Submitted by: Ivan Nestlerode <inestlerode@us.ibm.com>

Approved by: steve@openssl.org

Check return code properly in CMS_SignerInfo_verify_content().

diff --git a/CHANGES b/CHANGES
index 37f8ee52099f9ba96ec197e28a37892607e9c118..4d5295c16be5f3a7d5ac57cf754b70c22e1bee79 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,11 @@
 
  Changes between 0.9.8j and 0.9.8k  [xx XXX xxxx]
 
+  *) Fix bug where return value of CMS_SignerInfo_verify_content() was not
+     checked correctly. This would allow some invalid signed attributes to
+     appear to verify correctly. (CVE-2009-0591)
+     [Ivan Nestlerode <inestlerode@us.ibm.com>]
+
   *) Reject UniversalString and BMPString types with invalid lengths. This
      prevents a crash in ASN1_STRING_print_ex() which assumes the strings have
      a legal length. (CVE-2009-0590)

diff --git a/crypto/cms/cms_smime.c b/crypto/cms/cms_smime.c
index cf62c68112ee47701bd95300d7ccc839e17ab031..f35883aa22b3bf1bfe6822a1bd440183bb5d0a8c 100644 (file)
--- a/crypto/cms/cms_smime.c
+++ b/crypto/cms/cms_smime.c
@@ -425,7 +425,7 @@ int CMS_verify(CMS_ContentInfo *cms, STACK_OF(X509) *certs,
                for (i = 0; i < sk_CMS_SignerInfo_num(sinfos); i++)
                        {
                        si = sk_CMS_SignerInfo_value(sinfos, i);
-                       if (!CMS_SignerInfo_verify_content(si, cmsbio))
+                       if (CMS_SignerInfo_verify_content(si, cmsbio) <= 0)
                                {
                                CMSerr(CMS_F_CMS_VERIFY,
                                        CMS_R_CONTENT_VERIFY_ERROR);