rpms/perl-Crypt-OpenSSL-DSA/devel Crypt-OpenSSL-DSA-0.13-security_croak-in-do_verify-too.patch, NONE, 1.1 perl-Crypt-OpenSSL-DSA.spec, 1.6, 1.7
Wes Hardaker
hardaker at fedoraproject.org
Wed Feb 18 21:19:02 UTC 2009
Author: hardaker
Update of /cvs/extras/rpms/perl-Crypt-OpenSSL-DSA/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv9607/devel
Modified Files:
perl-Crypt-OpenSSL-DSA.spec
Added Files:
Crypt-OpenSSL-DSA-0.13-security_croak-in-do_verify-too.patch
Log Message:
update to fix CVE-2009-0129
Crypt-OpenSSL-DSA-0.13-security_croak-in-do_verify-too.patch:
--- NEW FILE Crypt-OpenSSL-DSA-0.13-security_croak-in-do_verify-too.patch ---
# Author: Damyan Ivanov <dmn at debian.org>
# Description: make do_verify() croak on error in the same way
# verify() already does
# Document that verify()/do_verify() croak on errors
# Debian-Bug: http://bugs.debian.org/511519
--- a/DSA.xs
+++ b/DSA.xs
@@ -139,6 +139,8 @@ do_verify(dsa, dgst, sig)
CODE:
dgst_pv = SvPV(dgst, dgst_len);
RETVAL = DSA_do_verify(dgst_pv, dgst_len, sig, dsa);
+ if (RETVAL == -1)
+ croak("Error in DSA_do_verify: %s",ERR_error_string(ERR_get_error(), NULL));
OUTPUT:
RETVAL
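Review bot: ERR_error_string(ERR_get_error(), NULL) in the new croak writes into a static buffer inside OpenSSL, which is not safe if the interpreter runs with threads; a local `char buf[256];` with `ERR_error_string_n(ERR_get_error(), buf, sizeof buf)` avoids that, and a space after the comma in the croak arguments would match the surrounding style. The `RETVAL == -1` test itself is the right fix: DSA_do_verify returns 1 for a valid signature, 0 for an invalid one and -1 on error, and before this hunk the -1 was handed straight to Perl, where it is a true value, so a failing library call looked like a successful verification. Assuming RETVAL is declared as an int, as the description says verify() already does, the comparison is exact; `RETVAL < 0` would be marginally more defensive.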
--- a/lib/Crypt/OpenSSL/DSA.pm
+++ b/lib/Crypt/OpenSSL/DSA.pm
@@ -124,10 +124,14 @@ Verifies that the $sig signature for $me
$dsa is the signer's public key.
+Note it croaks if the underlying library call returns error (-1).
+
=item $valid = $dsa->do_verify( $message, $sig_obj );
Similar to C<verify>, but uses a L<Crypt::OpenSSL::DSA::Signature> object.
+Note it croaks if the underlying library call returns error (-1).
+
=item $dsa->write_params( $filename );
Writes the parameters into a PEM file.
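Review bot: the two added notes say that verify() and do_verify() croak on error but leave the normal return values undocumented; since this fix exists because a -1 return was being mistaken for success, say explicitly that the return value is 1 for a valid signature and 0 for an invalid one, and that callers who want to handle the library error themselves should wrap the call in C<eval>. Also "returns error (-1)" reads better as "returns an error (-1)".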
Index: perl-Crypt-OpenSSL-DSA.spec
===================================================================
RCS file: /cvs/extras/rpms/perl-Crypt-OpenSSL-DSA/devel/perl-Crypt-OpenSSL-DSA.spec,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -r1.6 -r1.7
--- perl-Crypt-OpenSSL-DSA.spec 17 Jan 2009 18:56:18 -0000 1.6
+++ perl-Crypt-OpenSSL-DSA.spec 18 Feb 2009 21:18:32 -0000 1.7
@@ -1,6 +1,6 @@
Name: perl-Crypt-OpenSSL-DSA
Version: 0.13
-Release: 8%{?dist}
+Release: 9%{?dist}
Summary: Perl interface to OpenSSL for DSA
License: GPL+ or Artistic
Group: Development/Libraries
@@ -12,12 +12,16 @@
Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version))
+Patch1: Crypt-OpenSSL-DSA-0.13-security_croak-in-do_verify-too.patch
+
%description
Crypt::OpenSSL::DSA - Digital Signature Algorithm using OpenSSL
%prep
%setup -q -n Crypt-OpenSSL-DSA-%{version}
+%patch1 -p1
+
%build
%{__perl} Makefile.PL INSTALLDIRS=vendor
make %{?_smp_mflags}
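Review bot: style: Patch1 is declared after the Requires: line; keeping PatchN tags next to Source0 in the preamble is the usual spec layout and makes the patch list easier to find. The `%patch1 -p1` in %prep matches the a/ and b/ path prefixes used in the patch, so the apply step is correct.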
@@ -47,6 +51,9 @@
%{_mandir}/man3/*
%changelog
+* Wed Feb 18 2009 Wes Hardaker <wjhns174 at hardakers.net> - 0.13-9
+- Fix CVE-2009-0129 and have do_verify croak on fatal error
+
* Sat Jan 17 2009 Tomas Mraz <tmraz at redhat.com> - 0.13-8
- rebuild with new openssl
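Review bot: the changelog entry reads as two separate fixes, but the patch is a single change (the croak in do_verify is the CVE-2009-0129 fix); wording it as "Fix CVE-2009-0129: croak in do_verify on library error (-1) instead of returning it as a true value" states what actually changed. Consider also citing Debian bug 511519 from the patch header so the entry points at the upstream discussion.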