CVE-2009-0127

NameCVE-2009-0127
Description** DISPUTED ** M2Crypto does not properly check the return value from the OpenSSL EVP_VerifyFinal, DSA_verify, ECDSA_verify, DSA_do_verify, and ECDSA_do_verify functions, which might allow remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature, a similar vulnerability to CVE-2008-5077. NOTE: a Linux vendor disputes the relevance of this report to the M2Crypto product because "these functions are not used anywhere in m2crypto."
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium (attack range: remote)
Debian Bugs511515

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
m2crypto (PTS)jessie0.21.1-3vulnerable
stretch0.24.0-1.1vulnerable
buster, sid0.31.0-4vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
m2cryptosource(unstable)(unfixed)unimportant511515

Notes

m2crypto provides a direct mapping of the OpenSSL functions, no incorrect
call sites are known, if such are found they should be fixed in the respective
applications
Search for package or bug name: Reporting problems