hardaker pushed to perl-Crypt-OpenSSL-DSA (epel7). "update to fix CVE-2009-0129"

notifications at fedoraproject.org notifications at fedoraproject.org
Tue Apr 28 18:05:07 UTC 2015


>From 83013a6cc3053f8f35858a8a5784a33761d96c1b Mon Sep 17 00:00:00 2001
From: Wes Hardaker <hardaker at fedoraproject.org>
Date: Wed, 18 Feb 2009 21:18:32 +0000
Subject: update to fix CVE-2009-0129


diff --git a/Crypt-OpenSSL-DSA-0.13-security_croak-in-do_verify-too.patch b/Crypt-OpenSSL-DSA-0.13-security_croak-in-do_verify-too.patch
new file mode 100644
index 0000000..3ae7057
--- /dev/null
+++ b/Crypt-OpenSSL-DSA-0.13-security_croak-in-do_verify-too.patch
@@ -0,0 +1,35 @@
+# Author: Damyan Ivanov <dmn at debian.org>
+# Description: make do_verify() croak on error in the same way
+#              verify() already does
+#              Document that verify()/do_verify() croak on errors
+# Debian-Bug: http://bugs.debian.org/511519
+--- a/DSA.xs
++++ b/DSA.xs
+@@ -139,6 +139,8 @@ do_verify(dsa, dgst, sig)
+     CODE:
+         dgst_pv = SvPV(dgst, dgst_len);
+         RETVAL = DSA_do_verify(dgst_pv, dgst_len, sig, dsa);
++        if (RETVAL == -1)
++          croak("Error in DSA_do_verify: %s",ERR_error_string(ERR_get_error(), NULL));
+     OUTPUT:
+         RETVAL
+ 
+--- a/lib/Crypt/OpenSSL/DSA.pm
++++ b/lib/Crypt/OpenSSL/DSA.pm
+@@ -124,10 +124,14 @@ Verifies that the $sig signature for $me
+ 
+ $dsa is the signer's public key.
+ 
++Note it croaks if the underlying library call returns error (-1).
++
+ =item $valid = $dsa->do_verify( $message, $sig_obj );
+ 
+ Similar to C<verify>, but uses a L<Crypt::OpenSSL::DSA::Signature> object.
+ 
++Note it croaks if the underlying library call returns error (-1).
++
+ =item $dsa->write_params( $filename );
+ 
+ Writes the parameters into a PEM file.
+
+ 	  	 
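Review bot: The new guard in the DSA.xs hunk, `if (RETVAL == -1)`, only catches the single value OpenSSL currently documents for failure; because the Perl caller treats do_verify's result as a boolean, any other negative return would still read as a valid signature, so the defensive form is `if (RETVAL < 0)`. The patch header says verify() already croaks the same way, but that function lies outside this hunk and cannot be confirmed from here. The do_verify XS body also starts before the quoted `CODE:` section, so the hunk shows only the tail of the function. Finally, the last line of the new .patch file appears to be whitespace only after the DSA.pm hunk ends; patch should ignore it, but dropping it avoids a confusing stray line.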
diff --git a/perl-Crypt-OpenSSL-DSA.spec b/perl-Crypt-OpenSSL-DSA.spec
index bfec732..2e1a9f3 100644
--- a/perl-Crypt-OpenSSL-DSA.spec
+++ b/perl-Crypt-OpenSSL-DSA.spec
@@ -1,6 +1,6 @@
 Name:           perl-Crypt-OpenSSL-DSA
 Version:        0.13
-Release:        8%{?dist}
+Release:        9%{?dist}
 Summary:        Perl interface to OpenSSL for DSA
 License:        GPL+ or Artistic 
 Group:          Development/Libraries
@@ -12,12 +12,16 @@ BuildRequires:  perl(Digest::SHA1) perl(File::Temp)
 
 Requires:       perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version))
 
+Patch1: Crypt-OpenSSL-DSA-0.13-security_croak-in-do_verify-too.patch
+
 %description
 Crypt::OpenSSL::DSA - Digital Signature Algorithm using OpenSSL
 
 %prep
 %setup -q -n Crypt-OpenSSL-DSA-%{version}
 
+%patch1 -p1
+
 %build
 %{__perl} Makefile.PL INSTALLDIRS=vendor
 make %{?_smp_mflags}
@@ -47,6 +51,9 @@ rm -rf %{buildroot}
 %{_mandir}/man3/*
 
 %changelog
+* Wed Feb 18 2009 Wes Hardaker <wjhns174 at hardakers.net> - 0.13-9
+- Fix CVE-2009-0129 and have do_verify croak on fatal error
+
 * Sat Jan 17 2009 Tomas Mraz <tmraz at redhat.com> - 0.13-8
 - rebuild with new openssl
 
-- 
cgit v0.10.2


	http://pkgs.fedoraproject.org/cgit/perl-Crypt-OpenSSL-DSA.git/commit/?h=epel7&id=83013a6cc3053f8f35858a8a5784a33761d96c1b

