rpms/perl-Crypt-OpenSSL-DSA/F-9 Crypt-OpenSSL-DSA-0.13-security_croak-in-do_verify-too.patch, NONE, 1.1 perl-Crypt-OpenSSL-DSA.spec, 1.5, 1.6
Wes Hardaker
hardaker at fedoraproject.org
Wed Feb 18 21:19:02 UTC 2009
- Previous message (by thread): rpms/perl-FCGI-ProcManager/F-9 import.log, NONE, 1.1 perl-FCGI-ProcManager.spec, NONE, 1.1 .cvsignore, 1.1, 1.2 sources, 1.1, 1.2
- Next message (by thread): rpms/perl-Crypt-OpenSSL-DSA/F-10 Crypt-OpenSSL-DSA-0.13-security_croak-in-do_verify-too.patch, NONE, 1.1 perl-Crypt-OpenSSL-DSA.spec, 1.5, 1.6
Author: hardaker
Update of /cvs/extras/rpms/perl-Crypt-OpenSSL-DSA/F-9
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv9607/F-9
Modified Files:
perl-Crypt-OpenSSL-DSA.spec
Added Files:
Crypt-OpenSSL-DSA-0.13-security_croak-in-do_verify-too.patch
Log Message:
update to fix CVE-2009-0129
Crypt-OpenSSL-DSA-0.13-security_croak-in-do_verify-too.patch:
--- NEW FILE Crypt-OpenSSL-DSA-0.13-security_croak-in-do_verify-too.patch ---
# Author: Damyan Ivanov <dmn at debian.org>
# Description: make do_verify() croak on error in the same way
# verify() already does
# Document that verify()/do_verify() croak on errors
# Debian-Bug: http://bugs.debian.org/511519
--- a/DSA.xs
+++ b/DSA.xs
@@ -139,6 +139,8 @@ do_verify(dsa, dgst, sig)
CODE:
dgst_pv = SvPV(dgst, dgst_len);
RETVAL = DSA_do_verify(dgst_pv, dgst_len, sig, dsa);
+ if (RETVAL == -1)
+ croak("Error in DSA_do_verify: %s",ERR_error_string(ERR_get_error(), NULL));
OUTPUT:
RETVAL
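Review bot: the new check tests only `RETVAL == -1`; OpenSSL documents `DSA_do_verify` as returning 1 for a valid signature, 0 for an invalid one and a negative value on error, so `if (RETVAL < 0)` is the more robust test and matches what the API actually guarantees. The check itself is the important part of this hunk: before it, the raw return value was handed back to Perl unchanged, so on a library error the caller received -1, which is a true value in Perl, and a caller written as `if ($dsa->do_verify($digest, $sig))` would have accepted the signature. One further nit: `ERR_error_string(ERR_get_error(), NULL)` formats into a static buffer and is not thread-safe; `ERR_error_string_n` with a local buffer avoids that, or at least keep the message code identical to what `verify()` already does so the two paths stay consistent.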
--- a/lib/Crypt/OpenSSL/DSA.pm
+++ b/lib/Crypt/OpenSSL/DSA.pm
@@ -124,10 +124,14 @@ Verifies that the $sig signature for $me
$dsa is the signer's public key.
+Note it croaks if the underlying library call returns error (-1).
+
=item $valid = $dsa->do_verify( $message, $sig_obj );
Similar to C<verify>, but uses a L<Crypt::OpenSSL::DSA::Signature> object.
+Note it croaks if the underlying library call returns error (-1).
+
=item $dsa->write_params( $filename );
Writes the parameters into a PEM file.
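Review bot: both added sentences document the croak but leave the non-error return values unstated; since the underlying problem is callers testing the result for truth, say explicitly that `verify` and `do_verify` return 1 when the signature is valid and 0 when it is not, so a reader knows 0 is a normal, non-fatal outcome and that no other value is ever returned. The phrase "returns error (-1)" also reads awkwardly; "returns an error (a negative value)" is clearer and does not tie the documentation to one specific code.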
Index: perl-Crypt-OpenSSL-DSA.spec
===================================================================
RCS file: /cvs/extras/rpms/perl-Crypt-OpenSSL-DSA/F-9/perl-Crypt-OpenSSL-DSA.spec,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -r1.5 -r1.6
--- perl-Crypt-OpenSSL-DSA.spec 5 Mar 2008 22:50:22 -0000 1.5
+++ perl-Crypt-OpenSSL-DSA.spec 18 Feb 2009 21:18:32 -0000 1.6
@@ -1,6 +1,6 @@
Name: perl-Crypt-OpenSSL-DSA
Version: 0.13
-Release: 7%{?dist}
+Release: 8%{?dist}
Summary: Perl interface to OpenSSL for DSA
License: GPL+ or Artistic
Group: Development/Libraries
@@ -12,12 +12,16 @@
Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version))
+Patch1: Crypt-OpenSSL-DSA-0.13-security_croak-in-do_verify-too.patch
+
%description
Crypt::OpenSSL::DSA - Digital Signature Algorithm using OpenSSL
%prep
%setup -q -n Crypt-OpenSSL-DSA-%{version}
+%patch1 -p1
+
%build
%{__perl} Makefile.PL INSTALLDIRS=vendor
make %{?_smp_mflags}
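Review bot: nothing in the spec ties Patch1 to the CVE it fixes; a comment line above `Patch1:` such as `# CVE-2009-0129: croak on DSA_do_verify error instead of returning -1 (Debian #511519)` would let the next maintainer see why the patch is there without reading the changelog. Placement is also unusual: Patch lines conventionally sit next to Source0 rather than after the Requires line. The `-p1` strip level is correct for the `a/`, `b/` paths the patch uses.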
@@ -47,6 +51,9 @@
%{_mandir}/man3/*
%changelog
+* Wed Feb 18 2009 Wes Hardaker <wjhns174 at hardakers.net> - 0.13-9
+- Fix CVE-2009-0129 and have do_verify croak on fatal error
+
* Wed Mar 5 2008 Tom "spot" Callaway <tcallawa at redhat.com> - 0.13-7
- rebuild for new perl
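Review bot: the changelog entry is stamped 0.13-9 while the Release tag in the first hunk is only bumped from 7 to 8; one of the two needs to change, otherwise the built NVR will not match the changelog and tooling that cross-checks them will flag the build.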
More information about the Fedora-perl-devel-list
mailing list