Ticket #823 (closed Defect: fixed)

Opened 11 months ago

Last modified 1 week ago

boinc does not check the RSA_public_decrypt() return value

Reported by: mjakubicek
Assigned to: davea
Priority: Critical
Milestone: Undetermined
Component: Client - Daemon
Version: 6.6.37
Keywords: Security
Cc: mjakubicek

Change History

01/12/09 06:21:38 changed by chris49

http://openssl.org/news/secadv_20090107.txt

"...Recommendations for users of OpenSSL

Users of OpenSSL 0.9.8 should update to the OpenSSL 0.9.8j release which contains a patch to correct this issue...."

0.9.8j is working well; we should add test cases for OpenSSL communication on BOINC alpha test.

01/12/09 08:36:18 changed by davea

  • status changed from new to closed.
  • resolution set to fixed.

(In [16883]) - lib: check return values of RSA_*() functions.

Also fix a memory leak, missing RSA_free(). Fixes #823.

07/19/09 08:23:24 changed by mjakubicek

  • cc set to mjakubicek.
  • status changed from closed to reopened.
  • version changed from 6.4.5 to 6.6.37.
  • resolution deleted.

Reopening, it is still not fixed in the 6.6 branch. Please pay attention to fix bugs not only in trunk, but also in active branches, especially when it comes to security issues.

11/18/09 15:23:31 changed by romw

  • status changed from reopened to closed.
  • resolution set to fixed.

This was fixed in the 6.6a branch.
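
Added example (not BOINC's code and not part of the ticket): the bug class named in the ticket title, shown as an unchecked verify routine beside a checked one. toy_public_decrypt() is a hypothetical XOR stand-in that keeps only the return convention of RSA_public_decrypt() (size of the recovered digest, or -1 on error); the reused buffer and all inputs are constructed.

```c
#include <stdio.h>
#include <string.h>

#define DIGEST_LEN 16
#define TOY_KEY 0x5A

/* Hypothetical stand-in for RSA_public_decrypt(): toy XOR "decryption" that
   keeps only the return convention (recovered length, or -1 on error).
   Assumption: on error it leaves `to` untouched. */
static int toy_public_decrypt(int flen, const unsigned char *from, unsigned char *to) {
    if (flen != DIGEST_LEN) return -1;            /* malformed signature */
    for (int i = 0; i < flen; i++) to[i] = from[i] ^ TOY_KEY;
    return flen;
}

static unsigned char scratch[DIGEST_LEN];         /* buffer reused across calls */

/* Before: the return value is dropped, so a failed call is indistinguishable
   from a successful one and the stale buffer gets compared. */
static int verify_unchecked(const unsigned char *digest, const unsigned char *sig, int siglen) {
    toy_public_decrypt(siglen, sig, scratch);
    return memcmp(scratch, digest, DIGEST_LEN) == 0;
}

/* After: anything other than a full-length result is a verification failure. */
static int verify_checked(const unsigned char *digest, const unsigned char *sig, int siglen) {
    unsigned char out[DIGEST_LEN] = {0};
    int n = toy_public_decrypt(siglen, sig, out);
    if (n != DIGEST_LEN) return 0;                /* covers -1 and short output */
    return memcmp(out, digest, DIGEST_LEN) == 0;
}

typedef int (*verify_fn)(const unsigned char *, const unsigned char *, int);

/* Constructed input: verify a valid signature, then the same one truncated by
   a byte. Returns the verdict on the truncated one (1 = accepted). */
static int accepts_truncated(verify_fn verify) {
    unsigned char digest[DIGEST_LEN], sig[DIGEST_LEN];
    for (int i = 0; i < DIGEST_LEN; i++) { digest[i] = (unsigned char)(i + 1); sig[i] = digest[i] ^ TOY_KEY; }
    if (!verify(digest, sig, DIGEST_LEN)) return -1;
    return verify(digest, sig, DIGEST_LEN - 1);
}

int main(void) {
    printf("unchecked accepts truncated signature: %d\n", accepts_truncated(verify_unchecked));
    printf("checked accepts truncated signature:   %d\n", accepts_truncated(verify_checked));
    return 0;
}
```

The checked variant also decrypts into a fresh zeroed buffer, so a failed call cannot leave an earlier digest behind for the comparison.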

