Debian Bug report logs - #511519
libcrypt-openssl-dsa-perl: return values of openssl functions.


Package: libcrypt-openssl-dsa-perl; Maintainer for libcrypt-openssl-dsa-perl is Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>; Source for libcrypt-openssl-dsa-perl is src:libcrypt-openssl-dsa-perl.

Reported by: Kurt Roeckx <kurt@roeckx.be>

Date: Sun, 11 Jan 2009 19:39:02 UTC

Severity: serious

Tags: security

Fixed in version libcrypt-openssl-dsa-perl/0.13-4

Done: Damyan Ivanov <dmn@debian.org>

Bug is archived. No further changes may be made.

Forwarded to http://sourceforge.net/tracker/index.php?func=detail&aid=2545158&group_id=73194&atid=537053



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#511519; Package libcrypt-openssl-dsa-perl. (Sun, 11 Jan 2009 19:39:04 GMT)

Acknowledgement sent to Kurt Roeckx <kurt@roeckx.be>:
New Bug report received and forwarded. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Sun, 11 Jan 2009 19:39:04 GMT)

Message #5 received at submit@bugs.debian.org:

From: Kurt Roeckx <kurt@roeckx.be>
To: submit@bugs.debian.org
Subject: libcrypt-openssl-dsa-perl: return values of openssl functions.
Date: Sun, 11 Jan 2009 20:36:34 +0100
Package: libcrypt-openssl-dsa-perl
Severity: serious
Tags: security

Hi,

I've been checking packages to see if they properly check the return
value of some of the functions in openssl.

It seems that your package calls functions like DSA_verify
and DSA_do_verify and just returns those values.  Looking
at the documentation, it seems to suggest that != 0 would
mean that it was successful.

However those functions can also return -1 on failure.  This
would then mean that other applications making use of this
could wrongly check the return value.


Kurt





Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#511519; Package libcrypt-openssl-dsa-perl. (Sun, 11 Jan 2009 21:57:05 GMT)

Message #8 received at 511519@bugs.debian.org:

From: pkg-perl-maintainers@lists.alioth.debian.org
To: 511519@bugs.debian.org, 511519-submitter@bugs.debian.org
Subject: Bug in libcrypt-openssl-dsa-perl fixed in revision 29567
Date: Sun, 11 Jan 2009 21:56:07 +0000
tag 511519 + pending
thanks

Some bugs are closed in revision 29567
by Ryan Niebur (ryan52-guest)

Commit message:

check the return code of DSA_do_verify, and croak on error (Closes:
#511519)




Tags added: pending Request was from pkg-perl-maintainers@lists.alioth.debian.org to control@bugs.debian.org. (Sun, 11 Jan 2009 21:57:07 GMT)

Message sent on to Kurt Roeckx <kurt@roeckx.be>:
Bug#511519. (Sun, 11 Jan 2009 21:57:09 GMT)

Information stored :
Bug#511519; Package libcrypt-openssl-dsa-perl. (Mon, 12 Jan 2009 00:12:08 GMT)

Acknowledgement sent to Kurt Roeckx <kurt@roeckx.be>:
Extra info received and filed, but not forwarded. (Mon, 12 Jan 2009 00:12:08 GMT)

Message #18 received at 511519-quiet@bugs.debian.org:

From: Kurt Roeckx <kurt@roeckx.be>
To: pkg-perl-maintainers@lists.alioth.debian.org, 511519-quiet@bugs.debian.org
Subject: Re: Bug#511519: Bug in libcrypt-openssl-dsa-perl fixed in revision 29567
Date: Mon, 12 Jan 2009 01:10:00 +0100
On Sun, Jan 11, 2009 at 09:56:07PM +0000, pkg-perl-maintainers@lists.alioth.debian.org wrote:
> tag 511519 + pending
> thanks
> 
> Some bugs are closed in revision 29567
> by Ryan Niebur (ryan52-guest)
> 
> Commit message:
> 
> check the return code of DSA_do_verify, and croak on error (Closes:
> #511519)

I'm not really sure what changed here.  But where DSA_verify() is called
now, it already calls croak() in case of -1.  But it should probably
also complain that it was an incorrect signature in case it returns 0
and change the RETVAL to 0 in case it was -1.

The documentation isn't really clear, it just says:
	my $valid = $dsa_pub->do_verify($message, $sig_obj);
And:
  my $valid    = $dsa_pub->verify($message, $sig);

It doesn't document the possible return codes, so when I read
that I assume it will be != 0 in case it's valid.  Either it
needs to be documented properly that it can return -1 and then
check all the code that might be using it wrong, or it needs
to change the -1 to 0.


Kurt





Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#511519; Package libcrypt-openssl-dsa-perl. (Mon, 12 Jan 2009 02:30:02 GMT)

Message #21 received at 511519@bugs.debian.org:

From: pkg-perl-maintainers@lists.alioth.debian.org
To: 511519@bugs.debian.org, 511519-submitter@bugs.debian.org
Subject: Bug in libcrypt-openssl-dsa-perl fixed in revision 29568
Date: Mon, 12 Jan 2009 02:28:42 +0000
tag 511519 + pending
thanks

Some bugs are closed in revision 29568
by Ryan Niebur (ryan52-guest)

Commit message:

Fix man page to specify that an error happened when the return value
for verify is -1 (Closes: #511519)




Tags added: pending Request was from pkg-perl-maintainers@lists.alioth.debian.org to control@bugs.debian.org. (Mon, 12 Jan 2009 02:30:03 GMT)

Message sent on to Kurt Roeckx <kurt@roeckx.be>:
Bug#511519. (Mon, 12 Jan 2009 02:30:05 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#511519; Package libcrypt-openssl-dsa-perl. (Mon, 12 Jan 2009 18:03:03 GMT)

Acknowledgement sent to Kurt Roeckx <kurt@roeckx.be>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Mon, 12 Jan 2009 18:03:03 GMT)

Message #31 received at 511519@bugs.debian.org:

From: Kurt Roeckx <kurt@roeckx.be>
To: pkg-perl-maintainers@lists.alioth.debian.org, 511519@bugs.debian.org
Subject: Re: Bug#511519: Bug in libcrypt-openssl-dsa-perl fixed in revision 29568
Date: Mon, 12 Jan 2009 19:00:50 +0100
On Mon, Jan 12, 2009 at 02:28:42AM +0000, pkg-perl-maintainers@lists.alioth.debian.org wrote:
> tag 511519 + pending
> thanks
> 
> Some bugs are closed in revision 29568
> by Ryan Niebur (ryan52-guest)
> 
> Commit message:
> 
> Fix man page to specify that an error happened when the return value
> for verify is -1 (Closes: #511519)

Please don't change the documentation about something like that
without talking to upstream.  In my opinion you're changing
documentation just to match reality while people might be
depending on the current documentation.  I don't think documenting
wrong behaviour is useful.


Kurt





Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#511519; Package libcrypt-openssl-dsa-perl. (Tue, 13 Jan 2009 03:12:03 GMT)

Acknowledgement sent to Ryan Niebur <ryanryan52@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Tue, 13 Jan 2009 03:12:03 GMT)

Message #36 received at 511519@bugs.debian.org:

From: Ryan Niebur <ryanryan52@gmail.com>
To: Kurt Roeckx <kurt@roeckx.be>
Cc: 511519@bugs.debian.org
Subject: Re: Bug#511519: Bug in libcrypt-openssl-dsa-perl fixed in revision 29568
Date: Mon, 12 Jan 2009 19:10:29 -0800
tag 511519 - pending
thanks

Hi,

On Mon, Jan 12, 2009 at 07:00:50PM +0100, Kurt Roeckx wrote:
> 
> Please don't change the documentation about something like that
> without talking to upstream.  In my opinion you're changing
> documentation just to match reality while people might be
> depending on the current documentation.  I don't think documenting
> wrong behaviour is useful.
> 

ya, ok, I don't have enough time to do that right now, so some other
member of the pkg-perl team will have to deal with this.

sorry for wasting your time...

Thanks,
Ryan

-- 
_________________________
Ryan Niebur
ryanryan52@gmail.com

Tags removed: pending Request was from Ryan Niebur <ryanryan52@gmail.com> to control@bugs.debian.org. (Wed, 28 Jan 2009 21:36:03 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#511519; Package libcrypt-openssl-dsa-perl. (Wed, 28 Jan 2009 22:09:03 GMT)

Message #41 received at 511519@bugs.debian.org:

From: Damyan Ivanov <dmn@debian.org>
To: Kurt Roeckx <kurt@roeckx.be>, 511519@bugs.debian.org
Subject: Re: Bug#511519: libcrypt-openssl-dsa-perl: return values of openssl functions.
Date: Wed, 28 Jan 2009 23:52:18 +0200
Hi Kurt,

-=| Kurt Roeckx, Sun, Jan 11, 2009 at 08:36:34PM +0100 |=-
> Package: libcrypt-openssl-dsa-perl
> Severity: serious
> Tags: security
> 
> I've been checking packages to see if they properly check the return
> value of some of the functions in openssl.
> 
> It seems that your package calls functions like DSA_verify
> and DSA_do_verify and just returns those values.  Looking
> at the documentation, it seems to suggest that != 0 would
> mean that it was successful.

This is my impression too.

> However those functions can also return -1 on failure.  This
> would then mean that other applications making use of this
> could wrongly check the return value.

Since $dsa->verify(...) croaks if the underlying OpenSSL call returns -1, 
it seems to me that croaking in do_verify(...) is the right thing to 
do.

From what I understand, verify() and do_verify() only differ in what 
they accept as parameters, otherwise the semantic is the same -- 
verify a signature.

In your opinion, would (1) patching do_verify() to croak if the 
underlying library call returns -1, (2) documenting the fact that both 
verify() and do_verify() may croak and (3) sending the patch upstream 
fix the bug?


Thanks for your help!

-- 
dam            JabberID: dam@jabber.minus273.org

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#511519; Package libcrypt-openssl-dsa-perl. (Wed, 28 Jan 2009 22:15:04 GMT)

Acknowledgement sent to Kurt Roeckx <kurt@roeckx.be>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Wed, 28 Jan 2009 22:15:05 GMT)

Message #46 received at 511519@bugs.debian.org:

From: Kurt Roeckx <kurt@roeckx.be>
To: Damyan Ivanov <dmn@debian.org>, 511519@bugs.debian.org
Subject: Re: Bug#511519: libcrypt-openssl-dsa-perl: return values of openssl functions.
Date: Wed, 28 Jan 2009 23:12:20 +0100
On Wed, Jan 28, 2009 at 11:52:18PM +0200, Damyan Ivanov wrote:
> > However those functions can also return -1 on failure.  This
> > would then mean that other applications making use of this
> > could wrongly check the return value.
> 
> Since $dsa->verify(...) croaks if the underlying OpenSSL call returns -1, 
> it seems to me that croaking in do_verify(...) is the right thing to 
> do.
> 
> From what I understand, verify() and do_verify() only differ in what 
> they accept as parameters, otherwise the semantic is the same -- 
> verify a signature.
> 
> In your opinion, would (1) patching do_verify() to croak if the 
> underlying library call returns -1, (2) documenting the fact that both 
> verify() and do_verify() may croak and (3) sending the patch upstream 
> fix the bug?

I have no idea what croak does exactly, but if it's some
mechanism to report error conditions, like a throw in C++,
it might be a good way of doing it.

But then I have to wonder why croak isn't called in case
of a 0 return value.  Both 0 and -1 are error cases.  And
most applications don't care if 0 or -1 was returned.


Kurt





Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#511519; Package libcrypt-openssl-dsa-perl. (Wed, 28 Jan 2009 22:48:07 GMT)

Message #49 received at 511519@bugs.debian.org:

From: Damyan Ivanov <dmn@deian.org>
To: Kurt Roeckx <kurt@roeckx.be>
Cc: 511519@bugs.debian.org
Subject: Re: Bug#511519: libcrypt-openssl-dsa-perl: return values of openssl functions.
Date: Thu, 29 Jan 2009 00:43:48 +0200
-=| Kurt Roeckx, Wed, Jan 28, 2009 at 11:12:20PM +0100 |=-
> On Wed, Jan 28, 2009 at 11:52:18PM +0200, Damyan Ivanov wrote:
> > > However those functions can also return -1 on failure.  This
> > > would then mean that other applications making use of this
> > > could wrongly check the return value.
> > 
> > Since $dsa->verify(...) croaks if the underlying OpenSSL call returns -1, 
> > it seems to me that croaking in do_verify(...) is the right thing to 
> > do.
> > 
> > From what I understand, verify() and do_verify() only differ in what 
> > they accept as parameters, otherwise the semantic is the same -- 
> > verify a signature.
> > 
> > In your opinion, would (1) patching do_verify() to croak if the 
> > underlying library call returns -1, (2) documenting the fact that both 
> > verify() and do_verify() may croak and (3) sending the patch upstream 
> > fix the bug?
> 
> I have no idea what croak does exactly, but if it's some
> mechanism to report error conditions, like a throw in C++,
> it might be a good way of doing it.

Sufficiently similar, yes.

> But then I have to wonder why croak isn't called in case
> of a 0 return value.  Both 0 and -1 are error cases.  And
> most applications don't care if 0 or -1 was returned.

From crypto/dsa/dsa_vrf.c (openssl source):

    /* returns
     *      1: correct signature
     *      0: incorrect signature
     *     -1: error
     */
(and this is for both verify() and do_verify())

I think the intention in the perl wrappers is to mimic the underlying 
functionality -- tell you if a signature is valid via the return value 
-- except that it throws an exception if -1 is returned in order to 
signal the error condition.

So I think my proposal above is still good for Crypt::OpenSSL::DSA. 
Whether the code that uses it checks the [do_]verify() return code (or 
is prepared to handle the exception) is a whole new research effort.

The only package declaring dependency on libcrypt-openssl-dsa-perl is 
libnet-dns-sec-perl.

-- 
dam            JabberID: dam@jabber.minus273.org
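The tri-state contract quoted above, worked through in C as an added example (not code from the package, the patch or this thread). It uses a constructed stand-in for DSA_do_verify() so it runs without libcrypto, and contrasts the raw pass-through the report describes with a wrapper that, like the Debian patch, signals -1 as an error and treats only 1 as a valid signature.

```c
#include <stdio.h>
#include <string.h>

/* Return contract of OpenSSL's DSA_verify()/DSA_do_verify(), as quoted
 * from crypto/dsa/dsa_vrf.c in the thread:
 *    1: correct signature
 *    0: incorrect signature
 *   -1: error (bad parameters, allocation failure, ...)            */
enum { DSA_SIG_OK = 1, DSA_SIG_BAD = 0, DSA_SIG_ERR = -1 };

/* Constructed stand-in for DSA_do_verify(); it performs no DSA math.
 * It returns -1 for a malformed (empty) signature, 1 when the signature
 * bytes equal the digest, and 0 otherwise, so all three return codes
 * can be exercised offline. */
static int fake_dsa_do_verify(const unsigned char *dgst, size_t dgst_len,
                              const unsigned char *sig, size_t sig_len)
{
    if (sig == NULL || sig_len == 0)
        return DSA_SIG_ERR;                 /* parameter error */
    if (sig_len == dgst_len && memcmp(sig, dgst, dgst_len) == 0)
        return DSA_SIG_OK;
    return DSA_SIG_BAD;
}

/* The pattern the report describes: the wrapper passes the raw library
 * return value through and the caller tests it as a boolean, the way
 * `if ($dsa_pub->do_verify($msg, $sig))` does in Perl. -1 is true. */
static int passthrough_caller_accepts(const unsigned char *dgst,
                                      size_t dgst_len,
                                      const unsigned char *sig,
                                      size_t sig_len)
{
    int rc = fake_dsa_do_verify(dgst, dgst_len, sig, sig_len);
    return rc != 0;                         /* error (-1) counts as valid */
}

/* The fixed wrapper, following the Debian patch: a library error is
 * signalled out of band (croak() in XS; *err here) and the boolean
 * result is 1 only when the library itself returned 1. */
static int checked_wrapper_verify(const unsigned char *dgst, size_t dgst_len,
                                  const unsigned char *sig, size_t sig_len,
                                  int *err)
{
    int rc = fake_dsa_do_verify(dgst, dgst_len, sig, sig_len);
    *err = (rc == DSA_SIG_ERR);
    return rc == DSA_SIG_OK;
}

int main(void)
{
    const unsigned char digest[] = "abc";   /* constructed 3-byte digest */
    int err = 0;

    /* Error case: an empty signature makes the library return -1. */
    printf("pass-through accepts empty signature: %d\n",
           passthrough_caller_accepts(digest, 3, NULL, 0));
    printf("checked wrapper accepts it: %d (err=%d)\n",
           checked_wrapper_verify(digest, 3, NULL, 0, &err), err);
    return 0;
}
```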

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#511519; Package libcrypt-openssl-dsa-perl. (Thu, 29 Jan 2009 10:33:07 GMT)

Message #52 received at 511519@bugs.debian.org:

From: pkg-perl-maintainers@lists.alioth.debian.org
To: 511519@bugs.debian.org, 511519-submitter@bugs.debian.org
Subject: Bug in libcrypt-openssl-dsa-perl fixed in revision 30225
Date: Thu, 29 Jan 2009 10:22:27 +0000
tag 511519 + pending
thanks

Some bugs are closed in revision 30225
by Damyan Ivanov (dmn)

Commit message:

add security_croak-in-do_verify-too.patch making do_verify() croak on
error the same way verify() already does. Document that verify() and
do_verify() croak on errors.
Closes: #511519. Thanks to Kurt Roeckx




Tags added: pending Request was from pkg-perl-maintainers@lists.alioth.debian.org to control@bugs.debian.org. (Thu, 29 Jan 2009 10:33:10 GMT)

Message sent on to Kurt Roeckx <kurt@roeckx.be>:
Bug#511519. (Thu, 29 Jan 2009 10:33:14 GMT)

Noted your statement that Bug has been forwarded to http://sourceforge.net/tracker/index.php?func=detail&aid=2545158&group_id=73194&atid=537053. Request was from Damyan Ivanov <dmn@debian.org> to control@bugs.debian.org. (Thu, 29 Jan 2009 10:45:02 GMT)

Reply sent to Damyan Ivanov <dmn@debian.org>:
You have taken responsibility. (Mon, 02 Feb 2009 10:54:03 GMT)

Notification sent to Kurt Roeckx <kurt@roeckx.be>:
Bug acknowledged by developer. (Mon, 02 Feb 2009 10:54:03 GMT)

Message #64 received at 511519-close@bugs.debian.org:

From: Damyan Ivanov <dmn@debian.org>
To: 511519-close@bugs.debian.org
Subject: Bug#511519: fixed in libcrypt-openssl-dsa-perl 0.13-4
Date: Mon, 02 Feb 2009 10:32:10 +0000
Source: libcrypt-openssl-dsa-perl
Source-Version: 0.13-4

We believe that the bug you reported is fixed in the latest version of
libcrypt-openssl-dsa-perl, which is due to be installed in the Debian FTP archive:

libcrypt-openssl-dsa-perl_0.13-4.diff.gz
  to pool/main/libc/libcrypt-openssl-dsa-perl/libcrypt-openssl-dsa-perl_0.13-4.diff.gz
libcrypt-openssl-dsa-perl_0.13-4.dsc
  to pool/main/libc/libcrypt-openssl-dsa-perl/libcrypt-openssl-dsa-perl_0.13-4.dsc
libcrypt-openssl-dsa-perl_0.13-4_amd64.deb
  to pool/main/libc/libcrypt-openssl-dsa-perl/libcrypt-openssl-dsa-perl_0.13-4_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 511519@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Damyan Ivanov <dmn@debian.org> (supplier of updated libcrypt-openssl-dsa-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Mon, 02 Feb 2009 12:02:51 +0200
Source: libcrypt-openssl-dsa-perl
Binary: libcrypt-openssl-dsa-perl
Architecture: source amd64
Version: 0.13-4
Distribution: unstable
Urgency: medium
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: Damyan Ivanov <dmn@debian.org>
Description: 
 libcrypt-openssl-dsa-perl - module which implements the DSA signature verification system
Closes: 511519
Changes: 
 libcrypt-openssl-dsa-perl (0.13-4) unstable; urgency=medium
 .
   * Medium urgency for fixing a security-related bug.
 .
   [ gregor herrmann ]
   * Add debian/README.source to document quilt usage, as required by
     Debian Policy since 3.8.0.
   * debian/control: Changed: Switched Vcs-Browser field to ViewSVN
     (source stanza).
 .
   [ Damyan Ivanov ]
   * add security_croak-in-do_verify-too.patch making do_verify() croak on
     error the same way verify() already does. Document that verify() and
     do_verify() croak on errors.
     Closes: #511519. Thanks to Kurt Roeckx
   * add description to Makefile.PL--no-ssl-in-LIBS.patch
   * add fix-manpage-errors.patch fixing missing =over/-back around =item's in
     Crypt::OpenSSL::DSA::Signature's POD.
   * Extend the long description a bit
   * Standards-Version: 3.8.0 (no changes)






Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 16 Mar 2009 08:05:07 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 21:44:52 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.