Hello, Moritz Muehlenhoff wrote:
> Package: lasso
> Severity: grave
> Tags: security
> Justification: user security hole
>
> Please see the following references for lasso and the recent
> OpenSSL issue:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0050
> http://www.ocert.org/advisories/ocert-2008-016.html

I uploaded 2.2.1-2 to unstable; I also applied the fix to 0.6.5 (etch), but I don't have resources to build it; it is available here:
http://people.debian.org/~fpeters/lasso_0.6.5-3.etch.1.diff.gz

Interdiff is attached.

Thanks,
Frederic
diff -u lasso-0.6.5/debian/changelog lasso-0.6.5/debian/changelog --- lasso-0.6.5/debian/changelog +++ lasso-0.6.5/debian/changelog @@ -1,3 +1,10 @@ +lasso (0.6.5-3.etch.1) stable-security; urgency=high + + * Backported security fixes from 2.2.2 + * Correctly check for signature validity (CVE-2009-0050) (Closes: #511262) + + -- Frederic Peters <[email protected]> Fri, 09 Jan 2009 11:52:20 +0100 + lasso (0.6.5-3) unstable; urgency=low * Converted to new Python policy (merged from unreported Ubuntu patch) only in patch2: unchanged: --- lasso-0.6.5.orig/lasso/xml/tools.c +++ lasso-0.6.5/lasso/xml/tools.c @@ -501,7 +501,7 @@ status = DSA_verify(NID_sha1, (unsigned char*)digest, 20, signature, key_size, dsa); } - if (status == 0) { + if (status != 1) { ret = LASSO_DS_ERROR_INVALID_SIGNATURE; }
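Review bot: the changelog entry says "Backported security fixes from 2.2.2" in the plural, but it lists a single fix and the interdiff changes one condition; either drop the plural or name the other backported changes. The covering mail gives the unstable upload as 2.2.1-2, so spell out whether 2.2.2 is the upstream release that carries the fix, to avoid the two version numbers being read as the same thing.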
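Review bot: `status != 1` is the right test in the tools.c hunk, because DSA_verify() and RSA_verify() return 1 for a valid signature, 0 for an invalid one and -1 on error (for instance when the DER-encoded signature does not parse), and the old `status == 0` test let the -1 case fall through as a verified signature. Two things to confirm in the surrounding code the hunk does not show: the DSA_verify() call sits inside a brace block, so any sibling branch that also sets `status` must use the same 1/0/-1 convention for the single check to cover it, and `status` should be initialised before either branch (a path that sets neither is now rejected, which is the safe direction). Mapping -1 onto LASSO_DS_ERROR_INVALID_SIGNATURE folds "could not verify" into "bad signature"; failing closed is correct here, but a distinct error code or a debug log line for the -1 case would make mis-encoded signatures easier to diagnose.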
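The return-value convention behind this fix, as an added Python model (not lasso's or OpenSSL's code): OpenSSL's DSA_verify() and RSA_verify() return 1 for a valid signature, 0 for an invalid one and -1 on error, for example when the DER-encoded signature does not parse. The dsa_verify() below reproduces that contract on a toy DSA (assumed: a ~60-bit safe prime found at import time, SHA-256 reduced mod q, a deterministic nonce, a constructed sample assertion string; none of it is secure) and runs a valid, a tampered and a malformed signature through both the old `status == 0` check and the patched `status != 1` check. Needs Python 3.8+ for the modular inverse `pow(s, -1, Q)`.

```python
"""Added model of the CVE-2009-0050 check (not lasso's or OpenSSL's code).
dsa_verify() mirrors OpenSSL's tri-state return: 1 valid, 0 invalid, -1 error.
The DSA parameters, hash reduction and nonce are toy assumptions, not secure."""
import hashlib


def _is_prime(n):
    # Deterministic Miller-Rabin; these bases are exact for every n < 2**64.
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _params():
    # First safe prime p = 2q + 1 above a fixed start, so every run agrees (assumed toy size).
    q = (1 << 59) | 1
    while not (_is_prime(q) and _is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4   # g = 4 is a square mod p, hence of order q


P, Q, G = _params()


def _h(msg):
    # Toy assumption: SHA-256 reduced mod q stands in for the DSA hash truncation.
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q


def _der_int(n):
    b = n.to_bytes((n.bit_length() + 8) // 8, "big")  # keeps a 0x00 pad when the top bit is set
    return b"\x02" + bytes([len(b)]) + b


def der_encode(r, s):
    """DSA-Sig-Value ::= SEQUENCE { r INTEGER, s INTEGER }, short-form lengths only."""
    body = _der_int(r) + _der_int(s)
    return b"\x30" + bytes([len(body)]) + body


def der_decode(sig):
    """Return (r, s), or None when the encoding is malformed (OpenSSL's -1 path)."""
    if len(sig) < 2 or sig[0] != 0x30 or sig[1] >= 0x80 or sig[1] != len(sig) - 2:
        return None
    body, ints = sig[2:], []
    for _ in range(2):
        if len(body) < 2 or body[0] != 0x02 or body[1] == 0 or body[1] >= 0x80:
            return None
        n = body[1]
        if len(body) < 2 + n:
            return None
        ints.append(int.from_bytes(body[2:2 + n], "big"))
        body = body[2 + n:]
    return (ints[0], ints[1]) if not body else None


def keygen(seed):
    x = int.from_bytes(hashlib.sha256(seed).digest(), "big") % (Q - 1) + 1
    return x, pow(G, x, P)


def sign(x, msg):
    # Deterministic nonce (toy assumption) so the demo is reproducible.
    k = int.from_bytes(hashlib.sha256(b"nonce" + msg).digest(), "big") % (Q - 1) + 1
    while True:
        r = pow(G, k, P) % Q
        s = pow(k, -1, Q) * (_h(msg) + x * r) % Q
        if r and s:
            return der_encode(r, s)
        k = k % (Q - 1) + 1


def dsa_verify(y, msg, sig):
    """Same contract as OpenSSL's DSA_verify(): 1 valid, 0 invalid, -1 error."""
    rs = der_decode(sig)
    if rs is None:
        return -1          # d2i_DSA_SIG() failure: an error, not a verdict
    r, s = rs
    if not (0 < r < Q and 0 < s < Q):
        return 0
    w = pow(s, -1, Q)
    v = pow(G, _h(msg) * w % Q, P) * pow(y, r * w % Q, P) % P % Q
    return 1 if v == r else 0


def accepts_vulnerable(status):
    # lasso 0.6.5 before the patch: only an explicit 0 set INVALID_SIGNATURE.
    return not (status == 0)


def accepts_fixed(status):
    # Patched check: anything but 1 is LASSO_DS_ERROR_INVALID_SIGNATURE.
    return not (status != 1)


def demo():
    """Run valid, tampered and malformed signatures through both checks."""
    x, y = keygen(b"constructed demo key")
    msg = b"<saml:Assertion>constructed sample</saml:Assertion>"   # constructed input
    sig = sign(x, msg)
    statuses = {
        "valid": dsa_verify(y, msg, sig),
        "tampered": dsa_verify(y, msg + b"!", sig),   # message altered after signing
        "malformed": dsa_verify(y, msg, sig[:-1]),    # truncated DER, cannot be parsed
    }
    return {k: (st, accepts_vulnerable(st), accepts_fixed(st)) for k, st in statuses.items()}


if __name__ == "__main__":
    for name, (status, vuln, fixed) in demo().items():
        print(f"{name:9s} status={status:2d}  '== 0' accepts: {vuln!s:5s}  '!= 1' accepts: {fixed}")
```

Running it shows the old check rejecting the tampered signature (status 0) but accepting the malformed one (status -1), while the patched check rejects both; the same reasoning applies to RSA_verify(), which shares the convention.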

