Your message dated Mon, 02 Feb 2009 12:17:14 +0000
with message-id <e1ltxjm-0005c0...@ries.debian.org>
and subject line Bug#513514: fixed in newpki-client 2.0.0+rc1-4
has caused the Debian Bug report #513514,
regarding newpki-client: Does not properly check the LOG_ENTRY_verify return value.
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
513514: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=513514
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: newpki-client
Severity: serious
Tags: security

Hi,

I was looking at return codes for applications making use of
openssl functions and found this:
src/DlgShowLog.cpp:   if(!LOG_ENTRY_verify(lValue, (EVP_PKEY *)m_EntityCert.GetPublicKey()))

LOG_ENTRY_verify() is a function from libnewpki that does:
#define LOG_ENTRY_verify(x,pkey) \
        ASN1_item_verify(LogEntryBody::get_ASN1_ITEM(), x->sig->sig_alg, x->sig->signature, (char *)x->body, pkey)

ASN1_item_verify() can return -1 in case the message digest type is
not known or there is an out of memory condition.

I have no idea if this can be a problem and what the security
implications are.

If the attacker can not specify the certificate that is being
used there probably isn't any serious problem.


Kurt




--- End Message ---
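The report above hinges on the three-valued return convention of ASN1_item_verify(): 1 for a valid signature, 0 for an invalid one, and -1 for an internal error such as an unknown digest type or an out-of-memory condition. The added example below is not code from newpki or from the reporter; it uses a constructed stand-in for the verify call (simulated_log_entry_verify, with a hypothetical log_entry_t record) so that it runs without OpenSSL, and places the original `if(!LOG_ENTRY_verify(...))` pattern next to a check that only accepts an explicit 1. The point a reviewer would want to see is that `!rc` treats -1 exactly like 1, so an entry whose signature could not be checked at all is displayed as verified.

```cpp
#include <cstdio>
#include <string>

// Return convention mirrored from OpenSSL's ASN1_item_verify():
//   1  = signature verified
//   0  = signature did not verify
//  -1  = could not verify (unknown message digest type, out of memory, ...)
enum VerifyResult { VERIFY_ERR = -1, VERIFY_BAD = 0, VERIFY_OK = 1 };

// Hypothetical log entry record (constructed for this example; the real
// LOG_ENTRY struct carries an ASN.1 body and signature instead).
struct log_entry_t {
    std::string digest_alg;  // algorithm named in sig_alg
    bool sig_matches;        // would the signature check out if the digest were known?
};

// Constructed stand-in for LOG_ENTRY_verify()/ASN1_item_verify(): reproduces
// the three outcomes without doing any real cryptography.
int simulated_log_entry_verify(const log_entry_t &e) {
    if (e.digest_alg != "sha1" && e.digest_alg != "sha256")
        return VERIFY_ERR;  // unknown digest type: the real function returns -1 here
    return e.sig_matches ? VERIFY_OK : VERIFY_BAD;
}

// The pattern from DlgShowLog.cpp: reject only when the call returns zero.
// Returns true when the entry would be shown as verified.
bool accepts_entry_original(const log_entry_t &e) {
    if (!simulated_log_entry_verify(e))
        return false;  // only reached for 0
    return true;       // reached for 1 AND for -1: an error counts as success
}

// Hardened check: anything other than an explicit 1 is a rejection, and the
// error case is distinguished from a bad signature so it can be logged.
bool accepts_entry_fixed(const log_entry_t &e) {
    int rc = simulated_log_entry_verify(e);
    if (rc < 0) {
        std::fprintf(stderr, "signature could not be checked (rc=%d); treating as unverified\n", rc);
        return false;
    }
    return rc == 1;
}

int main() {
    const log_entry_t cases[] = {
        {"sha1", true},     // good signature
        {"sha1", false},    // bad signature
        {"md-unknown", true}  // digest the library does not know: verify returns -1
    };
    for (const log_entry_t &e : cases) {
        std::printf("%-12s sig_matches=%d  original=%d  fixed=%d\n",
                    e.digest_alg.c_str(), e.sig_matches,
                    accepts_entry_original(e), accepts_entry_fixed(e));
    }
    return 0;
}
```

Running it prints one line per case; the third row is the one the bug report is about, where the original check accepts the entry and the fixed check does not. The same `rc != 1` discipline applies to every OpenSSL verify-style call that documents a negative error return, not just ASN1_item_verify().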
--- Begin Message ---
Source: newpki-client
Source-Version: 2.0.0+rc1-4

We believe that the bug you reported is fixed in the latest version of
newpki-client, which is due to be installed in the Debian FTP archive:

newpki-client_2.0.0+rc1-4.diff.gz
  to pool/main/n/newpki-client/newpki-client_2.0.0+rc1-4.diff.gz
newpki-client_2.0.0+rc1-4.dsc
  to pool/main/n/newpki-client/newpki-client_2.0.0+rc1-4.dsc
newpki-client_2.0.0+rc1-4_amd64.deb
  to pool/main/n/newpki-client/newpki-client_2.0.0+rc1-4_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 513...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Pierre Chifflier <pol...@debian.org> (supplier of updated newpki-client package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 02 Feb 2009 12:59:08 +0100
Source: newpki-client
Binary: newpki-client
Architecture: source amd64
Version: 2.0.0+rc1-4
Distribution: unstable
Urgency: low
Maintainer: Pierre Chifflier <pol...@debian.org>
Changed-By: Pierre Chifflier <pol...@debian.org>
Description: 
 newpki-client - PKI based on the OpenSSL low-level API (client package)
Closes: 513514
Changes: 
 newpki-client (2.0.0+rc1-4) unstable; urgency=low
 .
   * Check LOG_ENTRY_verify return value (Closes: #513514)
Checksums-Sha1: 
 3a54653e8aa7a5997bbb458ac4e2a7bda9b8cd1d 1134 newpki-client_2.0.0+rc1-4.dsc
 09b14537bea5eaff93cb366632cb0034ac428d9d 116404 newpki-client_2.0.0+rc1-4.diff.gz
 80fd8e604adac335514bd88c3a95734ef7a3fbff 548546 newpki-client_2.0.0+rc1-4_amd64.deb
Checksums-Sha256: 
 3a4d75b6e3d4b2c240d1ceffb182f05a79616f6ea674f5b1710716a48963062f 1134 newpki-client_2.0.0+rc1-4.dsc
 32a7960e72958ce4f59a4b1aa6acb5356cb77c9c48cbd6f2a57292136714f55b 116404 newpki-client_2.0.0+rc1-4.diff.gz
 4b1ca8df127252b4a74e713e8f3af5549689bad2e0f47103cb30b2f89a1be137 548546 newpki-client_2.0.0+rc1-4_amd64.deb
Files: 
 779e51b5169ed43abc41ff67bdfa41bd 1134 net optional newpki-client_2.0.0+rc1-4.dsc
 8d58fb27f6116a64bd47dde633a45498 116404 net optional newpki-client_2.0.0+rc1-4.diff.gz
 94331896cb356873502a8655db3c0423 548546 net optional newpki-client_2.0.0+rc1-4_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFJhuPatwVrWo1fQMsRAhmNAJ9UEwdhVFRHXw3UD7imIMlRjejGTgCghxzL
IQ7wEWKkohmFaDtm6VF4m38=
=g/G5
-----END PGP SIGNATURE-----



--- End Message ---