CVE-2009-0127
Publication date 15 January 2009
Last updated 24 July 2024
Ubuntu priority
** DISPUTED ** M2Crypto does not properly check the return value from the OpenSSL EVP_VerifyFinal, DSA_verify, ECDSA_verify, DSA_do_verify, and ECDSA_do_verify functions, which might allow remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature, a similar vulnerability to CVE-2008-5077. NOTE: a Linux vendor disputes the relevance of this report to the M2Crypto product because "these functions are not used anywhere in m2crypto."
Notes
mdeslaur
may not be an issue, see redhat bug debian: "m2crypto provides a direct mapping of the OpenSSL functions, no incorrect call sites are known, if such are found they should be fixed in the respective" marking this as ignored