
Bug 258864 (CVE-2009-0129)

Summary: dev-perl/crypt-dsa DSA_verify, DSA_do_verify missing error check (CVE-2009-0129)
Product: Gentoo Security
Reporter: Robert Buchholz (RETIRED) <rbu>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED INVALID
Severity: minor
CC: perl
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=511519
Whiteboard: B3 [ebuild]
Package list:
Runtime testing required: ---

Description Robert Buchholz (RETIRED) gentoo-dev 2009-02-13 17:17:39 UTC
CVE-2009-0129 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0129):
  libcrypt-openssl-dsa-perl does not properly check the return value
  from the OpenSSL DSA_verify and DSA_do_verify functions, which might
  allow remote attackers to bypass validation of the certificate chain
  via a malformed SSL/TLS signature, a similar vulnerability to
  CVE-2008-5077.
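The failure mode named in the CVE text is the tri-state return contract of OpenSSL's DSA_verify()/DSA_do_verify(): 1 means the signature is valid, 0 means it does not match, and -1 means an error occurred (for example, a signature that does not decode). A binding that hands that integer straight to Perl, where the caller writes `if ($dsa->verify(...))`, accepts the -1 error return as success. The following is an added example, not code from Crypt::OpenSSL::DSA, Crypt-DSA or the Debian patch; `stub_DSA_verify()` is an assumed stand-in that does no cryptography and only reproduces the documented return values, and the three sample signature buffers are constructed for the demonstration:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample inputs: a 4-byte "signature" that the stub treats
 * as valid, one with the same DER-looking framing but a different value,
 * and one whose first byte is not a DER SEQUENCE tag (0x30). */
#define SIG_LEN 4
const unsigned char SIG_GOOD[SIG_LEN]      = {0x30, 0x04, 0x02, 0x01};
const unsigned char SIG_BAD[SIG_LEN]       = {0x30, 0x04, 0x02, 0x02};
const unsigned char SIG_MALFORMED[SIG_LEN] = {0x31, 0x04, 0x02, 0x01};

/* Assumed stand-in for OpenSSL's DSA_verify(). It performs no signature
 * check at all; it only mirrors the return contract that the CVE is about:
 *   1  -> signature verifies
 *   0  -> signature does not verify
 *  -1  -> error (here: the buffer does not start with a DER SEQUENCE tag) */
static int stub_DSA_verify(const unsigned char *sig, size_t siglen)
{
    if (siglen == 0 || sig[0] != 0x30)
        return -1;                       /* undecodable input: error, not "invalid" */
    if (siglen == SIG_LEN && memcmp(sig, SIG_GOOD, SIG_LEN) == 0)
        return 1;
    return 0;
}

/* Vulnerable pattern: any non-zero return is taken as success, so the
 * -1 error return produced by a malformed signature is accepted. This is
 * what happens when the raw int is returned to Perl and tested for truth. */
bool verify_vulnerable(const unsigned char *sig, size_t siglen)
{
    int rc = stub_DSA_verify(sig, siglen);
    return rc != 0;
}

/* Hardened pattern: only an exact 1 is success; -1 is surfaced as a
 * distinct error so the caller fails closed. A Perl binding would croak
 * on VERIFY_ERROR instead of returning a true value. */
enum verify_result { VERIFY_OK = 0, VERIFY_BAD_SIG = 1, VERIFY_ERROR = 2 };

enum verify_result verify_hardened(const unsigned char *sig, size_t siglen)
{
    int rc = stub_DSA_verify(sig, siglen);
    if (rc == 1)
        return VERIFY_OK;
    if (rc == 0)
        return VERIFY_BAD_SIG;
    return VERIFY_ERROR;                 /* rc == -1 or anything unexpected */
}

int main(void)
{
    const unsigned char *cases[] = {SIG_GOOD, SIG_BAD, SIG_MALFORMED};
    const char *names[] = {"good", "bad", "malformed"};
    for (size_t i = 0; i < 3; i++) {
        printf("%-9s vulnerable=%d hardened=%d\n", names[i],
               (int)verify_vulnerable(cases[i], SIG_LEN),
               (int)verify_hardened(cases[i], SIG_LEN));
    }
    return 0;
}
```

The "malformed" case is the one that matters: the vulnerable check reports it as verified, the hardened check reports an error. When auditing any OpenSSL caller, grep for `if (DSA_verify(` / `if (RSA_verify(` / `if (EVP_VerifyFinal(` and confirm the comparison is `== 1`, not a truth test.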
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2009-02-13 17:20:31 UTC
Debian developed a patch for this that introduces a croak (aka exception) in the error case. However, this might be unexpected for applications using the perl library. I did not check whether upstream went with another fix.
Comment 2 Torsten Veller (RETIRED) gentoo-dev 2009-02-26 12:23:02 UTC
dev-perl/crypt-dsa is Crypt-DSA and not Crypt-OpenSSL-DSA, which is not in the tree. 

The only time openssl is used in Crypt-DSA is the generate_params function in Crypt::DSA::KeyChain:
<http://cpansearch.perl.org/src/BTROTT/Crypt-DSA-0.14/lib/Crypt/DSA/KeyChain.pm>

Thanks
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2009-02-26 15:16:24 UTC
Sounds good then, closing INVALID.