486012 – (CVE-2009-0129) CVE-2009-0129 perl-Crypt-OpenSSL-DSA: do_verify() doesn't fail on errors in OpenSSL DSA_do_verify()

Bug 486012 (CVE-2009-0129) - CVE-2009-0129 perl-Crypt-OpenSSL-DSA: do_verify() doesn't fail on errors in OpenSSL DSA_do_verify()

Summary: CVE-2009-0129 perl-Crypt-OpenSSL-DSA: do_verify() doesn't fail on errors in O...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2009-0129
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:	http://nvd.nist.gov/nvd.cfm?cvename=C...
Whiteboard:
Depends On:	486013 486014 486015
Blocks:
TreeView+	depends on / blocked

Reported:	2009-02-17 21:27 UTC by Vincent Danen
Modified:	2019-09-29 12:28 UTC (History)
CC List:	0 users
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2009-02-26 09:11:54 UTC
Embargoed:

Attachments	(Terms of Use)
patch from Debian's update to fix the issue (10.18 KB, patch) 2009-02-17 21:28 UTC, Vincent Danen	no flags	Details \| Diff
View All

Description Vincent Danen 2009-02-17 21:27:23 UTC

libcrypt-openssl-dsa-perl does not properly check the return value from the OpenSSL DSA_verify and DSA_do_verify functions, which might allow remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature, a similar vulnerability to CVE-2008-5077.

References:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=511519
http://openwall.com/lists/oss-security/2009/01/12/4
http://sourceforge.net/tracker/index.php?func=detail&aid=2545158&group_id=73194&atid=537053

The last is the upstream bug report with an attached patch to fix the issue.

Comment 1 Vincent Danen 2009-02-17 21:28:07 UTC

Created attachment 332302 [details]
patch from Debian's update to fix the issue

Comment 3 Fedora Update System 2009-02-24 15:08:46 UTC

perl-Crypt-OpenSSL-DSA-0.13-12.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/perl-Crypt-OpenSSL-DSA-0.13-12.fc10

Comment 4 Fedora Update System 2009-02-25 16:26:49 UTC

perl-Crypt-OpenSSL-DSA-0.13-12.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 5 Red Hat Product Security 2009-02-26 09:11:54 UTC

This issue was addressed in:

Fedora:
  https://admin.fedoraproject.org/updates/F10/FEDORA-2009-2090
  https://admin.fedoraproject.org/updates/F9/FEDORA-2009-1914

Note You need to log in before you can comment on or make changes to this bug.