure.
>
> There are also calls to DSA_verify(), ECDSA_verify(), DSA_do_verify()
> and ECDSA_do_verify() that seem to think that -1 means error,
> and then return the return code. But 0 is also an error case.
>
> For all the functions mentioned, 0 and -1 are errors, 1 means success.
>
> I have no idea how this is being used. I think this is being used
> by other packages in Debian (dtc-xen, python-pyxmpp) that might
> need to be checked instead.
There might be similar problems with calls like X509_REQ_verify
and X509_verify.
Kurt
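As an added illustration of the three-valued return convention both messages describe (this is constructed model code, not M2Crypto's or OpenSSL's), the wrappers below stand in for a verify_final() that passes the C result straight through and for a DSA/ECDSA-style wrapper that treats only -1 as an error, next to a strict mapping; two caller styles then show which combination lets an OpenSSL error result (-1) pass as a verified signature.

```python
# Constructed model of the return-value handling described in the report.
# Not M2Crypto's or OpenSSL's code: the wrapper functions stand in for
# SWIG/_evp.i's verify_final() and the DSA/ECDSA verify wrappers.

VERIFIED, INVALID, ERROR = 1, 0, -1   # OpenSSL verify results: 1 / 0 / -1


class VerificationError(Exception):
    """The library reported an internal error rather than a verdict."""


def wrapper_pass_through(raw):
    """Models a verify_final() that hands the C result straight to Python."""
    return raw


def wrapper_minus_one_only(raw):
    """Models a wrapper that treats only -1 as an error and returns 0 or 1."""
    if raw == -1:
        raise VerificationError("verify call failed")
    return raw


def wrapper_strict(raw):
    """Hardened mapping: 1 -> True, 0 -> False, anything else -> exception."""
    if raw == VERIFIED:
        return True
    if raw == INVALID:
        return False
    raise VerificationError("unexpected verify result %d" % raw)


def accept_if_truthy(wrapper, raw):
    """Caller written against docs saying '0 means failure': bool(-1) is True."""
    try:
        return bool(wrapper(raw))
    except VerificationError:
        return False


def accept_if_one(wrapper, raw):
    """Caller that accepts only an exact 1 (True == 1, so strict wrapper fits)."""
    try:
        return wrapper(raw) == 1
    except VerificationError:
        return False


def outcome_table():
    """For every wrapper/caller pair, list which raw results get accepted."""
    wrappers = (wrapper_pass_through, wrapper_minus_one_only, wrapper_strict)
    callers = (accept_if_truthy, accept_if_one)
    return {(w.__name__, c.__name__): tuple(r for r in (VERIFIED, INVALID, ERROR) if c(w, r))
            for w in wrappers for c in callers}
```

Only the pass-through wrapper combined with a truthiness check accepts -1; every other pairing accepts exactly the result 1.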