Author: hardaker Update of /cvs/extras/rpms/perl-Crypt-OpenSSL-DSA/F-9 In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv9607/F-9 Modified Files: perl-Crypt-OpenSSL-DSA.spec Added Files: Crypt-OpenSSL-DSA-0.13-security_croak-in-do_verify-too.patch Log Message: update to fix CVE-2009-0129 Crypt-OpenSSL-DSA-0.13-security_croak-in-do_verify-too.patch: --- NEW FILE Crypt-OpenSSL-DSA-0.13-security_croak-in-do_verify-too.patch --- # Author: Damyan Ivanov <dmn@xxxxxxxxxx> # Description: make do_verify() croak on error in the same way # verify() already does # Document that verify()/do_verify() croak on errors # Debian-Bug: http://bugs.debian.org/511519 --- a/DSA.xs +++ b/DSA.xs @@ -139,6 +139,8 @@ do_verify(dsa, dgst, sig) CODE: dgst_pv = SvPV(dgst, dgst_len); RETVAL = DSA_do_verify(dgst_pv, dgst_len, sig, dsa); + if (RETVAL == -1) + croak("Error in DSA_do_verify: %s",ERR_error_string(ERR_get_error(), NULL)); OUTPUT: RETVAL --- a/lib/Crypt/OpenSSL/DSA.pm +++ b/lib/Crypt/OpenSSL/DSA.pm @@ -124,10 +124,14 @@ Verifies that the $sig signature for $me $dsa is the signer's public key. +Note it croaks if the underlying library call returns error (-1). + =item $valid = $dsa->do_verify( $message, $sig_obj ); Similar to C<verify>, but uses a L<Crypt::OpenSSL::DSA::Signature> object. +Note it croaks if the underlying library call returns error (-1). + =item $dsa->write_params( $filename ); Writes the parameters into a PEM file. Index: perl-Crypt-OpenSSL-DSA.spec =================================================================== RCS file: /cvs/extras/rpms/perl-Crypt-OpenSSL-DSA/F-9/perl-Crypt-OpenSSL-DSA.spec,v retrieving revision 1.5 retrieving revision 1.6 diff -u -r1.5 -r1.6 --- perl-Crypt-OpenSSL-DSA.spec 5 Mar 2008 22:50:22 -0000 1.5 +++ perl-Crypt-OpenSSL-DSA.spec 18 Feb 2009 21:18:32 -0000 1.6 @@ -1,6 +1,6 @@ Name: perl-Crypt-OpenSSL-DSA Version: 0.13 -Release: 7%{?dist} +Release: 8%{?dist} Summary: Perl interface to OpenSSL for DSA License: GPL+ or Artistic Group: Development/Libraries @@ -12,12 +12,16 @@ Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version)) +Patch1: Crypt-OpenSSL-DSA-0.13-security_croak-in-do_verify-too.patch + %description Crypt::OpenSSL::DSA - Digital Signature Algorithm using OpenSSL %prep %setup -q -n Crypt-OpenSSL-DSA-%{version} +%patch1 -p1 + %build %{__perl} Makefile.PL INSTALLDIRS=vendor make %{?_smp_mflags} @@ -47,6 +51,9 @@ %{_mandir}/man3/* %changelog +* Wed Feb 18 2009 Wes Hardaker <wjhns174@xxxxxxxxxxxxx> - 0.13-9 +- Fix CVE-2009-0129 and have do_verify croak on fatal error + * Wed Mar 5 2008 Tom "spot" Callaway <tcallawa@xxxxxxxxxx> - 0.13-7 - rebuild for new perl -- Fedora Extras Perl SIG http://www.fedoraproject.org/wiki/Extras/SIGs/Perl Fedora-perl-devel-list mailing list Fedora-perl-devel-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-perl-devel-list