Hi Kurt, -=| Kurt Roeckx, Sun, Jan 11, 2009 at 08:36:34PM +0100 |=- > Package: libcrypt-openssl-dsa-perl > Severity: serious > Tags: security > > I've been checking packages to see if they properly check the return > value of some of the functions in openssl. > > It seems that your package calls functions like DSA_verify > and DSA_do_verify and just returns those values. Looking > at the documentation, it seems to suggest that != 0 would > mean that it was succesful.
This is my impression too. > However those functions can also return -1 on failure. This > would then mean that other applications making use of this > could wrongly check the return value. Since $dsa->verify(...) croaks in underlying OpenSSL call returns -1, it seems to me that croaking in do_verify(...) is the right thing to do. From what I understand, verify() and do_verify() only differ in what they accept as parameters, otherwise the semantic is the same -- verify a signature. Does in your opinion (1) patching do_verify() to croak if underlaying library call returns -1, (2) documenting the fact that both verify() and do_verify() may croak and (3) sending the patch upstream, would fix the bug? Thanks for your help! -- dam JabberID: d...@jabber.minus273.org
signature.asc
Description: Digital signature
