Your message dated Fri, 30 Jan 2009 10:17:05 +0000
with message-id <[email protected]>
and subject line Bug#513540: fixed in newpki-lib 2.0.0+rc1-4
has caused the Debian Bug report #513540,
regarding newpki-lib: Does not properly check the result of X509_REQ_verify()
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
513540: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=513540
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: newpki-lib
Severity: serious
Tags: security

Hi,

I was looking at return codes for applications making use of
openssl functions and found this in src/PKI_CSR.cpp:

        if(X509_REQ_verify(m_csr, m_pubKeyCsr) < 0)
        {
                NEWPKIerr(CRYPTO_ERROR_TXT, ERROR_ABORT);
                return false;
        }
        else
        {
                return true;
        }

X509_REQ_verify() returns the value of ASN1_item_verify()
which returns 0 if the verification is 0, and -1 in some
error cases.

You probably want to use this instead:
        if(X509_REQ_verify(m_csr, m_pubKeyCsr) <= 0)


Kurt






--- End Message ---
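The effect of the two comparisons, as an added example that is not part of the original report or of newpki-lib. It assumes a toy verifier (`toy_verify`, `struct toy_req` and the keyed checksum are hypothetical stand-ins, not OpenSSL code) that follows the same return convention as X509_REQ_verify(): 1 for a valid signature, 0 for a mismatch, -1 for an error.

```c
/* Added example: toy model, not OpenSSL or newpki-lib code. */
#include <stddef.h>
#include <stdio.h>

struct toy_req {            /* hypothetical stand-in for a CSR */
    const char *body;       /* the signed content */
    unsigned    sig;        /* toy "signature" over body */
    int         alg_known;  /* 0 models an unsupported algorithm */
};

/* Toy keyed checksum standing in for a real signature scheme. */
static unsigned toy_sum(const char *s, unsigned key)
{
    unsigned h = key;
    while (*s) h = h * 31u + (unsigned char)*s++;
    return h;
}

/* Returns 1 = signature valid, 0 = signature mismatch, -1 = error. */
int toy_verify(const struct toy_req *r, unsigned key)
{
    if (r == NULL || r->body == NULL || !r->alg_known) return -1;
    return toy_sum(r->body, key) == r->sig ? 1 : 0;
}

/* Comparison quoted from src/PKI_CSR.cpp: only negative results fail. */
int accept_buggy(const struct toy_req *r, unsigned key)
{
    return toy_verify(r, key) < 0 ? 0 : 1;
}

/* Comparison suggested in the report: 0 and negative results both fail. */
int accept_fixed(const struct toy_req *r, unsigned key)
{
    return toy_verify(r, key) <= 0 ? 0 : 1;
}

int main(void)
{
    const unsigned key = 0x5eedu;                 /* constructed sample data */
    struct toy_req good = { "CN=host-a", 0, 1 };
    good.sig = toy_sum(good.body, key);
    struct toy_req tampered = { "CN=host-b", good.sig, 1 };  /* body changed */
    struct toy_req broken   = { "CN=host-a", good.sig, 0 };  /* unknown algorithm */
    const struct toy_req *t[] = { &good, &tampered, &broken };
    for (int i = 0; i < 3; i++)
        printf("verify=%2d  '< 0' accepts=%d  '<= 0' accepts=%d\n",
               toy_verify(t[i], key), accept_buggy(t[i], key), accept_fixed(t[i], key));
    return 0;
}
```

The middle row is the case the report is about: the verifier returns 0 for the altered request, the `< 0` comparison lets it through, and the `<= 0` comparison rejects it.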
--- Begin Message ---
Source: newpki-lib
Source-Version: 2.0.0+rc1-4

We believe that the bug you reported is fixed in the latest version of
newpki-lib, which is due to be installed in the Debian FTP archive:

libnewpki-dev_2.0.0+rc1-4_amd64.deb
  to pool/main/n/newpki-lib/libnewpki-dev_2.0.0+rc1-4_amd64.deb
libnewpki2_2.0.0+rc1-4_amd64.deb
  to pool/main/n/newpki-lib/libnewpki2_2.0.0+rc1-4_amd64.deb
newpki-lib_2.0.0+rc1-4.diff.gz
  to pool/main/n/newpki-lib/newpki-lib_2.0.0+rc1-4.diff.gz
newpki-lib_2.0.0+rc1-4.dsc
  to pool/main/n/newpki-lib/newpki-lib_2.0.0+rc1-4.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Pierre Chifflier <[email protected]> (supplier of updated newpki-lib package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 30 Jan 2009 10:44:19 +0100
Source: newpki-lib
Binary: libnewpki2 libnewpki-dev
Architecture: source amd64
Version: 2.0.0+rc1-4
Distribution: unstable
Urgency: low
Maintainer: Pierre Chifflier <[email protected]>
Changed-By: Pierre Chifflier <[email protected]>
Description: 
 libnewpki-dev - Development files for newpki
 libnewpki2 - PKI based on the OpenSSL low-level API (core library)
Closes: 513540
Changes: 
 newpki-lib (2.0.0+rc1-4) unstable; urgency=low
 .
   * Properly check result of X509_REQ_verify (Closes: #513540)
   * Update my email address
   * Bump standards version
   * Fix a few lintian warnings (homepage, subst vars)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFJgtJFtwVrWo1fQMsRAnYDAJ45Eh2gdvSehR6dUqmIWXVR6FlstQCg6azK
91BclxNcC6JUxY9/LP+RfYU=
=Aj2a
-----END PGP SIGNATURE-----



--- End Message ---
