Package: bind9
Version: 1:9.5.0.dfsg.P2-5.1
Severity: wishlist
Tags: patch
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu jaunty ubuntu-patch



In Ubuntu, we've applied the attached patch to achieve the following:

  * SECURITY UPDATE: clients treat malformed signatures as good when verifying
    server DSA and ECDSA certificates.
    - update lib/dns/openssldsa_link.c to properly check the return code of
      DSA_do_verify()
    - CVE-2009-0025

We thought you might be interested in doing the same.


-- System Information:
Debian Release: lenny/sid
  APT prefers hardy-updates
  APT policy: (500, 'hardy-updates'), (500, 'hardy-security'), (500, 'hardy-proposed'), (500, 'hardy')
Architecture: i386 (i686)

Kernel: Linux 2.6.24-16-generic (SMP w/2 CPU cores)
Locale: LANG=en_IN, LC_CTYPE=en_IN (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
--- bind9-9.5.0.dfsg.P2.orig/lib/dns/openssldsa_link.c
+++ bind9-9.5.0.dfsg.P2/lib/dns/openssldsa_link.c
@@ -146,7 +146,7 @@
 
        status = DSA_do_verify(digest, ISC_SHA1_DIGESTLENGTH, dsasig, dsa);
        DSA_SIG_free(dsasig);
-       if (status == 0)
+       if (status <= 0)
                return (dst__openssl_toresult(DST_R_VERIFYFAILURE));
 
        return (ISC_R_SUCCESS);
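Review bot: The `if (status == 0)` test replaced here was the actual defect: `DSA_do_verify()` returns 1 for a valid signature, 0 for an invalid one and -1 on error (malformed signature encoding, internal failure), so the old code fell through to `return (ISC_R_SUCCESS)` on -1 and accepted a signature that was never verified. The new `if (status <= 0)` closes that, but the stricter and more future-proof idiom is `if (status != 1)`, which treats any value other than the documented success code as a failure; consider also mapping the -1 case to a distinct error rather than `DST_R_VERIFYFAILURE`, since it signals a parsing or library error rather than a cryptographic mismatch, which is useful for logging and detection. The ordering is otherwise sound: `dsasig` is freed before the status check on every path, so no leak is introduced.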