Subject: CVE-2009-0129: Missing error check in do_verify
Date: Tue, 02 Oct 2012 09:47:06 +0200 (CEST)
To: bug-Crypt-OpenSSL-DSA [...] rt.cpan.org
From: Havard Eidnes <he [...] NetBSD.org>
Hi,
it appears that your package has been listed in CVE, ref.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0129
I believe the two attached patches fix this particular problem;
they are taken from Debian, ref.
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=511519
and in particular
http://launchpadlibrarian.net/22398531/libcrypt-openssl-dsa-perl_0.13-3_0.13-4.diff.gz
I hope you can find the time to apply this small fix.
Best regards,
- Havard
$NetBSD$
Croak in do_verify() if the openssl library returns an error,
similar to what is already done in verify().
--- DSA.xs.orig 2005-05-22 20:14:52.000000000 +0000
+++ DSA.xs
@@ -139,6 +139,8 @@ do_verify(dsa, dgst, sig)
CODE:
dgst_pv = SvPV(dgst, dgst_len);
RETVAL = DSA_do_verify(dgst_pv, dgst_len, sig, dsa);
+ if (RETVAL == -1)
+ croak("Error in DSA_do_verify: %s",ERR_error_string(ERR_get_error(), NULL));
OUTPUT:
RETVAL
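Review bot: the new `if (RETVAL == -1)` test is the right trigger, since DSA_do_verify returns 1 for a valid signature, 0 for an invalid one and -1 on error; before this check the -1 was handed straight to Perl, where it is a true value, so a library failure looked like a successful verification to any caller that tested the result for truth. Two refinements: `ERR_error_string(ERR_get_error(), NULL)` formats into a static buffer, which is not safe under threaded perls, so `ERR_error_string_n()` with a local `char buf[256]` is preferable; and the message is only human-readable if the crypto error strings have been loaded (`ERR_load_crypto_strings()`) during module initialisation, otherwise the croak carries a bare hex code, which is worth confirming in the module's BOOT section.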
$NetBSD$
Document that the verify and do_verify methods will croak on library errors.
--- lib/Crypt/OpenSSL/DSA.pm.orig 2005-10-15 21:38:04.000000000 +0000
+++ lib/Crypt/OpenSSL/DSA.pm
@@ -124,10 +124,14 @@ Verifies that the $sig signature for $me
$dsa is the signer's public key.
+Note: it croaks if the underlying library call returns error (-1).
+
=item $valid = $dsa->do_verify( $message, $sig_obj );
Similar to C<verify>, but uses a L<Crypt::OpenSSL::DSA::Signature> object.
+Note: it croaks if the underlying library call returns error (-1).
+
=item $dsa->write_params( $filename );
Writes the parameters into a PEM file.
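Review bot: the two added `Note:` lines document the croak but leave the success values implicit; since the point of this fix is that -1 used to be truthy in Perl, the POD should also spell out that 1 means a valid signature and 0 an invalid one, and advise callers to test `== 1` rather than plain truth. Minor wording: "returns error (-1)" reads better as "returns an error (-1)".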
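The following caller-side script is an added illustration of the contract the patches above establish (the croak in do_verify and the documentation note); it is not part of the patch or of the Crypt::OpenSSL::DSA distribution. It assumes a patched Crypt::OpenSSL::DSA is installed and uses only its documented methods (generate_parameters, generate_key, do_sign, do_verify); the 20-byte digest is a constructed value, not a real hash.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Crypt::OpenSSL::DSA;

# Defensive wrapper around do_verify: returns 1 only when the library
# explicitly reports a valid signature. The croak added by the patch (a
# library error, -1 at the C level) is caught by eval and treated as a
# failed verification, and any return other than exactly 1 is also a
# failure, so a caller never relies on Perl truthiness.
sub signature_is_valid {
    my ($dsa, $digest, $sig) = @_;
    my $rc = eval { $dsa->do_verify($digest, $sig) };
    if (!defined $rc) {
        warn "verification aborted: $@" if $@;
        return 0;
    }
    return $rc == 1 ? 1 : 0;
}

# Why the fix matters: before the patch, a library error reached Perl as
# -1, and -1 is a true value, so "if ($dsa->do_verify(...))" accepted it.
sub naive_truth_test_accepts_error {
    my $unpatched_return = -1;   # constructed: what an unpatched do_verify returned on error
    return $unpatched_return ? 1 : 0;   # 1, i.e. error mistaken for success
}

# Demo: generate a key, sign a constructed 20-byte digest, verify it,
# then verify against a different digest to show the negative path.
my $dsa = Crypt::OpenSSL::DSA->generate_parameters(1024);
$dsa->generate_key;
my $digest = "\x01" x 20;                 # constructed stand-in for a SHA-1 digest
my $sig    = $dsa->do_sign($digest);

print "good signature:   ", signature_is_valid($dsa, $digest, $sig), "\n";
print "tampered digest:  ", signature_is_valid($dsa, "\x02" x 20, $sig), "\n";
print "naive truth test on -1 accepts error: ",
      naive_truth_test_accepts_error(), "\n";
```

The eval boundary is the point of the wrapper: once do_verify can die, any code path that calls it without catching the exception aborts the whole request, which is safer than the pre-patch behaviour but still worth handling deliberately, and comparing against 1 keeps the caller correct even against an unpatched build.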