hardaker pushed to perl-Crypt-OpenSSL-DSA (epel7). "update to fix CVE-2009-0129"
notifications at fedoraproject.org
Tue Apr 28 18:05:07 UTC 2015
From 83013a6cc3053f8f35858a8a5784a33761d96c1b Mon Sep 17 00:00:00 2001
From: Wes Hardaker <hardaker at fedoraproject.org>
Date: Wed, 18 Feb 2009 21:18:32 +0000
Subject: update to fix CVE-2009-0129
diff --git a/Crypt-OpenSSL-DSA-0.13-security_croak-in-do_verify-too.patch b/Crypt-OpenSSL-DSA-0.13-security_croak-in-do_verify-too.patch
new file mode 100644
index 0000000..3ae7057
--- /dev/null
+++ b/Crypt-OpenSSL-DSA-0.13-security_croak-in-do_verify-too.patch
@@ -0,0 +1,35 @@
+# Author: Damyan Ivanov <dmn at debian.org>
+# Description: make do_verify() croak on error in the same way
+# verify() already does
+# Document that verify()/do_verify() croak on errors
+# Debian-Bug: http://bugs.debian.org/511519
+--- a/DSA.xs
++++ b/DSA.xs
+@@ -139,6 +139,8 @@ do_verify(dsa, dgst, sig)
+ CODE:
+ dgst_pv = SvPV(dgst, dgst_len);
+ RETVAL = DSA_do_verify(dgst_pv, dgst_len, sig, dsa);
++ if (RETVAL == -1)
++ croak("Error in DSA_do_verify: %s",ERR_error_string(ERR_get_error(), NULL));
+ OUTPUT:
+ RETVAL
+
+--- a/lib/Crypt/OpenSSL/DSA.pm
++++ b/lib/Crypt/OpenSSL/DSA.pm
+@@ -124,10 +124,14 @@ Verifies that the $sig signature for $me
+
+ $dsa is the signer's public key.
+
++Note it croaks if the underlying library call returns error (-1).
++
+ =item $valid = $dsa->do_verify( $message, $sig_obj );
+
+ Similar to C<verify>, but uses a L<Crypt::OpenSSL::DSA::Signature> object.
+
++Note it croaks if the underlying library call returns error (-1).
++
+ =item $dsa->write_params( $filename );
+
+ Writes the parameters into a PEM file.
+
+
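Review bot: The POD notes added to lib/Crypt/OpenSSL/DSA.pm say verify() and do_verify() croak when the library returns -1, but they do not say what the non-exceptional results mean or that callers now have to catch the exception. Suggest documenting that 1 means a valid signature and 0 an invalid one, and that an error is raised as an exception that should be caught with eval; -1 is a true value in Perl, so a caller testing the raw result in boolean context would accept a verification that errored. In the DSA.xs part, `if (RETVAL == -1)` matches the documented error value, though `RETVAL < 0` would be the more defensive comparison, and a space after the comma in the croak() call would match the usual style.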
diff --git a/perl-Crypt-OpenSSL-DSA.spec b/perl-Crypt-OpenSSL-DSA.spec
index bfec732..2e1a9f3 100644
--- a/perl-Crypt-OpenSSL-DSA.spec
+++ b/perl-Crypt-OpenSSL-DSA.spec
@@ -1,6 +1,6 @@
Name: perl-Crypt-OpenSSL-DSA
Version: 0.13
-Release: 8%{?dist}
+Release: 9%{?dist}
Summary: Perl interface to OpenSSL for DSA
License: GPL+ or Artistic
Group: Development/Libraries
@@ -12,12 +12,16 @@ BuildRequires: perl(Digest::SHA1) perl(File::Temp)
Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version))
+Patch1: Crypt-OpenSSL-DSA-0.13-security_croak-in-do_verify-too.patch
+
%description
Crypt::OpenSSL::DSA - Digital Signature Algorithm using OpenSSL
%prep
%setup -q -n Crypt-OpenSSL-DSA-%{version}
+%patch1 -p1
+
%build
%{__perl} Makefile.PL INSTALLDIRS=vendor
make %{?_smp_mflags}
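Review bot: The `Patch1:` line is added without a comment giving the patch's origin or upstream status. The patch file's own header already names its author and http://bugs.debian.org/511519; repeating that reference and the CVE id in a `#` comment directly above `Patch1:` would let someone reading only the spec trace why the patch is carried and when it can be dropped.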
@@ -47,6 +51,9 @@ rm -rf %{buildroot}
%{_mandir}/man3/*
%changelog
+* Wed Feb 18 2009 Wes Hardaker <wjhns174 at hardakers.net> - 0.13-9
+- Fix CVE-2009-0129 and have do_verify croak on fatal error
+
* Sat Jan 17 2009 Tomas Mraz <tmraz at redhat.com> - 0.13-8
- rebuild with new openssl
--
cgit v0.10.2
http://pkgs.fedoraproject.org/cgit/perl-Crypt-OpenSSL-DSA.git/commit/?h=epel7&id=83013a6cc3053f8f35858a8a5784a33761d96c1b