Your message dated Mon, 02 Feb 2009 10:17:10 +0000
with message-id <e1ltvra-0006ch...@ries.debian.org>
and subject line Bug#513515: fixed in newpki-server 2.0.0+rc1-11
has caused the Debian Bug report #513515,
regarding newpki-server: Does not properly check the LOG_ENTRY_verify return value.
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
513515: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=513515
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: newpki-server
Severity: serious
Tags: security

Hi,

I was looking at return codes for applications making use of
openssl functions and found this:
src/EntityLog.cpp:   if(!LOG_ENTRY_verify(log, (EVP_PKEY *)m_CaCert.GetPublicKey()))

LOG_ENTRY_verify() is a function from libnewpki that does:
#define LOG_ENTRY_verify(x,pkey) \
        ASN1_item_verify(LogEntryBody::get_ASN1_ITEM(), x->sig->sig_alg, x->sig->signature, (char *)x->body, pkey)

ASN1_item_verify() can return -1 in case the message digest type is
not known or there is an out of memory condition.

I have no idea if this can be a problem and what the security
implications are.

If the attacker cannot specify the certificate that is being
used there probably isn't any serious problem.


Kurt




--- End Message ---
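The return-value issue Kurt describes, as an added example that is not code from newpki or OpenSSL: a stand-in function with ASN1_item_verify()'s 1/0/-1 contract, the original `!LOG_ENTRY_verify(...)` style check beside one that accepts only an explicit 1. The digest identifiers, bodies and "signatures" are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed identifiers for the example; real code uses OpenSSL NIDs. */
enum { DIGEST_SHA1 = 1, DIGEST_UNKNOWN = 99 };

/*
 * Stand-in for ASN1_item_verify() with the same tri-state contract:
 *   1  signature verifies
 *   0  signature does not verify
 *  -1  verification could not be performed (unknown digest, out of memory)
 * Simulation only: a "signature" here is just a copy of the body.
 */
static int asn1_item_verify_sim(int digest_nid, const char *body, const char *sig)
{
    if (digest_nid != DIGEST_SHA1)
        return -1;                      /* unknown message digest algorithm */
    return strcmp(body, sig) == 0 ? 1 : 0;
}

/* The check as reported: `if (!LOG_ENTRY_verify(...))` only rejects on 0,
 * so the -1 error path falls through and the entry is accepted. */
int entry_accepted_buggy(int digest_nid, const char *body, const char *sig)
{
    if (!asn1_item_verify_sim(digest_nid, body, sig))
        return 0;                       /* rejected */
    return 1;                           /* accepted */
}

/* Hardened check: only an explicit 1 is a verified signature. */
int entry_accepted_fixed(int digest_nid, const char *body, const char *sig)
{
    return asn1_item_verify_sim(digest_nid, body, sig) == 1;
}

int main(void)
{
    /* Constructed inputs: good entry, tampered entry, entry with unknown digest. */
    printf("good      buggy=%d fixed=%d\n",
           entry_accepted_buggy(DIGEST_SHA1, "entry", "entry"),
           entry_accepted_fixed(DIGEST_SHA1, "entry", "entry"));
    printf("tampered  buggy=%d fixed=%d\n",
           entry_accepted_buggy(DIGEST_SHA1, "entry", "entry-tampered"),
           entry_accepted_fixed(DIGEST_SHA1, "entry", "entry-tampered"));
    printf("unknown   buggy=%d fixed=%d\n",
           entry_accepted_buggy(DIGEST_UNKNOWN, "entry", "garbage"),
           entry_accepted_fixed(DIGEST_UNKNOWN, "entry", "garbage"));
    return 0;
}
```

The third line of output is the reported defect: the buggy check accepts an entry whose signature was never verified, while the fixed check rejects it.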
--- Begin Message ---
Source: newpki-server
Source-Version: 2.0.0+rc1-11

We believe that the bug you reported is fixed in the latest version of
newpki-server, which is due to be installed in the Debian FTP archive:

newpki-server_2.0.0+rc1-11.diff.gz
  to pool/main/n/newpki-server/newpki-server_2.0.0+rc1-11.diff.gz
newpki-server_2.0.0+rc1-11.dsc
  to pool/main/n/newpki-server/newpki-server_2.0.0+rc1-11.dsc
newpki-server_2.0.0+rc1-11_amd64.deb
  to pool/main/n/newpki-server/newpki-server_2.0.0+rc1-11_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 513...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Pierre Chifflier <pol...@debian.org> (supplier of updated newpki-server package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)



Format: 1.8
Date: Mon, 02 Feb 2009 10:44:38 +0100
Source: newpki-server
Binary: newpki-server
Architecture: source amd64
Version: 2.0.0+rc1-11
Distribution: unstable
Urgency: low
Maintainer: Pierre Chifflier <pol...@debian.org>
Changed-By: Pierre Chifflier <pol...@debian.org>
Description: 
 newpki-server - PKI based on the OpenSSL low-level API (server package)
Closes: 513515
Changes: 
 newpki-server (2.0.0+rc1-11) unstable; urgency=low
 .
   * Add patch 20_check_log_entry_verify_return to verify
     LOG_ENTRY_verify return (Closes: #513515)




--- End Message ---