Thanks for your report; I forwarded it to upstream.

Regards
-- 
Gennaro Oliva
On Sun, Jan 11, 2009 at 07:59:45PM +0100, Kurt Roeckx wrote:
> Package: slurm-llnl
> Severity: serious
> Tags: security
>
> Hi,
>
> I've been checking packages to see if they properly check the return
> value of some of the functions in openssl. In
> src/plugins/crypto/openssl/crypto_openssl.c there is this piece of code:
>
>     rc = EVP_VerifyFinal(&ectx, (unsigned char *) signature,
>                          sig_size, (EVP_PKEY *) key);
>     if (!rc)
>         rc = SLURM_ERROR;
>     else
>         rc = SLURM_SUCCESS;
>
> But EVP_VerifyFinal() can also return -1 on errors. A good way to check
> the value would be something like:
>
>     if (rc <= 0)
>
> I have no idea if this code is being used and what the consequences
> of this might be.
>
>
> Kurt
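To make the consequence of the reported check concrete, here is an added example (not code from the bug report or from SLURM) that models EVP_VerifyFinal()'s three-valued contract with a constructed stand-in verifier and runs the reported check and the suggested fix side by side. The SLURM_SUCCESS/SLURM_ERROR values, the toy verifier and the sample signatures are assumptions for this example.

```c
#include <stdio.h>
#include <string.h>

/* Assumed for this example; SLURM's actual definitions are not on the page. */
#define SLURM_SUCCESS 0
#define SLURM_ERROR  -1

/* Stand-in for EVP_VerifyFinal(), keeping its tri-state contract:
 * 1 = signature verified, 0 = signature does not match, -1 = error
 * (for example malformed input). Constructed toy, not OpenSSL: it
 * "verifies" by plain byte comparison. */
#define SIG_LEN 4
static int toy_verify_final(const unsigned char *expected, const unsigned char *signature, unsigned int sig_size)
{
    if (signature == NULL || sig_size != SIG_LEN)
        return -1;                       /* error path, like OpenSSL's -1 */
    return memcmp(expected, signature, SIG_LEN) == 0 ? 1 : 0;
}

/* The check as quoted in the report: only rc == 0 counts as failure. */
static int verify_as_reported(const unsigned char *expected, const unsigned char *sig, unsigned int sig_size)
{
    int rc = toy_verify_final(expected, sig, sig_size);
    if (!rc)
        rc = SLURM_ERROR;
    else
        rc = SLURM_SUCCESS;              /* rc == -1 also lands here */
    return rc;
}

/* The fix the report suggests: anything other than 1 is a failure. */
static int verify_fixed(const unsigned char *expected, const unsigned char *sig, unsigned int sig_size)
{
    int rc = toy_verify_final(expected, sig, sig_size);
    return (rc <= 0) ? SLURM_ERROR : SLURM_SUCCESS;
}

/* Constructed sample signatures. */
static const unsigned char kGoodSig[SIG_LEN] = {1, 2, 3, 4};
static const unsigned char kBadSig[SIG_LEN]  = {9, 9, 9, 9};

int main(void)
{
    printf("good sig:      reported=%d fixed=%d\n", verify_as_reported(kGoodSig, kGoodSig, SIG_LEN), verify_fixed(kGoodSig, kGoodSig, SIG_LEN));
    printf("wrong sig:     reported=%d fixed=%d\n", verify_as_reported(kGoodSig, kBadSig, SIG_LEN), verify_fixed(kGoodSig, kBadSig, SIG_LEN));
    /* Malformed (wrong length) signature: the verifier returns -1, and the
     * reported check maps that to SLURM_SUCCESS; the fix maps it to SLURM_ERROR. */
    printf("malformed sig: reported=%d fixed=%d\n", verify_as_reported(kGoodSig, kBadSig, 3), verify_fixed(kGoodSig, kBadSig, 3));
    return 0;
}
```

The third line of output is the security-relevant one: an error return from the verifier is reported as a successful verification by the original check.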