| Name | CVE-2009-0127 |
| Description | M2Crypto does not properly check the return value from the OpenSSL EVP_VerifyFinal, DSA_verify, ECDSA_verify, DSA_do_verify, and ECDSA_do_verify functions, which might allow remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature, a similar vulnerability to CVE-2008-5077. NOTE: a Linux vendor disputes the relevance of this report to the M2Crypto product because "these functions are not used anywhere in m2crypto. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| Debian Bugs | 511515 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| m2crypto (PTS) | buster | 0.31.0-4+deb10u2 | vulnerable |
| bullseye | 0.37.1-2 | vulnerable | |
| bookworm | 0.38.0-4 | vulnerable | |
| trixie | 0.40.1-1 | vulnerable | |
| sid | 0.40.1-3 | vulnerable |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| m2crypto | source | (unstable) | (unfixed) | unimportant | 511515 |
m2crypto provides a direct mapping of the OpenSSL functions, no incorrect
call sites are known, if such are found they should be fixed in the respective
applications