rpms/perl-Crypt-OpenSSL-DSA/devel Crypt-OpenSSL-DSA-0.13-security_croak-in-do_verify-too.patch, NONE, 1.1 perl-Crypt-OpenSSL-DSA.spec, 1.6, 1.7

Wes Hardaker hardaker at fedoraproject.org
Wed Feb 18 21:19:02 UTC 2009


Author: hardaker

Update of /cvs/extras/rpms/perl-Crypt-OpenSSL-DSA/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv9607/devel

Modified Files:
	perl-Crypt-OpenSSL-DSA.spec 
Added Files:
	Crypt-OpenSSL-DSA-0.13-security_croak-in-do_verify-too.patch 
Log Message:
update to fix CVE-2009-0129

Crypt-OpenSSL-DSA-0.13-security_croak-in-do_verify-too.patch:

--- NEW FILE Crypt-OpenSSL-DSA-0.13-security_croak-in-do_verify-too.patch ---
# Author: Damyan Ivanov <dmn at debian.org>
# Description: make do_verify() croak on error in the same way
#              verify() already does
#              Document that verify()/do_verify() croak on errors
# Debian-Bug: http://bugs.debian.org/511519
--- a/DSA.xs
+++ b/DSA.xs
@@ -139,6 +139,8 @@ do_verify(dsa, dgst, sig)
     CODE:
         dgst_pv = SvPV(dgst, dgst_len);
         RETVAL = DSA_do_verify(dgst_pv, dgst_len, sig, dsa);
+        if (RETVAL == -1)
+          croak("Error in DSA_do_verify: %s",ERR_error_string(ERR_get_error(), NULL));
     OUTPUT:
         RETVAL
 
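Review bot: the added check in do_verify compares `RETVAL == -1` exactly, so any other negative return from DSA_do_verify would still be handed back to the Perl caller as a true value; `if (RETVAL < 0)` is the safer comparison. ERR_error_string() called with a NULL buffer writes into a static buffer, which is acceptable for an immediate croak but is not thread-safe. A space after the comma in the croak() argument list would match the `SvPV(dgst, dgst_len)` style two lines above.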
--- a/lib/Crypt/OpenSSL/DSA.pm
+++ b/lib/Crypt/OpenSSL/DSA.pm
@@ -124,10 +124,14 @@ Verifies that the $sig signature for $me
 
 $dsa is the signer's public key.
 
+Note it croaks if the underlying library call returns error (-1).
+
 =item $valid = $dsa->do_verify( $message, $sig_obj );
 
 Similar to C<verify>, but uses a L<Crypt::OpenSSL::DSA::Signature> object.
 
+Note it croaks if the underlying library call returns error (-1).
+
 =item $dsa->write_params( $filename );
 
 Writes the parameters into a PEM file.
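Review bot: both added POD notes say only that the call croaks when the library returns -1, which leaves callers without guidance on handling it; the entries for verify and do_verify should also say what $valid holds when no error occurs and that code which must not die needs to wrap the call in `eval { ... }` and check `$@`. "returns error" should read "returns an error".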

 	  	 


Index: perl-Crypt-OpenSSL-DSA.spec
===================================================================
RCS file: /cvs/extras/rpms/perl-Crypt-OpenSSL-DSA/devel/perl-Crypt-OpenSSL-DSA.spec,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -r1.6 -r1.7
--- perl-Crypt-OpenSSL-DSA.spec	17 Jan 2009 18:56:18 -0000	1.6
+++ perl-Crypt-OpenSSL-DSA.spec	18 Feb 2009 21:18:32 -0000	1.7
@@ -1,6 +1,6 @@
 Name:           perl-Crypt-OpenSSL-DSA
 Version:        0.13
-Release:        8%{?dist}
+Release:        9%{?dist}
 Summary:        Perl interface to OpenSSL for DSA
 License:        GPL+ or Artistic 
 Group:          Development/Libraries
@@ -12,12 +12,16 @@
 
 Requires:       perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version))
 
+Patch1: Crypt-OpenSSL-DSA-0.13-security_croak-in-do_verify-too.patch
+
 %description
 Crypt::OpenSSL::DSA - Digital Signature Algorithm using OpenSSL
 
 %prep
 %setup -q -n Crypt-OpenSSL-DSA-%{version}
 
+%patch1 -p1
+
 %build
 %{__perl} Makefile.PL INSTALLDIRS=vendor
 make %{?_smp_mflags}
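Review bot: `Patch1:` is declared with no comment on where the patch came from or its upstream status; add a comment line above it naming CVE-2009-0129 and the Debian bug cited in the patch header (http://bugs.debian.org/511519), so a later rebase to a newer upstream version can tell whether the patch is still needed.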
@@ -47,6 +51,9 @@
 %{_mandir}/man3/*
 
 %changelog
+* Wed Feb 18 2009 Wes Hardaker <wjhns174 at hardakers.net> - 0.13-9
+- Fix CVE-2009-0129 and have do_verify croak on fatal error
+
 * Sat Jan 17 2009 Tomas Mraz <tmraz at redhat.com> - 0.13-8
 - rebuild with new openssl
 



