Your message dated Tue, 07 Apr 2009 15:34:30 +0000
with message-id <e1lrdjm-0001p0...@ries.debian.org>
and subject line Bug#513528: fixed in ruby1.9 1.9.0.2-9.1
has caused the Debian Bug report #513528,
regarding ruby1.9: Not properly checking the return value of OCSP_basic_verify
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
513528: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=513528
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: ruby1.9
Severity: serious
Tags: security

Hi,

I was looking at return codes for applications making use of
openssl functions and found this in ext/openssl/ossl_ocsp.c:

    result = OCSP_basic_verify(bs, x509s, x509st, flg);
    sk_X509_pop_free(x509s, X509_free);
    if(!result) rb_warn("%s", ERR_error_string(ERR_peek_error(), NULL));

    return result ? Qtrue : Qfalse;

OCSP_basic_verify() can return both 0 and -1 in error cases,
so this function can incorrectly return information to the
caller.

I have no idea what this code is used for and what the consequences
of this might be.


Kurt




--- End Message ---
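The defect Kurt describes is a return-code mapping problem: OpenSSL documents OCSP_basic_verify() as returning 1 on success, 0 when verification fails, and -1 on a fatal error, but `result ? Qtrue : Qfalse` turns the -1 case into "verified". The following added example (written for this page, not code from the bug report, from ruby1.9 or from OpenSSL) shows the quoted mapping beside a corrected one and a small classifier that keeps "rejected" and "could not check" distinguishable. It does not link against OpenSSL; it works on the raw integer codes, and the enum and function names are this example's own. The upstream patch itself is not reproduced on this page.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/*
 * OCSP_basic_verify() in OpenSSL uses a three-valued return code:
 *   1  -> the response signature verified against the trusted store
 *   0  -> verification failed (bad signature, untrusted signer, ...)
 *  -1  -> a fatal error (for example an allocation failure) stopped
 *         verification before any result was reached
 * Folding this into a C boolean with "rc ? true : false" treats -1 as
 * verified, which is the defect reported above.
 */

/* Names chosen for this example; not OpenSSL or Ruby identifiers. */
enum ocsp_verify_status {
    OCSP_VERIFY_OK,             /* rc == 1 */
    OCSP_VERIFY_REJECTED,       /* rc == 0 */
    OCSP_VERIFY_INTERNAL_ERROR, /* rc == -1 */
    OCSP_VERIFY_UNEXPECTED      /* any other value: treat as failure too */
};

/* Mapping as quoted from ext/openssl/ossl_ocsp.c: any non-zero rc is "true". */
bool verified_as_reported(int rc)
{
    return rc ? true : false;
}

/* Corrected mapping: only the documented success value means "verified". */
bool verified_fixed(int rc)
{
    return rc == 1;
}

/* Classify the raw return code so a caller can tell "rejected" apart from
 * "could not check", instead of collapsing both into one boolean. */
enum ocsp_verify_status classify_verify_rc(int rc)
{
    switch (rc) {
    case 1:  return OCSP_VERIFY_OK;
    case 0:  return OCSP_VERIFY_REJECTED;
    case -1: return OCSP_VERIFY_INTERNAL_ERROR;
    default: return OCSP_VERIFY_UNEXPECTED;
    }
}

/* Human-readable label for a log line on the failure path. */
const char *verify_status_name(enum ocsp_verify_status s)
{
    switch (s) {
    case OCSP_VERIFY_OK:             return "verified";
    case OCSP_VERIFY_REJECTED:       return "rejected";
    case OCSP_VERIFY_INTERNAL_ERROR: return "internal error";
    default:                         return "unexpected return code";
    }
}

/* Walk the three documented codes and count how often the reported mapping
 * disagrees with the corrected one (it disagrees exactly on -1). */
int count_mismatches(void)
{
    static const int codes[] = { 1, 0, -1 };
    int mismatches = 0;
    for (size_t i = 0; i < sizeof codes / sizeof codes[0]; i++) {
        if (verified_as_reported(codes[i]) != verified_fixed(codes[i]))
            mismatches++;
    }
    return mismatches;
}

int main(void)
{
    static const int codes[] = { 1, 0, -1 };
    for (size_t i = 0; i < sizeof codes / sizeof codes[0]; i++) {
        int rc = codes[i];
        printf("rc=%2d  reported-mapping=%-5s fixed-mapping=%-5s status=%s\n",
               rc,
               verified_as_reported(rc) ? "true" : "false",
               verified_fixed(rc) ? "true" : "false",
               verify_status_name(classify_verify_rc(rc)));
    }
    return 0;
}
```

The same pattern applies to any OpenSSL call that documents a negative code for internal errors: compare against the documented success value rather than testing for non-zero, and log the -1 case separately so an allocation or state-machine failure during verification is not silently recorded as a passed check.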
--- Begin Message ---
Source: ruby1.9
Source-Version: 1.9.0.2-9.1

We believe that the bug you reported is fixed in the latest version of
ruby1.9, which is due to be installed in the Debian FTP archive:

irb1.9_1.9.0.2-9.1_all.deb
  to pool/main/r/ruby1.9/irb1.9_1.9.0.2-9.1_all.deb
libdbm-ruby1.9_1.9.0.2-9.1_amd64.deb
  to pool/main/r/ruby1.9/libdbm-ruby1.9_1.9.0.2-9.1_amd64.deb
libgdbm-ruby1.9_1.9.0.2-9.1_amd64.deb
  to pool/main/r/ruby1.9/libgdbm-ruby1.9_1.9.0.2-9.1_amd64.deb
libopenssl-ruby1.9_1.9.0.2-9.1_amd64.deb
  to pool/main/r/ruby1.9/libopenssl-ruby1.9_1.9.0.2-9.1_amd64.deb
libreadline-ruby1.9_1.9.0.2-9.1_amd64.deb
  to pool/main/r/ruby1.9/libreadline-ruby1.9_1.9.0.2-9.1_amd64.deb
libruby1.9-dbg_1.9.0.2-9.1_amd64.deb
  to pool/main/r/ruby1.9/libruby1.9-dbg_1.9.0.2-9.1_amd64.deb
libruby1.9_1.9.0.2-9.1_amd64.deb
  to pool/main/r/ruby1.9/libruby1.9_1.9.0.2-9.1_amd64.deb
libtcltk-ruby1.9_1.9.0.2-9.1_amd64.deb
  to pool/main/r/ruby1.9/libtcltk-ruby1.9_1.9.0.2-9.1_amd64.deb
rdoc1.9_1.9.0.2-9.1_all.deb
  to pool/main/r/ruby1.9/rdoc1.9_1.9.0.2-9.1_all.deb
ri1.9_1.9.0.2-9.1_all.deb
  to pool/main/r/ruby1.9/ri1.9_1.9.0.2-9.1_all.deb
ruby1.9-dev_1.9.0.2-9.1_amd64.deb
  to pool/main/r/ruby1.9/ruby1.9-dev_1.9.0.2-9.1_amd64.deb
ruby1.9-elisp_1.9.0.2-9.1_all.deb
  to pool/main/r/ruby1.9/ruby1.9-elisp_1.9.0.2-9.1_all.deb
ruby1.9-examples_1.9.0.2-9.1_all.deb
  to pool/main/r/ruby1.9/ruby1.9-examples_1.9.0.2-9.1_all.deb
ruby1.9_1.9.0.2-9.1.diff.gz
  to pool/main/r/ruby1.9/ruby1.9_1.9.0.2-9.1.diff.gz
ruby1.9_1.9.0.2-9.1.dsc
  to pool/main/r/ruby1.9/ruby1.9_1.9.0.2-9.1.dsc
ruby1.9_1.9.0.2-9.1_amd64.deb
  to pool/main/r/ruby1.9/ruby1.9_1.9.0.2-9.1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 513...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <n...@debian.org> (supplier of updated ruby1.9 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 06 Apr 2009 18:43:32 +0200
Source: ruby1.9
Binary: ruby1.9 libruby1.9 libruby1.9-dbg ruby1.9-dev libdbm-ruby1.9 
libgdbm-ruby1.9 libreadline-ruby1.9 libtcltk-ruby1.9 libopenssl-ruby1.9 
ruby1.9-examples ruby1.9-elisp ri1.9 rdoc1.9 irb1.9
Architecture: source all amd64
Version: 1.9.0.2-9.1
Distribution: unstable
Urgency: high
Maintainer: akira yamada <ak...@debian.org>
Changed-By: Nico Golde <n...@debian.org>
Description: 
 irb1.9     - Interactive Ruby (for Ruby 1.9)
 libdbm-ruby1.9 - DBM interface for Ruby 1.9
 libgdbm-ruby1.9 - GDBM interface for Ruby 1.9
 libopenssl-ruby1.9 - OpenSSL interface for Ruby 1.9
 libreadline-ruby1.9 - Readline interface for Ruby 1.9
 libruby1.9 - Libraries necessary to run Ruby 1.9
 libruby1.9-dbg - Debugging symbols for Ruby 1.9
 libtcltk-ruby1.9 - Tcl/Tk interface for Ruby 1.9
 rdoc1.9    - Generate documentation from Ruby source files (for Ruby 1.9)
 ri1.9      - Ruby Interactive reference (for Ruby 1.9)
 ruby1.9    - Interpreter of object-oriented scripting language Ruby 1.9
 ruby1.9-dev - Header files for compiling extension modules for the Ruby 1.9
 ruby1.9-elisp - ruby-mode for Emacsen
 ruby1.9-examples - Examples for Ruby 1.9
Closes: 513528
Changes: 
 ruby1.9 (1.9.0.2-9.1) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Add upstream patch to properly check return values of the
     OCSP_basic_verify function (CVE-2009-0642; Closes: #513528)
Checksums-Sha1: 
 cb1458b0b1f65bb54bede16fe726c466b401dd0f 1659 ruby1.9_1.9.0.2-9.1.dsc
 1d755c6a24a48cbc9503f7ce0b61e96f6d50347d 51422 ruby1.9_1.9.0.2-9.1.diff.gz
 13fdc497c7b636c5aca0589666f17476fba1e461 482604 ruby1.9-examples_1.9.0.2-9.1_all.deb
 4125897004597187e3c869c843bc5b39df79753b 448332 ruby1.9-elisp_1.9.0.2-9.1_all.deb
 158dc363f64d5de690cd59f8c9496fe90120aa12 1433074 ri1.9_1.9.0.2-9.1_all.deb
 cc6ea81b05abb9abad666f5049dc47bbb381b9ff 536538 rdoc1.9_1.9.0.2-9.1_all.deb
 202847b61144d3cb0922c7bed0fbb103e7220c50 474040 irb1.9_1.9.0.2-9.1_all.deb
 f8d7f572bcdd7235673c708ba138dd3c307eb787 453156 ruby1.9_1.9.0.2-9.1_amd64.deb
 222498875f83ba2e200652441051373eeb4c5b10 2698066 libruby1.9_1.9.0.2-9.1_amd64.deb
 72b2003927767c197201070800554fb3eeb5c8a3 2525162 libruby1.9-dbg_1.9.0.2-9.1_amd64.deb
 1d16bb33a60b0428e2d18dd1eae308d9c916d06b 1362138 ruby1.9-dev_1.9.0.2-9.1_amd64.deb
 6fccbbed1896eeee7dbebc650ec35f95e53701a4 436840 libdbm-ruby1.9_1.9.0.2-9.1_amd64.deb
 f945caf0ef2426ddfb1eecf737c38a05056ebebe 435914 libgdbm-ruby1.9_1.9.0.2-9.1_amd64.deb
 59d6e9c1ea8084751d4479e1f4d200f6685c17e3 435860 libreadline-ruby1.9_1.9.0.2-9.1_amd64.deb
 8c17a70a428f9cb42919f94ceb9287173544d94f 2188752 libtcltk-ruby1.9_1.9.0.2-9.1_amd64.deb
 75517c7f577ac10dbded38a9911135e37535e923 558954 libopenssl-ruby1.9_1.9.0.2-9.1_amd64.deb
Checksums-Sha256: 
 455e83d52f928646ac36ccf43d3c71882c192ecc6f6bd94418f87d85d8cae245 1659 ruby1.9_1.9.0.2-9.1.dsc
 bd6187327532bfa9232d12d7098901ee20da7dd5c19023996666146d3389f10c 51422 ruby1.9_1.9.0.2-9.1.diff.gz
 c51d5be61aa23e406cca94bdbfe570ea50b4f5382f13e16863d88efbb3529d58 482604 ruby1.9-examples_1.9.0.2-9.1_all.deb
 6a4ede704f155c70d5d9683fcbab7510f6c1178a3abb58729d67990963f6e337 448332 ruby1.9-elisp_1.9.0.2-9.1_all.deb
 555a6dc9a03a704dc74bc1deebe3ad3e35c8024e0721296dbe16c83ee9e5e9cc 1433074 ri1.9_1.9.0.2-9.1_all.deb
 a312330d0c01dbb3d1ecbdf11fab41934b044b9e0471e3f0e6efdcc02397dfab 536538 rdoc1.9_1.9.0.2-9.1_all.deb
 83ad11f43f2a91b5451475b66b8b6ce074678d9fb00bb06236aee559e56c09c8 474040 irb1.9_1.9.0.2-9.1_all.deb
 cf6186e845d69e9bf8cc3f4e8117a867cf7cd0d79ee8f8d06bfeb81414083a7d 453156 ruby1.9_1.9.0.2-9.1_amd64.deb
 a43d8808257a4033721a5b15a4c5afaa65a7cf5d89da29950f0f4925df979adc 2698066 libruby1.9_1.9.0.2-9.1_amd64.deb
 abe47dbcc3cb9b689eb20101c636ba13c229763c65ce34709255fca8c5f13d7a 2525162 libruby1.9-dbg_1.9.0.2-9.1_amd64.deb
 02d0053617001edfbbde0a33333324e879d61dd9afd9082f0848509e3a14fd2d 1362138 ruby1.9-dev_1.9.0.2-9.1_amd64.deb
 2f12b2561c2ee38ec1fdf377514c3f28f5d6e121e323039b12576cb27948819c 436840 libdbm-ruby1.9_1.9.0.2-9.1_amd64.deb
 154876fddcfb4cbbb40cd7170f250b01f5986fe826a960942275a2725e053e5b 435914 libgdbm-ruby1.9_1.9.0.2-9.1_amd64.deb
 5fa8bfe55db8eca38076914d33c253cf13c8c34c8baf88e245945e85edb6bcb6 435860 libreadline-ruby1.9_1.9.0.2-9.1_amd64.deb
 3ab2d8ac1d140e30a865761e765dadbe95ac9b70bf59ba42f3edc439473bab3f 2188752 libtcltk-ruby1.9_1.9.0.2-9.1_amd64.deb
 c10afc5cffc9aa21bde8210530f7d077467a15405f648cc27b644b085ce02c2c 558954 libopenssl-ruby1.9_1.9.0.2-9.1_amd64.deb
Files: 
 6a2c32f2e0b35b0b9a504aa5e0e094a0 1659 interpreters optional ruby1.9_1.9.0.2-9.1.dsc
 c9c771faa58ad5449ec9a553231f1804 51422 interpreters optional ruby1.9_1.9.0.2-9.1.diff.gz
 88dffc8ba82abde92ef5a9e0d45339c7 482604 interpreters optional ruby1.9-examples_1.9.0.2-9.1_all.deb
 e4ec9dca680d7186f280c2bace940efc 448332 interpreters optional ruby1.9-elisp_1.9.0.2-9.1_all.deb
 a9025466bc0d1a2b3290281ae632b7e1 1433074 interpreters optional ri1.9_1.9.0.2-9.1_all.deb
 ed6680363e1288fa4995accaea775492 536538 doc optional rdoc1.9_1.9.0.2-9.1_all.deb
 82c1d3c26464993aea93395f59e52b57 474040 interpreters optional irb1.9_1.9.0.2-9.1_all.deb
 80926214aa157e57e20c826ee3ce2a84 453156 interpreters optional ruby1.9_1.9.0.2-9.1_amd64.deb
 c670983c9e921bf827da3287fb7bc0e2 2698066 libs optional libruby1.9_1.9.0.2-9.1_amd64.deb
 cd428d1094479fb210212c6e6fa07ba1 2525162 libdevel extra libruby1.9-dbg_1.9.0.2-9.1_amd64.deb
 639235ceba0b740b2d938f44c8a9aa26 1362138 devel optional ruby1.9-dev_1.9.0.2-9.1_amd64.deb
 7b801e8155ba5904442a28745804265f 436840 interpreters optional libdbm-ruby1.9_1.9.0.2-9.1_amd64.deb
 c6a3fc844f09660fa83d44b169fb75cd 435914 interpreters optional libgdbm-ruby1.9_1.9.0.2-9.1_amd64.deb
 d6e1b73a9d483e06ed77c819c9b69ba4 435860 interpreters optional libreadline-ruby1.9_1.9.0.2-9.1_amd64.deb
 5186b0c16d9b20912229e66f2254ced0 2188752 interpreters optional libtcltk-ruby1.9_1.9.0.2-9.1_amd64.deb
 512290635afe377ba5481e74c5c7f4d5 558954 interpreters optional libopenssl-ruby1.9_1.9.0.2-9.1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAknbWVYACgkQHYflSXNkfP9wIQCfUtEJoYJqRSUOFTaCtV7BagTB
Sc4An1g+aDiYt8F4XW80MmKNtbjDDjwD
=v8pP
-----END PGP SIGNATURE-----



--- End Message ---