Package: ruby1.9
Severity: serious
Tags: security
Hi,
I was looking at return codes for applications making use of
openssl functions and found this in ext/openssl/ossl_ocsp.c:
result = OCSP_basic_verify(bs, x509s, x509st, flg);
sk_X509_pop_free(x509s, X509_free);
if(!result) rb_warn("%s", ERR_error_string(ERR_peek_error(), NULL));
return result ? Qtrue : Qfalse;
OCSP_basic_verify() can return both 0 and -1 in error cases,
so this function can incorrectly return information to the
caller.
I have no idea what this code is used for and what the consequences
of this might be.
Kurt
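A compact model of the return-code mapping the report describes, added here as an example (it is not code from the report or from Ruby's ossl_ocsp.c). OCSP_basic_verify() is replaced by its three documented return values, and the wrapper names ossl_ocsp_verify_buggy/_fixed and the outcome struct are assumptions made for this illustration:

```c
#include <stdio.h>

/* Constructed stand-in for OpenSSL's OCSP_basic_verify() return codes:
 * 1 = response verified, 0 = verification failed, -1 = could not verify
 * (internal error). No OpenSSL call is made in this example. */
enum { OCSP_OK = 1, OCSP_VERIFY_FAILED = 0, OCSP_ERROR = -1 };

/* What the Ruby caller observes: the boolean it gets back (Qtrue/Qfalse
 * modelled as 1/0) and whether rb_warn() would have fired. */
struct outcome { int verified; int warned; };

/* Mirrors the reported ossl_ocsp.c logic: "!result" only catches 0, so a
 * -1 error skips the warning AND is mapped to Qtrue by "result ? Qtrue". */
struct outcome ossl_ocsp_verify_buggy(int result)
{
    struct outcome o = { 0, 0 };
    if (!result) o.warned = 1;          /* -1 is non-zero: no warning */
    o.verified = result ? 1 : 0;        /* -1 is non-zero: reported as true */
    return o;
}

/* Hardened mapping: only the documented success code (1) is success; both
 * 0 (failed) and negative (error) are surfaced to the caller as false. */
struct outcome ossl_ocsp_verify_fixed(int result)
{
    struct outcome o = { 0, 0 };
    if (result <= 0) o.warned = 1;      /* warn on failure and on error */
    o.verified = (result == 1) ? 1 : 0;
    return o;
}

int main(void)
{
    const int codes[] = { OCSP_OK, OCSP_VERIFY_FAILED, OCSP_ERROR };
    for (size_t i = 0; i < sizeof codes / sizeof codes[0]; i++) {
        struct outcome b = ossl_ocsp_verify_buggy(codes[i]);
        struct outcome f = ossl_ocsp_verify_fixed(codes[i]);
        printf("OCSP_basic_verify=%2d  buggy: verified=%d warned=%d"
               "  fixed: verified=%d warned=%d\n",
               codes[i], b.verified, b.warned, f.verified, f.warned);
    }
    return 0;
}
```

The -1 row is the one that matters: the buggy mapping reports an unverified response as verified without even logging a warning, while the fixed mapping treats it like any other failure.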