Debian Bug report logs - #643680
python-m2crypto: SMIME verify without attributes allowing SMTP signatures causes Segmentation fault
Reported by: owen.synge@desy.de
Date: Wed, 28 Sep 2011 16:24:01 UTC
Severity: important
Found in version 0.20.1-1+b1
Done: Sandro Tosi <morph@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Dima Barsky <dima@debian.org>: Bug#643680; Package python-m2crypto. (Wed, 28 Sep 2011 16:24:04 GMT)
Acknowledgement sent to owen.synge@desy.de: New Bug report received and forwarded. Copy sent to Dima Barsky <dima@debian.org>. (Wed, 28 Sep 2011 16:24:04 GMT)
Message #5 received at submit@bugs.debian.org:
Package: python-m2crypto
Version: 0.20.1-1+b1
Severity: important
The main bug affects Debian stable only. Debian Unstable is not affected, and neither is Scientific Linux 5 and 6.
The below code will succeed with some X509 certs, and signed SMIME messages.
Its success depends upon the certificate attributes. If no attributes are present the code will succeed. If the attributes allow signing email the code will succeed; unfortunately, if it contains attributes and the attributes do not contain email the code will Segmentation fault.
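from M2Crypto import SMIME, X509
s = SMIME.SMIME()
# Certificates to search when looking for the signer's certificate
x509c = X509.load_cert('/tmp/hepix-ca/0829706c.0')
sk = X509.X509_Stack()
sk.push(x509c)
s.set_x509_stack(sk)
# Trusted certificates used for chain verification
st = X509.X509_Store()
st.load_info('/tmp/hepix-ca/0829706c.0')
s.set_x509_store(st)
# Load the signed S/MIME message from the file 'bill'
p7, data = SMIME.smime_load_pkcs7('bill')
# Third argument is the PKCS7 flags bitmask (1023 == 0x3FF)
v = s.verify(p7, data, 1023)
print(v)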
Since the following code does not know if the message was sent over SMTP the attributes should not affect behaviour, as SMIME and SMTP are independent according to specification. This second issue affects all versions of Debian.
-- System Information:
Debian Release: 6.0.2
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages python-m2crypto depends on:
ii libc6 2.11.2-10 Embedded GNU C Library: Shared lib
ii libssl0.9.8 0.9.8o-4squeeze2 SSL shared libraries
ii python 2.6.6-3+squeeze6 interactive high-level object-orie
ii python-support 1.0.10 automated rebuilding support for P
python-m2crypto recommends no packages.
python-m2crypto suggests no packages.
-- no debconf information
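The reproducer above passes 1023 as the flags argument to s.verify(). As an added example (not part of the bug report or of M2Crypto), the following decodes such a value against the PKCS7_* flag bits defined in OpenSSL's pkcs7.h and lists the bits that switch off checks during verification. The function names decode_flags and audit_verify_flags are hypothetical.

```python
# Added example: the ten low PKCS7 flag bits from OpenSSL's <openssl/pkcs7.h>.
PKCS7_FLAGS = {
    0x001: "PKCS7_TEXT",
    0x002: "PKCS7_NOCERTS",
    0x004: "PKCS7_NOSIGS",
    0x008: "PKCS7_NOCHAIN",
    0x010: "PKCS7_NOINTERN",
    0x020: "PKCS7_NOVERIFY",
    0x040: "PKCS7_DETACHED",
    0x080: "PKCS7_BINARY",
    0x100: "PKCS7_NOATTR",
    0x200: "PKCS7_NOSMIMECAP",
}

# Bits that disable a check inside PKCS7_verify(), per its manual page.
WEAKENING = {
    "PKCS7_NOSIGS": "signature over the content is not checked",
    "PKCS7_NOVERIFY": "signer certificate is not chain-verified",
}


def decode_flags(flags):
    """Return (names, other_bits) for a PKCS7 flags integer.

    other_bits holds any bits that fall outside the table above.
    """
    names = [name for bit, name in sorted(PKCS7_FLAGS.items()) if flags & bit]
    other_bits = flags & ~sum(PKCS7_FLAGS)
    return names, other_bits


def audit_verify_flags(flags):
    """Return one finding per flag that weakens a verify call."""
    names, other_bits = decode_flags(flags)
    findings = ["%s: %s" % (n, WEAKENING[n]) for n in names if n in WEAKENING]
    if other_bits:
        findings.append("bits outside the table are set: %#x" % other_bits)
    return findings


if __name__ == "__main__":
    # 1023 is the value used in the reproducer above.
    print(decode_flags(1023))
    for finding in audit_verify_flags(1023):
        print(finding)
```

A flags value of 1023 sets every bit in the table, including PKCS7_NOSIGS and PKCS7_NOVERIFY, so a successful return from that call does not show that the signature or the certificate chain was checked.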
Information forwarded to debian-bugs-dist@lists.debian.org, Daniel Stender <stender@debian.org>: Bug#643680; Package python-m2crypto. (Fri, 06 Oct 2017 23:15:03 GMT)
Acknowledgement sent to Matěj Cepl <mcepl@cepl.eu>: Extra info received and forwarded to list. Copy sent to Daniel Stender <stender@debian.org>. (Fri, 06 Oct 2017 23:15:03 GMT)
Message #10 received at 643680@bugs.debian.org:
Hi,
this is your happy upstream maintainer of M2Crypto. I tried to reproduce
this bug here, but I have failed so far. Could you be so kind and
provide some complete standalone testing script together with all data
files (certificates, etc.) needed for the reproduction, please?
If I can reproduce the problem, I will gladly try to fix it.
Thank you for reporting this,
Matěj Cepl
Reply sent to Sandro Tosi <morph@debian.org>: You have taken responsibility. (Fri, 24 Apr 2020 04:03:06 GMT)
Notification sent to owen.synge@desy.de: Bug acknowledged by developer. (Fri, 24 Apr 2020 04:03:06 GMT)
Message #15 received at 643680-done@bugs.debian.org:
On Sat, 7 Oct 2017 01:07:31 +0200 Matěj Cepl <mcepl@cepl.eu> wrote:
> Hi,
>
> this is your happy upstream maintainer of M2Crypto. I tried to reproduce
> this bug here, but I have failed so far. Could you be so kind and
> provide some complete standalone testing script together with all data
> files (certificates, etc.) needed for the reproduction, please?
>
> If I can reproduce the problem, I will gladly try to fix it.
Upstream replied 2 and a half years ago, but no update from the OP
since; closing
--
Sandro "morph" Tosi
My website: http://sandrotosi.me/
Me at Debian: http://wiki.debian.org/SandroTosi
Twitter: https://twitter.com/sandrotosi
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 22 May 2020 07:31:33 GMT)
Last modified: Sun May 5 18:48:14 2024