Debian Security Advisory

DSA-1700-1 lasso -- incorrect API usage

Date Reported:
11 Jan 2009
Affected Packages:
lasso
Vulnerable:
Yes
Security database references:
In the Debian bugtracking system: Bug 511262.
In Mitre's CVE dictionary: CVE-2009-0050.
More information:

It was discovered that Lasso, a library for Liberty Alliance and SAML protocols performs incorrect validation of the return value of OpenSSL's DSA_verify() function.

For the stable distribution (etch), this problem has been fixed in version 0.6.5-3+etch1.

For the upcoming stable distribution (lenny) and the unstable distribution (sid), this problem has been fixed in version 2.2.1-2.

We recommend that you upgrade your lasso package.

Fixed in:

Debian GNU/Linux 4.0 (etch)

Source:
http://security.debian.org/pool/updates/main/l/lasso/lasso_0.6.5-3+etch1.diff.gz
http://security.debian.org/pool/updates/main/l/lasso/lasso_0.6.5.orig.tar.gz
http://security.debian.org/pool/updates/main/l/lasso/lasso_0.6.5-3+etch1.dsc
Alpha:
http://security.debian.org/pool/updates/main/l/lasso/python-lasso_0.6.5-3+etch1_alpha.deb
http://security.debian.org/pool/updates/main/l/lasso/liblasso-java_0.6.5-3+etch1_alpha.deb
http://security.debian.org/pool/updates/main/l/lasso/liblasso3-dev_0.6.5-3+etch1_alpha.deb
http://security.debian.org/pool/updates/main/l/lasso/php4-lasso_0.6.5-3+etch1_alpha.deb
http://security.debian.org/pool/updates/main/l/lasso/liblasso3_0.6.5-3+etch1_alpha.deb
AMD64:
http://security.debian.org/pool/updates/main/l/lasso/liblasso-java_0.6.5-3+etch1_amd64.deb
http://security.debian.org/pool/updates/main/l/lasso/liblasso3_0.6.5-3+etch1_amd64.deb
http://security.debian.org/pool/updates/main/l/lasso/python-lasso_0.6.5-3+etch1_amd64.deb
http://security.debian.org/pool/updates/main/l/lasso/liblasso3-dev_0.6.5-3+etch1_amd64.deb
http://security.debian.org/pool/updates/main/l/lasso/php4-lasso_0.6.5-3+etch1_amd64.deb
ARM:
http://security.debian.org/pool/updates/main/l/lasso/python-lasso_0.6.5-3+etch1_arm.deb
http://security.debian.org/pool/updates/main/l/lasso/php4-lasso_0.6.5-3+etch1_arm.deb
http://security.debian.org/pool/updates/main/l/lasso/liblasso3_0.6.5-3+etch1_arm.deb
http://security.debian.org/pool/updates/main/l/lasso/liblasso-java_0.6.5-3+etch1_arm.deb
http://security.debian.org/pool/updates/main/l/lasso/liblasso3-dev_0.6.5-3+etch1_arm.deb
HP Precision:
http://security.debian.org/pool/updates/main/l/lasso/python-lasso_0.6.5-3+etch1_hppa.deb
http://security.debian.org/pool/updates/main/l/lasso/php4-lasso_0.6.5-3+etch1_hppa.deb
http://security.debian.org/pool/updates/main/l/lasso/liblasso3_0.6.5-3+etch1_hppa.deb
http://security.debian.org/pool/updates/main/l/lasso/liblasso-java_0.6.5-3+etch1_hppa.deb
http://security.debian.org/pool/updates/main/l/lasso/liblasso3-dev_0.6.5-3+etch1_hppa.deb
Intel IA-32:
http://security.debian.org/pool/updates/main/l/lasso/python-lasso_0.6.5-3+etch1_i386.deb
http://security.debian.org/pool/updates/main/l/lasso/php4-lasso_0.6.5-3+etch1_i386.deb
http://security.debian.org/pool/updates/main/l/lasso/liblasso-java_0.6.5-3+etch1_i386.deb
http://security.debian.org/pool/updates/main/l/lasso/liblasso3_0.6.5-3+etch1_i386.deb
http://security.debian.org/pool/updates/main/l/lasso/liblasso3-dev_0.6.5-3+etch1_i386.deb
Intel IA-64:
http://security.debian.org/pool/updates/main/l/lasso/liblasso-java_0.6.5-3+etch1_ia64.deb
http://security.debian.org/pool/updates/main/l/lasso/liblasso3-dev_0.6.5-3+etch1_ia64.deb
http://security.debian.org/pool/updates/main/l/lasso/liblasso3_0.6.5-3+etch1_ia64.deb
http://security.debian.org/pool/updates/main/l/lasso/php4-lasso_0.6.5-3+etch1_ia64.deb
http://security.debian.org/pool/updates/main/l/lasso/python-lasso_0.6.5-3+etch1_ia64.deb
Big-endian MIPS:
http://security.debian.org/pool/updates/main/l/lasso/liblasso3_0.6.5-3+etch1_mips.deb
http://security.debian.org/pool/updates/main/l/lasso/php4-lasso_0.6.5-3+etch1_mips.deb
http://security.debian.org/pool/updates/main/l/lasso/python-lasso_0.6.5-3+etch1_mips.deb
http://security.debian.org/pool/updates/main/l/lasso/liblasso-java_0.6.5-3+etch1_mips.deb
http://security.debian.org/pool/updates/main/l/lasso/liblasso3-dev_0.6.5-3+etch1_mips.deb
Little-endian MIPS:
http://security.debian.org/pool/updates/main/l/lasso/liblasso3_0.6.5-3+etch1_mipsel.deb
http://security.debian.org/pool/updates/main/l/lasso/liblasso3-dev_0.6.5-3+etch1_mipsel.deb
http://security.debian.org/pool/updates/main/l/lasso/php4-lasso_0.6.5-3+etch1_mipsel.deb
http://security.debian.org/pool/updates/main/l/lasso/python-lasso_0.6.5-3+etch1_mipsel.deb
http://security.debian.org/pool/updates/main/l/lasso/liblasso-java_0.6.5-3+etch1_mipsel.deb
PowerPC:
http://security.debian.org/pool/updates/main/l/lasso/php4-lasso_0.6.5-3+etch1_powerpc.deb
http://security.debian.org/pool/updates/main/l/lasso/liblasso-java_0.6.5-3+etch1_powerpc.deb
http://security.debian.org/pool/updates/main/l/lasso/liblasso3_0.6.5-3+etch1_powerpc.deb
http://security.debian.org/pool/updates/main/l/lasso/liblasso3-dev_0.6.5-3+etch1_powerpc.deb
http://security.debian.org/pool/updates/main/l/lasso/python-lasso_0.6.5-3+etch1_powerpc.deb
IBM S/390:
http://security.debian.org/pool/updates/main/l/lasso/php4-lasso_0.6.5-3+etch1_s390.deb
http://security.debian.org/pool/updates/main/l/lasso/liblasso-java_0.6.5-3+etch1_s390.deb
http://security.debian.org/pool/updates/main/l/lasso/python-lasso_0.6.5-3+etch1_s390.deb
http://security.debian.org/pool/updates/main/l/lasso/liblasso3_0.6.5-3+etch1_s390.deb
http://security.debian.org/pool/updates/main/l/lasso/liblasso3-dev_0.6.5-3+etch1_s390.deb
Sun Sparc:
http://security.debian.org/pool/updates/main/l/lasso/php4-lasso_0.6.5-3+etch1_sparc.deb
http://security.debian.org/pool/updates/main/l/lasso/liblasso3_0.6.5-3+etch1_sparc.deb
http://security.debian.org/pool/updates/main/l/lasso/liblasso-java_0.6.5-3+etch1_sparc.deb
http://security.debian.org/pool/updates/main/l/lasso/liblasso3-dev_0.6.5-3+etch1_sparc.deb
http://security.debian.org/pool/updates/main/l/lasso/python-lasso_0.6.5-3+etch1_sparc.deb

MD5 checksums of the listed files are available in the original advisory.