Package: ntp
Severity: important
Tags: security

I was looking at return codes for applications making use of openssl functions and found several cases of code looking like:

    if (!X509_verify(cert, pkey)) {

X509_verify is a call to ASN1_item_verify which can return both 0 and -1 for error cases. In particular it can return -1 when the message digest type is not known, or memory allocation failed.

As I understand things, x509 certificates are sent over the network, and this can probably be exploited.

Kurt
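
The return-code problem described in the report above, as an added example that is not part of the original report and is not ntp or OpenSSL code. `verify_stub` and the scenario names are hypothetical stand-ins that only reproduce the 1 / 0 / -1 return convention the report describes, so the block compiles without OpenSSL.

```c
#include <stdio.h>

/* Constructed scenarios for the stand-in verifier (hypothetical names). */
enum scenario { SIG_VALID, SIG_MISMATCH, DIGEST_UNKNOWN };

/* Stand-in for X509_verify(), using the return convention from the report:
 * 1 = verified, 0 = signature mismatch, -1 = internal error such as an
 * unknown message digest type or a failed allocation. Not OpenSSL code. */
static int verify_stub(enum scenario s)
{
    switch (s) {
    case SIG_VALID:    return 1;
    case SIG_MISMATCH: return 0;
    default:           return -1;
    }
}

/* Pattern quoted in the report: only 0 is treated as failure,
 * so the -1 error return falls through to the accept path. */
static int accept_unchecked(enum scenario s)
{
    if (!verify_stub(s))
        return 0;   /* rejected */
    return 1;       /* accepted, including the -1 error case */
}

/* Corrected check: 0 and every negative value are failures. */
static int accept_checked(enum scenario s)
{
    if (verify_stub(s) <= 0)
        return 0;   /* rejected */
    return 1;       /* accepted only when the stub returned 1 */
}

int main(void)
{
    static const char *name[] = { "valid", "mismatch", "digest unknown" };
    for (int s = SIG_VALID; s <= DIGEST_UNKNOWN; s++)
        printf("%-15s unchecked=%d checked=%d\n", name[s],
               accept_unchecked((enum scenario)s),
               accept_checked((enum scenario)s));
    return 0;
}
```

When auditing callers, any test of the form `!X509_verify(...)` or `X509_verify(...) == 0` has the same gap; comparing against `<= 0` closes it.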