CVE-2009-0127

M2Crypto does not properly check the return value from the OpenSSL EVP_VerifyFinal, DSA_verify, ECDSA_verify, DSA_do_verify, and ECDSA_do_verify functions, which might allow remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature, a similar vulnerability to CVE-2008-5077. NOTE: a Linux vendor disputes the relevance of this report to the M2Crypto product because "these functions are not used anywhere in m2crypto."

Configurations

Configuration 1

cpe:2.3:a:heikkitoivonen:m2crypto:-:*:*:*:*:*:*:*

History

21 Nov 2024, 00:59

| Type | Values Removed | Values Added |
|---|---|---|
| References | http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=511515 - Third Party Advisory | http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=511515 - Third Party Advisory |
| References | http://openwall.com/lists/oss-security/2009/01/12/4 - Mailing List | http://openwall.com/lists/oss-security/2009/01/12/4 - Mailing List |
| References | https://bugzilla.redhat.com/show_bug.cgi?id=479676 - Exploit, Issue Tracking | https://bugzilla.redhat.com/show_bug.cgi?id=479676 - Exploit, Issue Tracking |

07 Nov 2023, 02:03

| Type | Values Removed | Values Added |
|---|---|---|
| Summary | ** DISPUTED ** M2Crypto does not properly check the return value from the OpenSSL EVP_VerifyFinal, DSA_verify, ECDSA_verify, DSA_do_verify, and ECDSA_do_verify functions, which might allow remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature, a similar vulnerability to CVE-2008-5077. NOTE: a Linux vendor disputes the relevance of this report to the M2Crypto product because "these functions are not used anywhere in m2crypto." | M2Crypto does not properly check the return value from the OpenSSL EVP_VerifyFinal, DSA_verify, ECDSA_verify, DSA_do_verify, and ECDSA_do_verify functions, which might allow remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature, a similar vulnerability to CVE-2008-5077. NOTE: a Linux vendor disputes the relevance of this report to the M2Crypto product because "these functions are not used anywhere in m2crypto. |

Information

Published : 2009-01-15 17:30

Updated : 2024-11-21 00:59


NVD link : CVE-2009-0127

Mitre link : CVE-2009-0127

CVE.ORG link : CVE-2009-0127



Products Affected

heikkitoivonen

  • m2crypto

CWE

CWE-287

Improper Authentication