Your message dated Sat, 29 Aug 2009 09:58:14 +0100
with message-id <[email protected]>
and subject line Package libnasl has been removed from Debian
has caused the Debian Bug report #511517,
regarding libnasl: Return values of DSA_do_verify
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
511517: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=511517
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libnasl
Severity: serious
Tags: security
Hi,
I've been checking packages to see if they properly check the return
value of some of the functions in openssl. In nasl/nasl_crypto2.c
there is this code:
if (DSA_do_verify((unsigned char*)data, datalen, sig, dsa))
retc->x.i_val = 1;
But DSA_do_verify() can return 0 or -1 in case of errors. A good way
to check the value would be something like:
if (DSA_do_verify((unsigned char*)data, datalen, sig, dsa) == 1)
I have no idea if this code is being used and what the consequences
of this might be.
Kurt
--- End Message ---
--- Begin Message ---
Version: 2.2.11-1+rm
You filled the bug http://bugs.debian.org/511517 in Debian BTS
against the package libnasl. I'm closing it at *unstable*, but it will
remain open for older distributions.
For more information about this package's removal, read
http://bugs.debian.org/534506. That bug might give the reasons why
this package was removed and suggestions of possible replacements.
Don't hesitate to reply to this mail if you have any question.
Thank you for your contribution to Debian.
--
Marco Rodrigues
--- End Message ---
