Debian Bug report logs - #511520
erlang: openssl return values.

Package: erlang; Maintainer for erlang is Debian Erlang Packagers <pkg-erlang-devel@lists.alioth.debian.org>; Source for erlang is src:erlang.

Reported by: Kurt Roeckx <kurt@roeckx.be>

Date: Sun, 11 Jan 2009 19:45:01 UTC

Severity: serious

Tags: security

Done: "Sergei Golovan" <sgolovan@gmail.com>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Erlang Packagers <erlang-pkg-devel@lists.berlios.de>:
Bug#511520; Package erlang. (Sun, 11 Jan 2009 19:45:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Kurt Roeckx <kurt@roeckx.be>:
New Bug report received and forwarded. Copy sent to Erlang Packagers <erlang-pkg-devel@lists.berlios.de>. (Sun, 11 Jan 2009 19:45:03 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Kurt Roeckx <kurt@roeckx.be>
To: submit@bugs.debian.org
Subject: erlang: openssl return values.
Date: Sun, 11 Jan 2009 20:41:57 +0100
Package: erlang
Severity: serious
Tags: security

Hi,

I've been checking packages to see if they properly check the return
value of some of the functions in openssl.  In
lib/crypto/c_src/crypto_drv.c there is this code:
      i =  DSA_do_verify(hmacbuf, SHA_DIGEST_LENGTH,
                         dsa_sig, dsa);
      *rbuf = (char *)(bin = driver_alloc_binary(1));
      (bin->orig_bytes)[0] = (char)(i & 0xff);

And I have no idea what happens with this afterwards.  But
I currently assume that it's not properly checking the
return value.

Note that DSA_do_verify can return 0 and -1 on errors and
1 on success.


Kurt
Reply sent to "Sergei Golovan" <sgolovan@gmail.com>:
You have taken responsibility. (Mon, 12 Jan 2009 10:57:06 GMT) Full text and rfc822 format available.

Notification sent to Kurt Roeckx <kurt@roeckx.be>:
Bug acknowledged by developer. (Mon, 12 Jan 2009 10:57:06 GMT) Full text and rfc822 format available.

Message #10 received at 511520-close@bugs.debian.org (full text, mbox):

From: "Sergei Golovan" <sgolovan@gmail.com>
To: "Kurt Roeckx" <kurt@roeckx.be>, 511520-close@bugs.debian.org
Subject: Re: Bug#511520: erlang: openssl return values.
Date: Mon, 12 Jan 2009 13:55:19 +0300
On Sun, Jan 11, 2009 at 10:41 PM, Kurt Roeckx <kurt@roeckx.be> wrote:
>
> I've been checking packages to see if they properly check the return
> value of some of the functions in openssl.  In
> lib/crypto/c_src/crypto_drv.c there is this code:
>      i =  DSA_do_verify(hmacbuf, SHA_DIGEST_LENGTH,
>                         dsa_sig, dsa);
>      *rbuf = (char *)(bin = driver_alloc_binary(1));
>      (bin->orig_bytes)[0] = (char)(i & 0xff);

This return value (i & 0xff) (which may be 1, 0 or 0xff) is sent back
to the caller where it is compared to 1.
The corresponding excerpt from lib/crypto/src/crypto.erl:

dss_verify(Dgst,Signature,Key) ->
    control(?DSS_VERIFY, [Dgst,Signature,Key]) == <<1>>.

So, this report is invalid and I'm closing it.

Cheers!
-- 
Sergei Golovan
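To make the closing argument concrete, here is an added example (not code from the Erlang crypto driver or from either poster) that models the marshalling discussed above: DSA_do_verify() yields 1, 0 or -1; the driver stores (i & 0xff) in a one-byte binary; and crypto.erl accepts the result only when it equals <<1>>. The function nonzero_is_success_accepts() is a hypothetical contrasting caller, included to show why the exact comparison with 1 matters; no OpenSSL calls are made, the verify return codes are supplied as inputs.

```c
#include <stdbool.h>
#include <stdio.h>

/* Driver side: reduce the int returned by DSA_do_verify() to the single
 * byte sent back to Erlang, as (char)(i & 0xff) does in crypto_drv.c.
 * 1 -> 0x01, 0 -> 0x00, -1 -> 0xff. */
unsigned char pack_verify_result(int openssl_rc)
{
    return (unsigned char)(openssl_rc & 0xff);
}

/* crypto.erl side, modelled: `control(...) == <<1>>`. Only the byte 1
 * is a successful verification; 0x00 and 0xff are both rejected. */
bool erl_dss_verify_accepts(unsigned char byte)
{
    return byte == 1;
}

/* Hypothetical caller that treats any nonzero byte as success. This is
 * the pattern the reporter was worried about: it would accept the 0xff
 * produced by an OpenSSL error return of -1. */
bool nonzero_is_success_accepts(unsigned char byte)
{
    return byte != 0;
}

/* End-to-end: true only if the marshalled result passes the given check. */
bool verify_outcome(int openssl_rc, bool (*accept)(unsigned char))
{
    return accept(pack_verify_result(openssl_rc));
}

int main(void)
{
    const int rcs[] = { 1, 0, -1 };  /* constructed sample return codes */
    for (int k = 0; k < 3; k++) {
        printf("rc=%2d byte=0x%02x  ==<<1>>: %d  nonzero: %d\n",
               rcs[k], pack_verify_result(rcs[k]),
               verify_outcome(rcs[k], erl_dss_verify_accepts),
               verify_outcome(rcs[k], nonzero_is_success_accepts));
    }
    return 0;
}
```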




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 10 Feb 2009 07:27:35 GMT) Full text and rfc822 format available.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 16:55:40 2014; Machine Name: buxtehude.debian.org
