Package: tqsllib
Severity: serious
Tags: security

Hi,

I've been checking packages to see if they properly check the return value of some of the functions in openssl.

In openssl_cert.cpp there is this piece of code:

    if (!EVP_VerifyFinal(&ctx, sig, slen, TQSL_API_TO_CERT(cert)->key)) {
        tQSL_Error = TQSL_OPENSSL_ERROR;
        return 1;
    }

But EVP_VerifyFinal can return -1 on errors too. A good way to check the value would be something like:

    if (EVP_VerifyFinal(&ctx, sig, slen, TQSL_API_TO_CERT(cert)->key) <= 0) {

I have no idea if this code is being used and what the consequences of this might be.

Kurt
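Added example, not part of the original report and not tqsllib or OpenSSL code: a small model of the two checks quoted above, run against a call that returns 1 (valid), 0 (invalid) or -1 (error). `mock_verify_final`, the 4-byte tag and the sample signatures are constructed stand-ins; only the return-value convention is taken from the report.

```c
#include <stdio.h>
#include <string.h>

/* Tri-state result, as described in the report for EVP_VerifyFinal. */
enum { VERIFY_OK = 1, VERIFY_BAD = 0, VERIFY_ERROR = -1 };

/* Constructed sample inputs (assumption: a valid "signature" is this 4-byte tag). */
static const unsigned char GOOD_SIG[4]      = { 0xde, 0xad, 0xbe, 0xef };
static const unsigned char BAD_SIG[4]       = { 0xde, 0xad, 0xbe, 0x00 };
static const unsigned char MALFORMED_SIG[2] = { 0xde, 0xad };

/* Hypothetical stand-in for the verify call: wrong length is treated as a
 * processing error (-1), a wrong tag as an invalid signature (0). */
static int mock_verify_final(const unsigned char *sig, size_t slen)
{
    if (sig == NULL || slen != sizeof GOOD_SIG)
        return VERIFY_ERROR;
    return memcmp(sig, GOOD_SIG, sizeof GOOD_SIG) == 0 ? VERIFY_OK : VERIFY_BAD;
}

/* Check as written in openssl_cert.cpp: only 0 is rejected, so -1 is
 * logically true under '!' and falls through as "verified". Returns 1 if accepted. */
int accept_buggy(const unsigned char *sig, size_t slen)
{
    if (!mock_verify_final(sig, slen))
        return 0;
    return 1;
}

/* Check suggested in the report: every non-positive result is rejected. */
int accept_fixed(const unsigned char *sig, size_t slen)
{
    if (mock_verify_final(sig, slen) <= 0)
        return 0;
    return 1;
}

int main(void)
{
    printf("input      buggy  fixed\n");
    printf("good       %d      %d\n", accept_buggy(GOOD_SIG, sizeof GOOD_SIG),
           accept_fixed(GOOD_SIG, sizeof GOOD_SIG));
    printf("bad        %d      %d\n", accept_buggy(BAD_SIG, sizeof BAD_SIG),
           accept_fixed(BAD_SIG, sizeof BAD_SIG));
    printf("malformed  %d      %d\n", accept_buggy(MALFORMED_SIG, sizeof MALFORMED_SIG),
           accept_fixed(MALFORMED_SIG, sizeof MALFORMED_SIG));
    return 0;
}
```

The two checks differ only on the malformed row, where the `!` form accepts the input and the `<= 0` form rejects it.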