
Bug#513539: marked as done (wvstreams: Does not properly check return type of X509_REQ_verify())



Your message dated Sat, 07 Feb 2009 13:02:19 +0000
with message-id <E1LVmp9-0001bg-Au@ries.debian.org>
and subject line Bug#513539: fixed in wvstreams 4.4.1-1.1
has caused the Debian Bug report #513539,
regarding wvstreams: Does not properly check return type of X509_REQ_verify()
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
513539: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=513539
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: wvstreams
Severity: serious
Tags: security

Hi,

I was looking at return codes for applications making use of
openssl functions and found this in crypto/wvx509.cc:
    int verify_result = X509_REQ_verify(certreq, pk);
    if (verify_result == 0)
    {
        debug(WvLog::Warning, "Self signed request failed");
        X509_REQ_free(certreq);
        EVP_PKEY_free(pk);
        return WvString::null;
    }
    else
    {
        debug("Self Signed Certificate Request verifies OK!\n");
    }

X509_REQ_verify() is a function that returns the value of
ASN1_item_verify() which can return -1 in case the message
digest type is not known or there is an out of memory condition.

I have no idea how this is used exactly or what the
consequences of this are.

If the attacker can not specify the certificate that is being
used there probably isn't any serious problem.


Kurt




--- End Message ---
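The tri-state return value the report describes, with the report's check beside a corrected one, as an added example that is not part of the bug report or of wvstreams; fake_X509_REQ_verify, struct fake_req and the known-digest list are constructed stand-ins for the OpenSSL behaviour the report quotes, not OpenSSL itself.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the X509_REQ_verify() contract given in the
 * report: 1 = signature verifies, 0 = signature does not verify,
 * -1 = error from ASN1_item_verify() (unknown digest type, out of memory). */
struct fake_req {
    const char *digest;   /* name of the message digest used by the request */
    int sig_matches;      /* 1 if the embedded signature is correct */
};

static int fake_X509_REQ_verify(const struct fake_req *req)
{
    /* Hypothetical "known digest" list; anything else is an error (-1). */
    if (strcmp(req->digest, "sha1") != 0 && strcmp(req->digest, "sha256") != 0)
        return -1;
    return req->sig_matches ? 1 : 0;
}

/* Check as in crypto/wvx509.cc before the fix: only 0 is treated as
 * failure, so the error value -1 falls through to the "verifies OK" branch. */
int accepts_buggy(const struct fake_req *req)
{
    int verify_result = fake_X509_REQ_verify(req);
    return verify_result != 0;
}

/* Corrected check: only the documented success value 1 is accepted;
 * both 0 (bad signature) and -1 (verification error) are rejected. */
int accepts_fixed(const struct fake_req *req)
{
    int verify_result = fake_X509_REQ_verify(req);
    return verify_result == 1;
}

int main(void)
{
    const struct fake_req reqs[] = {
        { "sha256", 1 },   /* good request */
        { "sha256", 0 },   /* tampered signature */
        { "md99",   0 },   /* unknown digest: verify reports an error (-1) */
    };
    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++)
        printf("digest=%-7s sig=%d  buggy=%d fixed=%d\n", reqs[i].digest,
               reqs[i].sig_matches, accepts_buggy(&reqs[i]), accepts_fixed(&reqs[i]));
    return 0;
}
```

The third row is the case from the report: the error return is accepted as a valid self-signed request by the original check and rejected by the corrected one.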
--- Begin Message ---
Source: wvstreams
Source-Version: 4.4.1-1.1

We believe that the bug you reported is fixed in the latest version of
wvstreams, which is due to be installed in the Debian FTP archive:

libuniconf4.4_4.4.1-1.1_amd64.deb
  to pool/main/w/wvstreams/libuniconf4.4_4.4.1-1.1_amd64.deb
libwvstreams-dev_4.4.1-1.1_amd64.deb
  to pool/main/w/wvstreams/libwvstreams-dev_4.4.1-1.1_amd64.deb
libwvstreams4.4-base_4.4.1-1.1_amd64.deb
  to pool/main/w/wvstreams/libwvstreams4.4-base_4.4.1-1.1_amd64.deb
libwvstreams4.4-doc_4.4.1-1.1_all.deb
  to pool/main/w/wvstreams/libwvstreams4.4-doc_4.4.1-1.1_all.deb
libwvstreams4.4-extras_4.4.1-1.1_amd64.deb
  to pool/main/w/wvstreams/libwvstreams4.4-extras_4.4.1-1.1_amd64.deb
libwvstreams4.4-qt_4.4.1-1.1_amd64.deb
  to pool/main/w/wvstreams/libwvstreams4.4-qt_4.4.1-1.1_amd64.deb
uniconf-tools_4.4.1-1.1_amd64.deb
  to pool/main/w/wvstreams/uniconf-tools_4.4.1-1.1_amd64.deb
uniconfd_4.4.1-1.1_amd64.deb
  to pool/main/w/wvstreams/uniconfd_4.4.1-1.1_amd64.deb
wvstreams_4.4.1-1.1.diff.gz
  to pool/main/w/wvstreams/wvstreams_4.4.1-1.1.diff.gz
wvstreams_4.4.1-1.1.dsc
  to pool/main/w/wvstreams/wvstreams_4.4.1-1.1.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 513539@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Moritz Mühlenhoff <jmm@debian.org> (supplier of updated wvstreams package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Sat, 07 Feb 2009 13:34:04 +0100
Source: wvstreams
Binary: libwvstreams4.4-base libwvstreams4.4-extras libuniconf4.4 libwvstreams4.4-doc libwvstreams4.4-qt libwvstreams-dev uniconfd uniconf-tools
Architecture: source amd64 all
Version: 4.4.1-1.1
Distribution: unstable
Urgency: high
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Moritz Mühlenhoff <jmm@debian.org>
Description: 
 libuniconf4.4 - C++ network libraries for rapid application development
 libwvstreams-dev - Development libraries and header files for libwvstreams4.4
 libwvstreams4.4-base - C++ network libraries for rapid application development
 libwvstreams4.4-doc - Documentation for WvStreams
 libwvstreams4.4-extras - C++ network libraries for rapid application development
 libwvstreams4.4-qt - WvStreams and Qt Event Integration Library
 uniconf-tools - Tools to interface with UniConf
 uniconfd   - Server that manages UniConf elements
Closes: 513539
Changes: 
 wvstreams (4.4.1-1.1) unstable; urgency=high
 .
   * Non-maintainer upload.
   * Fix return type checking of X509_REQ_verify (Closes: #513539)




--- End Message ---
