On 17.04.19 12:53, Young Xiao wrote:
EVP_VerifyFinal would return one of three values:
1 if the data is verified to be correct;
0 if it is incorrect;
-1 if there is any failure in the verification process.
The varification in unpatched version is wrong, since it ignored
the return value of -1.
The bug allows a malformed signature to be treated as a good
signature rather than as an error. This issue affects the
signature checks on DSA ans ECDSA keys used with SSL/TLS.
This issue is similar to CVE-2008-5077, CVE-2009-0021,
CVE-2009-0025, CVE-2009-0046 ~ CVE-2009-0049.
Signed-off-by: Young Xiao <92siuy...@gmail.com>
Applied to u-boot-marvell/master.
Thanks,
Stefan
_______________________________________________
U-Boot mailing list
U-Boot@lists.denx.de
https://lists.denx.de/listinfo/u-boot