The TrustedQSL library incorrectly checked the result after calling the EVP_VerifyFinal function, allowing a malformed signature to be treated as a good signature rather than as an error. Proposed patch: - if (!EVP_VerifyFinal(&ctx, sig, slen, TQSL_API_TO_CERT(cert)->key)) { + if (EVP_VerifyFinal(&ctx, sig, slen, TQSL_API_TO_CERT(cert)->key) <= 0) { References: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=511509
This issue is related with recent OpenSSL's CVE-2008-5077 flaw. This issue affects all versions of the tqsllib package, as shipped with Fedora releases of 9, 10 and devel. Please fix.
tqsllib-2.0-5.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/tqsllib-2.0-5.fc10
tqsllib-2.0-5.fc9 has been submitted as an update for Fedora 9. http://admin.fedoraproject.org/updates/tqsllib-2.0-5.fc9
Thanks for the report.
tqsllib-2.0-5.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
tqsllib-2.0-5.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-0124 to the following vulnerability: The tqsl_verifyDataBlock function in openssl_cert.cpp in American Radio Relay League (ARRL) tqsllib 2.0 does not properly check the return value from the OpenSSL EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature, a similar vulnerability to CVE-2008-5077. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0124 http://openwall.com/lists/oss-security/2009/01/12/4