Bug#511519: libcrypt-openssl-dsa-perl: return values of openssl functions.
Damyan Ivanov
dmn at debian.org
Wed Jan 28 21:52:18 UTC 2009
Hi Kurt,
-=| Kurt Roeckx, Sun, Jan 11, 2009 at 08:36:34PM +0100 |=-
> Package: libcrypt-openssl-dsa-perl
> Severity: serious
> Tags: security
>
> I've been checking packages to see if they properly check the return
> value of some of the functions in openssl.
>
> It seems that your package calls functions like DSA_verify
> and DSA_do_verify and just returns those values. Looking
> at the documentation, it seems to suggest that != 0 would
> mean that it was successful.
This is my impression too.
> However those functions can also return -1 on failure. This
> would then mean that other applications making use of this
> could wrongly check the return value.
Since $dsa->verify(...) croaks if the underlying OpenSSL call returns -1,
it seems to me that croaking in do_verify(...) is the right thing to
do.
From what I understand, verify() and do_verify() only differ in what
they accept as parameters, otherwise the semantic is the same --
verify a signature.
In your opinion, would (1) patching do_verify() to croak if the underlying
library call returns -1, (2) documenting the fact that both verify()
and do_verify() may croak, and (3) sending the patch upstream
fix the bug?
Thanks for your help!
--
dam JabberID: dam at jabber.minus273.org
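The pattern discussed in this thread, as an added example that is not part of the bug report or of Crypt::OpenSSL::DSA itself: a caller-side wrapper that maps OpenSSL's tri-state verify result (1 valid, 0 invalid, -1 error) onto a boolean and dies on -1, so an error can never be mistaken for a valid signature. It assumes Crypt::OpenSSL::DSA and Digest::SHA are installed; the key, message and the `normalize_verify_result`/`verify_strict` names are constructed for the demo.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Crypt::OpenSSL::DSA;
use Digest::SHA qw(sha1);

# Map OpenSSL's tri-state verify result onto a plain boolean.
# DSA_verify/DSA_do_verify return 1 (valid), 0 (invalid) or -1 (error).
# In Perl -1 is true, so a caller writing "if ($dsa->do_verify(...))"
# would accept an error as a valid signature. Anything other than 0/1
# is therefore turned into an exception instead of a true value.
sub normalize_verify_result {
    my ($rc) = @_;
    return 1 if $rc == 1;
    return 0 if $rc == 0;
    die "DSA verification error (OpenSSL returned $rc)\n";
}

# Wrapper around do_verify() that never hands -1 back to the caller.
sub verify_strict {
    my ($dsa, $digest, $sig) = @_;
    my $rc = $dsa->do_verify($digest, $sig);
    return normalize_verify_result($rc);
}

# Constructed demo: throwaway 1024-bit parameters and key pair.
my $dsa = Crypt::OpenSSL::DSA->generate_parameters(1024);
$dsa->generate_key;

# do_sign()/do_verify() operate on a 20-byte SHA-1 digest, not the message.
my $digest = sha1("message to sign");
my $sig    = $dsa->do_sign($digest);

printf "genuine signature: %s\n",
    verify_strict($dsa, $digest, $sig) ? "valid" : "INVALID";
printf "tampered message:  %s\n",
    verify_strict($dsa, sha1("other message"), $sig) ? "valid" : "INVALID";

# The -1 path, exercised directly so the demo does not need a real
# OpenSSL error condition to show that the wrapper dies rather than
# returning a true value.
eval { normalize_verify_result(-1) };
print "error result raised: $@" if $@;
```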