Your message dated Fri, 04 Sep 2009 18:32:47 +0000
with message-id <e1mjdaz-0006gr...@ries.debian.org>
and subject line Bug#513528: fixed in ruby1.8 1.8.7.72-3lenny1
has caused the Debian Bug report #513528,
regarding ruby1.9: Not properly checking the return value of OCSP_basic_verify
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
513528: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=513528
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: ruby1.9
Severity: serious
Tags: security
Hi,
I was looking at return codes for applications making use of
openssl functions and found this in ext/openssl/ossl_ocsp.c:
result = OCSP_basic_verify(bs, x509s, x509st, flg);  /* 1 = ok, 0 = failed, -1 = error */
sk_X509_pop_free(x509s, X509_free);
if(!result) rb_warn("%s", ERR_error_string(ERR_peek_error(), NULL));
return result ? Qtrue : Qfalse;  /* -1 is non-zero, so an error becomes Qtrue */
OCSP_basic_verify() can return both 0 and -1 in error cases,
so this function can incorrectly return information to the
caller.
I have no idea what this code is used for or what the consequences
of this might be.
Kurt
--- End Message ---
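The return-value mismatch Kurt describes, as an added stand-alone example (not code from the report or from ruby1.8). It uses a stub with the same return convention the report attributes to OCSP_basic_verify() (1 verified, 0 failed, -1 error) so it runs without OpenSSL, and plain ints in place of Qtrue/Qfalse; the vulnerable mapping is shown beside the corrected one.

```c
#include <stdio.h>

/* Stand-ins for Ruby's Qtrue/Qfalse so the example compiles without ruby.h. */
#define QTRUE  1
#define QFALSE 0

/* Constructed stub: returns the outcome it is given, mirroring the three
 * results the report says OCSP_basic_verify() can produce. Not OpenSSL code. */
static int stub_ocsp_basic_verify(int outcome) { return outcome; }

/* Mapping as in the reported ossl_ocsp.c: any non-zero result counts as
 * success, so the -1 error case is reported to the caller as verified. */
int vulnerable_verify(int outcome) {
    int result = stub_ocsp_basic_verify(outcome);
    return result ? QTRUE : QFALSE;
}

/* Corrected mapping: only a strictly positive result means the OCSP
 * response signature actually verified; 0 and -1 both map to false. */
int fixed_verify(int outcome) {
    int result = stub_ocsp_basic_verify(outcome);
    return result > 0 ? QTRUE : QFALSE;
}

/* Counts outcomes on which the two mappings disagree (expected: exactly
 * one, the -1 error case). Handy as a regression check. */
int count_disagreements(void) {
    int outcomes[] = { 1, 0, -1 };
    int n = 0;
    for (int i = 0; i < 3; i++)
        if (vulnerable_verify(outcomes[i]) != fixed_verify(outcomes[i]))
            n++;
    return n;
}

int main(void) {
    int outcomes[] = { 1, 0, -1 };
    for (int i = 0; i < 3; i++)
        printf("verify returned %2d: vulnerable=%d fixed=%d\n", outcomes[i],
               vulnerable_verify(outcomes[i]), fixed_verify(outcomes[i]));
    return 0;
}
```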
--- Begin Message ---
Source: ruby1.8
Source-Version: 1.8.7.72-3lenny1
We believe that the bug you reported is fixed in the latest version of
ruby1.8, which is due to be installed in the Debian FTP archive:
irb1.8_1.8.7.72-3lenny1_all.deb
to pool/main/r/ruby1.8/irb1.8_1.8.7.72-3lenny1_all.deb
libdbm-ruby1.8_1.8.7.72-3lenny1_i386.deb
to pool/main/r/ruby1.8/libdbm-ruby1.8_1.8.7.72-3lenny1_i386.deb
libgdbm-ruby1.8_1.8.7.72-3lenny1_i386.deb
to pool/main/r/ruby1.8/libgdbm-ruby1.8_1.8.7.72-3lenny1_i386.deb
libopenssl-ruby1.8_1.8.7.72-3lenny1_i386.deb
to pool/main/r/ruby1.8/libopenssl-ruby1.8_1.8.7.72-3lenny1_i386.deb
libreadline-ruby1.8_1.8.7.72-3lenny1_i386.deb
to pool/main/r/ruby1.8/libreadline-ruby1.8_1.8.7.72-3lenny1_i386.deb
libruby1.8-dbg_1.8.7.72-3lenny1_i386.deb
to pool/main/r/ruby1.8/libruby1.8-dbg_1.8.7.72-3lenny1_i386.deb
libruby1.8_1.8.7.72-3lenny1_i386.deb
to pool/main/r/ruby1.8/libruby1.8_1.8.7.72-3lenny1_i386.deb
libtcltk-ruby1.8_1.8.7.72-3lenny1_i386.deb
to pool/main/r/ruby1.8/libtcltk-ruby1.8_1.8.7.72-3lenny1_i386.deb
rdoc1.8_1.8.7.72-3lenny1_all.deb
to pool/main/r/ruby1.8/rdoc1.8_1.8.7.72-3lenny1_all.deb
ri1.8_1.8.7.72-3lenny1_all.deb
to pool/main/r/ruby1.8/ri1.8_1.8.7.72-3lenny1_all.deb
ruby1.8-dev_1.8.7.72-3lenny1_i386.deb
to pool/main/r/ruby1.8/ruby1.8-dev_1.8.7.72-3lenny1_i386.deb
ruby1.8-elisp_1.8.7.72-3lenny1_all.deb
to pool/main/r/ruby1.8/ruby1.8-elisp_1.8.7.72-3lenny1_all.deb
ruby1.8-examples_1.8.7.72-3lenny1_all.deb
to pool/main/r/ruby1.8/ruby1.8-examples_1.8.7.72-3lenny1_all.deb
ruby1.8_1.8.7.72-3lenny1.diff.gz
to pool/main/r/ruby1.8/ruby1.8_1.8.7.72-3lenny1.diff.gz
ruby1.8_1.8.7.72-3lenny1.dsc
to pool/main/r/ruby1.8/ruby1.8_1.8.7.72-3lenny1.dsc
ruby1.8_1.8.7.72-3lenny1_i386.deb
to pool/main/r/ruby1.8/ruby1.8_1.8.7.72-3lenny1_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 513...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
akira yamada <ak...@debian.org> (supplier of updated ruby1.8 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
Format: 1.8
Date: Fri, 10 Jul 2009 17:17:38 +0900
Source: ruby1.8
Binary: ruby1.8 libruby1.8 libruby1.8-dbg ruby1.8-dev libdbm-ruby1.8
libgdbm-ruby1.8 libreadline-ruby1.8 libtcltk-ruby1.8 libopenssl-ruby1.8
ruby1.8-examples ruby1.8-elisp ri1.8 rdoc1.8 irb1.8
Architecture: source all i386
Version: 1.8.7.72-3lenny1
Distribution: stable-security
Urgency: high
Maintainer: akira yamada <ak...@debian.org>
Changed-By: akira yamada <ak...@debian.org>
Description:
irb1.8 - Interactive Ruby (for Ruby 1.8)
libdbm-ruby1.8 - DBM interface for Ruby 1.8
libgdbm-ruby1.8 - GDBM interface for Ruby 1.8
libopenssl-ruby1.8 - OpenSSL interface for Ruby 1.8
libreadline-ruby1.8 - Readline interface for Ruby 1.8
libruby1.8 - Libraries necessary to run Ruby 1.8
libruby1.8-dbg - Debugging symbols for Ruby 1.8
libtcltk-ruby1.8 - Tcl/Tk interface for Ruby 1.8
rdoc1.8 - Generate documentation from Ruby source files (for Ruby 1.8)
ri1.8 - Ruby Interactive reference (for Ruby 1.8)
ruby1.8 - Interpreter of object-oriented scripting language Ruby 1.8
ruby1.8-dev - Header files for compiling extension modules for the Ruby 1.8
ruby1.8-elisp - ruby-mode for Emacsen
ruby1.8-examples - Examples for Ruby 1.8
Closes: 513528 532689
Changes:
ruby1.8 (1.8.7.72-3lenny1) stable-security; urgency=high
.
* added patch: 932_CVE-2009-1904 (closes: #532689)
It fixes BigDecimal DoS vulnerability (CVE-2009-1904). (backported from
1.8.7-p172 and 1.8.7-p174)
* Add upstream patch to properly check return values of the
OCSP_basic_verify function (CVE-2009-0642; Closes: #513528)
Checksums-Sha1:
Checksums-Sha256:
Files:
--- End Message ---