CVE-2009-0127

Description
** DISPUTED ** M2Crypto does not properly check the return value from the
OpenSSL EVP_VerifyFinal, DSA_verify, ECDSA_verify, DSA_do_verify, and
ECDSA_do_verify functions, which might allow remote attackers to bypass
validation of the certificate chain via a malformed SSL/TLS signature, a
similar vulnerability to CVE-2008-5077. NOTE: a Linux vendor disputes the
relevance of this report to the M2Crypto product because "these functions
are not used anywhere in m2crypto."
Notes
 mdeslaur> may not be an issue, see redhat bug
 mdeslaur> debian: "m2crypto provides a direct mapping of the OpenSSL
 mdeslaur> functions, no incorrect call sites are known, if such are found
 mdeslaur> they should be fixed in the respective"
 mdeslaur> marking this as ignored
Package
Upstream: ignored

Updated: 2019-03-26 12:28:02 UTC (commit ccdecfcf0fead22bd291e5f4ea745a46872dcb15)