
Bug#511509: marked as done (tqsllib: Improper checking of the return value of EVP_VerifyFinal())



Your message dated Sat, 17 Jan 2009 18:02:09 +0000
with message-id <E1LOFUn-0003fJ-SW@ries.debian.org>
and subject line Bug#511509: fixed in tqsllib 2.0-8
has caused the Debian Bug report #511509,
regarding tqsllib: Improper checking of the return value of EVP_VerifyFinal()
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
511509: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=511509
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: tqsllib
Severity: serious
Tags: security

Hi,

I've been checking packages to see if they properly check the return
value of some of the functions in openssl.  In openssl_cert.cpp
there is this piece of code:
        if (!EVP_VerifyFinal(&ctx, sig, slen, TQSL_API_TO_CERT(cert)->key)) {
                tQSL_Error = TQSL_OPENSSL_ERROR;
                return 1;
        }

But EVP_VerifyFinal can return -1 on errors too.  A good way to check
the value would be something like:
        if (EVP_VerifyFinal(&ctx, sig, slen, TQSL_API_TO_CERT(cert)->key) <= 0) {

I have no idea if this code is being used and what the consequences
of this might be.


Kurt




--- End Message ---
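The return-value mistake in Kurt's report, as an added example that is not part of the bug report or of tqsllib: a constructed stand-in for EVP_VerifyFinal() (toy_verify_final, toy_sign and toy_key are assumed names, not OpenSSL) keeps OpenSSL's 1 / 0 / -1 contract, and the original `!rc` check is run beside the proposed `<= 0` check so the accepted-on-error path is visible.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for EVP_VerifyFinal() with the same contract:
 * 1 = verified, 0 = signature mismatch, -1 = error (here: no key).
 * NOT OpenSSL: the "signature" is a toy XOR checksum, so no libcrypto. */
typedef struct { unsigned char k; } toy_key;

static unsigned char toy_sign(const unsigned char *m, size_t n, const toy_key *key)
{
    unsigned char sum = 0;
    for (size_t i = 0; i < n; i++) sum ^= m[i];
    return sum ^ key->k;
}

static int toy_verify_final(const unsigned char *m, size_t n, unsigned char sig, const toy_key *key)
{
    if (key == NULL) return -1;                /* error path, like OpenSSL's -1 */
    return toy_sign(m, n, key) == sig ? 1 : 0;
}

/* Same shape as the check quoted from openssl_cert.cpp: 0 = accepted, 1 = rejected.
 * '!rc' is false when rc == -1, so an internal error is ACCEPTED as verified. */
static int verify_buggy(const unsigned char *m, size_t n, unsigned char sig, const toy_key *key)
{
    if (!toy_verify_final(m, n, sig, key)) return 1;   /* as in the report */
    return 0;
}

/* The check the report proposes: anything <= 0 (mismatch or error) is a failure. */
static int verify_fixed(const unsigned char *m, size_t n, unsigned char sig, const toy_key *key)
{
    if (toy_verify_final(m, n, sig, key) <= 0) return 1;
    return 0;
}

static const toy_key SAMPLE_KEY = { 0x5a };                 /* constructed */
static const unsigned char SAMPLE_MSG[] = "sample QSO record"; /* constructed */
#define SAMPLE_LEN (sizeof SAMPLE_MSG - 1)

int main(void)
{
    unsigned char sig = toy_sign(SAMPLE_MSG, SAMPLE_LEN, &SAMPLE_KEY);
    /* Key missing: the stub returns -1; the buggy check still reports 0 (accepted). */
    printf("key missing: buggy=%d fixed=%d\n", verify_buggy(SAMPLE_MSG, SAMPLE_LEN, sig, NULL),
           verify_fixed(SAMPLE_MSG, SAMPLE_LEN, sig, NULL));
    return 0;
}
```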
--- Begin Message ---
Source: tqsllib
Source-Version: 2.0-8

We believe that the bug you reported is fixed in the latest version of
tqsllib, which is due to be installed in the Debian FTP archive:

tqsllib-dev_2.0-8_i386.deb
  to pool/main/t/tqsllib/tqsllib-dev_2.0-8_i386.deb
tqsllib1c2a_2.0-8_i386.deb
  to pool/main/t/tqsllib/tqsllib1c2a_2.0-8_i386.deb
tqsllib_2.0-8.diff.gz
  to pool/main/t/tqsllib/tqsllib_2.0-8.diff.gz
tqsllib_2.0-8.dsc
  to pool/main/t/tqsllib/tqsllib_2.0-8.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 511509@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Joop Stakenborg <pa3aba@debian.org> (supplier of updated tqsllib package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Sat, 17 Jan 2009 18:53:39 +0100
Source: tqsllib
Binary: tqsllib1c2a tqsllib-dev
Architecture: source i386
Version: 2.0-8
Distribution: unstable
Urgency: low
Maintainer: Debian Hamradio Maintainers <debian-hams@lists.debian.org>
Changed-By: Joop Stakenborg <pa3aba@debian.org>
Description: 
 tqsllib-dev - QSL signing library development files
 tqsllib1c2a - QSL signing routines for the Logbook of the World (LoTW)
Closes: 511509
Changes: 
 tqsllib (2.0-8) unstable; urgency=low
 .
   * Check return value of EVP_VerifyFinal correctly. Closes: #511509.




--- End Message ---
