On Sun, Jan 11, 2009 at 08:17:24PM +0100, Kurt Roeckx wrote:
> Package: m2crypto
> Severity: important
> Tags: security
>
> Hi,
>
> I've been checking packages to see if they properly check the return
> value of some of the functions in openssl. Your package seems to
> be calling a few of them:
>
> In SWIG/_evp.i, in verify_final() there is a call to EVP_VerifyFinal
> and it just returns that. M2Crypto/EVP.py seems to document that
> as only returning 0 for failure, but it can also return -1 on failure.
>
> There are also calls to DSA_verify(), ECDSA_verify(), DSA_do_verify()
> and ECDSA_do_verify() that seem to think that -1 means error,
> and then return the return code. But 0 is also an error case.
>
> For all the functions mentioned, 0 and -1 are errors, 1 means success.
>
> I have no idea how this is being used. I think this is being used
> by other packages in Debian (dtc-xen, python-pyxmpp) that might
> need to be checked instead.
There might be similar problems with calls like X509_REQ_verify and X509_verify.

Kurt
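To make the return-code problem in the report concrete, here is an added Python example (not M2Crypto's own code): a constructed stand-in for the C-level verify call returns OpenSSL's three codes, the first wrapper hands the raw integer back to Python the way the report describes, and the second maps each code explicitly. The stand-in function, the constructed signature labels and the `VerifyError` class are assumptions for the demonstration.

```python
# Constructed demonstration of the OpenSSL verify return-code handling issue.
# EVP_VerifyFinal, DSA_verify, ECDSA_verify, DSA_do_verify and ECDSA_do_verify
# return 1 for a good signature, 0 for a bad signature and -1 on internal error.
OPENSSL_OK, OPENSSL_BAD_SIG, OPENSSL_ERROR = 1, 0, -1


class VerifyError(Exception):
    """Raised when the underlying library reports an error (-1), not a verdict."""


def fake_evp_verify_final(signature: bytes) -> int:
    """Stand-in for the SWIG call into EVP_VerifyFinal (constructed, not real).
    The labels below are made-up inputs chosen to exercise each return code."""
    table = {
        b"good-signature": OPENSSL_OK,
        b"forged-signature": OPENSSL_BAD_SIG,
        b"library-error": OPENSSL_ERROR,
    }
    return table.get(signature, OPENSSL_BAD_SIG)


def verify_raw_passthrough(signature: bytes) -> bool:
    """The pattern the report criticises: the C return value is returned as-is
    and the caller tests it for truthiness. -1 is truthy, so an internal
    error is reported as a valid signature."""
    return bool(fake_evp_verify_final(signature))


def verify_only_minus_one_is_error(signature: bytes) -> int:
    """The DSA_verify-style pattern: only -1 raises, 0 and 1 are handed back
    unchanged, leaving the caller to remember that 0 means 'bad signature'."""
    rc = fake_evp_verify_final(signature)
    if rc == OPENSSL_ERROR:
        raise VerifyError("OpenSSL verify returned -1")
    return rc


def verify_checked(signature: bytes) -> bool:
    """Corrected handling: exactly 1 is success, 0 is a bad signature,
    anything else (-1) is an error that must not look like either verdict."""
    rc = fake_evp_verify_final(signature)
    if rc == OPENSSL_OK:
        return True
    if rc == OPENSSL_BAD_SIG:
        return False
    raise VerifyError(f"OpenSSL verify returned {rc}")


def outcome(signature: bytes) -> str:
    """Classify the corrected verifier's result as a string for easy comparison."""
    try:
        return "valid" if verify_checked(signature) else "invalid"
    except VerifyError:
        return "error"
```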