Package: m2crypto Severity: important Tags: security Hi,
I've been checking packages to see if they properly check the return value of some of the functions in openssl. Your package seems to be calling a few of them: In SWIG/_evp.i, in verify_final() there is a call to EVP_VerifyFinal and just return that. M2Crypto/EVP.py seems to document that as only returning 0 for failure but it can also return -1 on failure. There are also calls to DSA_verify(), ECDSA_verify(), DSA_do_verify() and ECDSA_do_verify() that seem to think that -1 means error, and then return the return code. But 0 is also an error case. For all the functions mentioned, 0 and -1 are errors, 1 mean success. I have no idea how this is being used. I think this is being used by other packages in Debian (dtc-xen, python-pyxmpp) that might need to be checked instead. Kurt -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected]
