
Bug#513539: marked as done (wvstreams: Does not properly check return type of X509_REQ_verify())



Your message dated Wed, 04 Feb 2009 18:47:06 +0000
with message-id <E1LUmmA-0004Ce-3U@ries.debian.org>
and subject line Bug#513539: fixed in wvstreams 4.4.1-0.2+lenny1
has caused the Debian Bug report #513539,
regarding wvstreams: Does not properly check return type of X509_REQ_verify()
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
513539: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=513539
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: wvstreams
Severity: serious
Tags: security

Hi,

I was looking at return codes for applications making use of
openssl functions and found this in crypto/wvx509.cc:
    int verify_result = X509_REQ_verify(certreq, pk);
    if (verify_result == 0)
    {
        debug(WvLog::Warning, "Self signed request failed");
        X509_REQ_free(certreq);
        EVP_PKEY_free(pk);
        return WvString::null;
    }
    else
    {
        debug("Self Signed Certificate Request verifies OK!\n");
    }

X509_REQ_verify() is a function that returns the value of
ASN1_item_verify() which can return -1 in case the message
digest type is not known or there is an out of memory condition.

I have no idea how this is used exactly or what the
consequences of this are.

If the attacker cannot specify the certificate that is being
used there probably isn't any serious problem.


Kurt




--- End Message ---
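The report above turns on a return-value convention: X509_REQ_verify() reports 1 for a signature that verifies, 0 for a signature that does not, and -1 for an error (unknown digest type, allocation failure), so a check written as `if (verify_result == 0)` treats the error case as success. The following C program is an added illustration and is not code from wvstreams, OpenSSL or the bug report; it stands in for X509_REQ_verify() with a constructed mock (`fake_x509_req_verify`, `struct fake_req`, both hypothetical) that honours the same three return values, so the two checks can be run side by side without OpenSSL installed. The "fixed" check shown here (accept only 1) is the shape such a fix normally takes, not the literal patch in 4.4.1-0.2+lenny1, which the page does not show.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for X509_REQ holding only what the mock needs. */
struct fake_req {
    const char *digest_name;   /* digest named in the request; unknown -> -1 */
    int signature_matches;     /* 1 if the self-signature checks out, else 0 */
};

/* Mock of X509_REQ_verify() following its documented return convention:
 * 1 = signature verified, 0 = signature bad, -1 = error. The -1 paths
 * mirror the ones named in the report: unknown digest and out of memory. */
int fake_x509_req_verify(const struct fake_req *req)
{
    if (req == NULL || req->digest_name == NULL)
        return -1;                          /* models an allocation/setup failure */
    if (strcmp(req->digest_name, "sha256") != 0 &&
        strcmp(req->digest_name, "sha1") != 0)
        return -1;                          /* message digest type is not known */
    return req->signature_matches ? 1 : 0;
}

/* The check as quoted from crypto/wvx509.cc: only a result of exactly 0
 * is rejected, so the -1 error result falls into the "verifies OK" branch. */
int accepted_by_original_check(const struct fake_req *req)
{
    int verify_result = fake_x509_req_verify(req);
    if (verify_result == 0)
        return 0;                           /* "Self signed request failed" */
    return 1;                               /* "Self Signed Certificate Request verifies OK!" */
}

/* Hardened form: treat only the documented success value as success.
 * Both 0 (bad signature) and -1 (verification could not be performed)
 * are rejected; an error is never evidence that the signature is good. */
int accepted_by_fixed_check(const struct fake_req *req)
{
    int verify_result = fake_x509_req_verify(req);
    return verify_result == 1;
}

int main(void)
{
    /* Constructed sample requests covering all three return values. */
    const struct fake_req cases[] = {
        { "sha256",        1 },   /* good signature            -> 1  */
        { "sha256",        0 },   /* bad signature             -> 0  */
        { "unknown-digest", 1 },  /* digest not known          -> -1 */
    };
    const char *labels[] = { "good signature", "bad signature", "unknown digest" };

    printf("%-16s %8s %10s %8s\n", "case", "verify()", "original", "fixed");
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        printf("%-16s %8d %10s %8s\n", labels[i],
               fake_x509_req_verify(&cases[i]),
               accepted_by_original_check(&cases[i]) ? "accept" : "reject",
               accepted_by_fixed_check(&cases[i])    ? "accept" : "reject");
    }
    return 0;
}
```

The third row is the one the report is about: the original check accepts a request whose signature was never actually verified. The same pattern applies to every OpenSSL verify-style call that returns 1/0/-1, so the habit worth building is to compare against the single success value (or reject on `<= 0`) rather than against 0.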
--- Begin Message ---
Source: wvstreams
Source-Version: 4.4.1-0.2+lenny1

We believe that the bug you reported is fixed in the latest version of
wvstreams, which is due to be installed in the Debian FTP archive:

libuniconf4.4_4.4.1-0.2+lenny1_amd64.deb
  to pool/main/w/wvstreams/libuniconf4.4_4.4.1-0.2+lenny1_amd64.deb
libwvstreams-dev_4.4.1-0.2+lenny1_amd64.deb
  to pool/main/w/wvstreams/libwvstreams-dev_4.4.1-0.2+lenny1_amd64.deb
libwvstreams4.4-base_4.4.1-0.2+lenny1_amd64.deb
  to pool/main/w/wvstreams/libwvstreams4.4-base_4.4.1-0.2+lenny1_amd64.deb
libwvstreams4.4-doc_4.4.1-0.2+lenny1_all.deb
  to pool/main/w/wvstreams/libwvstreams4.4-doc_4.4.1-0.2+lenny1_all.deb
libwvstreams4.4-extras_4.4.1-0.2+lenny1_amd64.deb
  to pool/main/w/wvstreams/libwvstreams4.4-extras_4.4.1-0.2+lenny1_amd64.deb
libwvstreams4.4-qt_4.4.1-0.2+lenny1_amd64.deb
  to pool/main/w/wvstreams/libwvstreams4.4-qt_4.4.1-0.2+lenny1_amd64.deb
uniconf-tools_4.4.1-0.2+lenny1_amd64.deb
  to pool/main/w/wvstreams/uniconf-tools_4.4.1-0.2+lenny1_amd64.deb
uniconfd_4.4.1-0.2+lenny1_amd64.deb
  to pool/main/w/wvstreams/uniconfd_4.4.1-0.2+lenny1_amd64.deb
wvstreams_4.4.1-0.2+lenny1.diff.gz
  to pool/main/w/wvstreams/wvstreams_4.4.1-0.2+lenny1.diff.gz
wvstreams_4.4.1-0.2+lenny1.dsc
  to pool/main/w/wvstreams/wvstreams_4.4.1-0.2+lenny1.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 513539@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Moritz Mühlenhoff <jmm@debian.org> (supplier of updated wvstreams package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 04 Feb 2009 19:15:42 +0100
Source: wvstreams
Binary: libwvstreams4.4-base libwvstreams4.4-extras libuniconf4.4 libwvstreams4.4-doc libwvstreams4.4-qt libwvstreams-dev uniconfd uniconf-tools
Architecture: source amd64 all
Version: 4.4.1-0.2+lenny1
Distribution: testing-proposed-updates
Urgency: medium
Maintainer: Simon Law <sfllaw@debian.org>
Changed-By: Moritz Mühlenhoff <jmm@debian.org>
Description: 
 libuniconf4.4 - C++ network libraries for rapid application development
 libwvstreams-dev - Development libraries and header files for libwvstreams4.4
 libwvstreams4.4-base - C++ network libraries for rapid application development
 libwvstreams4.4-doc - Documentation for WvStreams
 libwvstreams4.4-extras - C++ network libraries for rapid application development
 libwvstreams4.4-qt - WvStreams and Qt Event Integration Library
 uniconf-tools - Tools to interface with UniConf
 uniconfd   - Server that manages UniConf elements
Closes: 513539
Changes: 
 wvstreams (4.4.1-0.2+lenny1) testing-proposed-updates; urgency=medium
 .
   * Non-maintainer upload.
   * Fix return type checking of X509_REQ_verify (Closes: #513539)
Checksums-Sha1: 
 7987500b638a640da36a0936277392160fa2a984 1383 wvstreams_4.4.1-0.2+lenny1.dsc
 baceca94f0cf4bb7715340085bed84d2bff8f10a 10504 wvstreams_4.4.1-0.2+lenny1.diff.gz
 4080d3f65bf3ac3e966040c12e30cf1bbb01bb92 418372 libwvstreams4.4-base_4.4.1-0.2+lenny1_amd64.deb
 95d1c5187dbb422a848f17239214c1a01902b436 608198 libwvstreams4.4-extras_4.4.1-0.2+lenny1_amd64.deb
 6a8a09047803f0c1461d71a22f92350d5befdda3 332864 libuniconf4.4_4.4.1-0.2+lenny1_amd64.deb
 a33c9b462e437a9ec5cb21dab209d8d4072f6388 241314 libwvstreams4.4-qt_4.4.1-0.2+lenny1_amd64.deb
 f0fac7f7fc39af04e10077a42be1516d852df23e 1581064 libwvstreams-dev_4.4.1-0.2+lenny1_amd64.deb
 e12812bd3499c179d3d2ac3d6019cfb2b7c934c5 223808 uniconfd_4.4.1-0.2+lenny1_amd64.deb
 34c9be12c9d3e2424e8241489aa92a55a6a7bce6 217482 uniconf-tools_4.4.1-0.2+lenny1_amd64.deb
 c0ea44f770815903ffb0c06c68f2abf4cf86c888 4397942 libwvstreams4.4-doc_4.4.1-0.2+lenny1_all.deb
Checksums-Sha256: 
 e79a68f3ffdc2e96c98840823e1d117c1ba86ac0ddb71d8e82b5dd547cd97835 1383 wvstreams_4.4.1-0.2+lenny1.dsc
 2e81b391ce819f46403288cc0f37af35ca315e31ef3fcd7a4fcd1f6c61511cc1 10504 wvstreams_4.4.1-0.2+lenny1.diff.gz
 dca85c2d249c96ec2d4eb9231b009d9efe4618cfcbec3dddac6f803b6a2dfbdb 418372 libwvstreams4.4-base_4.4.1-0.2+lenny1_amd64.deb
 8ede00d986da8f84af345a39d5da42d170124075d64faa680b11aea8a604b87d 608198 libwvstreams4.4-extras_4.4.1-0.2+lenny1_amd64.deb
 3f22896691641a73d23baaf3982f17d460193defc7f7c0d9705986063b517775 332864 libuniconf4.4_4.4.1-0.2+lenny1_amd64.deb
 d89362b58f0f09a14599164d690b1b35942c965d2747dd1d5de318e537a52452 241314 libwvstreams4.4-qt_4.4.1-0.2+lenny1_amd64.deb
 d26d54410c0112692369454a360dee9eef041caefbd1e4f5ffb0de525505fe38 1581064 libwvstreams-dev_4.4.1-0.2+lenny1_amd64.deb
 c5c5a75c8c0dcf23282783ee9dae7045ffdc3c88b4712e7915d25828ca509251 223808 uniconfd_4.4.1-0.2+lenny1_amd64.deb
 031f823f54d757f9bddd01c0519639da8efd9c6ee98e4c40f79a32ee180641ec 217482 uniconf-tools_4.4.1-0.2+lenny1_amd64.deb
 07ad0ef5997f8d31b3fc18f6f78a1ce04dd4f29872131e0c1edfaf907d045335 4397942 libwvstreams4.4-doc_4.4.1-0.2+lenny1_all.deb
Files: 
 a79cbab3e49e6bad02faded708e0dfda 1383 libs optional wvstreams_4.4.1-0.2+lenny1.dsc
 4662c0932702c334546215dcb301d587 10504 libs optional wvstreams_4.4.1-0.2+lenny1.diff.gz
 e79b9be8f2fdac8ce08a33b338b8b01a 418372 libs optional libwvstreams4.4-base_4.4.1-0.2+lenny1_amd64.deb
 65d3ec4a2033e64a8d6a8ce2724029bb 608198 libs optional libwvstreams4.4-extras_4.4.1-0.2+lenny1_amd64.deb
 61551ddfefbf353a1c738b78759ec6f5 332864 libs optional libuniconf4.4_4.4.1-0.2+lenny1_amd64.deb
 451e3ebd1bba714282ae89192644fae5 241314 libs optional libwvstreams4.4-qt_4.4.1-0.2+lenny1_amd64.deb
 6cc0c7aa873346290fde788ebcbbba9c 1581064 libdevel optional libwvstreams-dev_4.4.1-0.2+lenny1_amd64.deb
 4eab003f8232fa9747d9bfbcd683fcde 223808 utils optional uniconfd_4.4.1-0.2+lenny1_amd64.deb
 a87b217c121229cfcdd177821b3ab2fa 217482 utils optional uniconf-tools_4.4.1-0.2+lenny1_amd64.deb
 7fe59111950c041f05f8c2ae086749f7 4397942 doc optional libwvstreams4.4-doc_4.4.1-0.2+lenny1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkmJ3rgACgkQXm3vHE4uyloDWwCgkj4dEtajM0GNiB0VgbMTBP0h
B5wAnjYSr61wGsoTiiRbJeBMa/2pLo/6
=TQ7S
-----END PGP SIGNATURE-----



--- End Message ---
