[VIM] CVE-2009-0125 (fwd)

security curmudgeon jericho at attrition.org
Tue Jan 20 23:09:26 UTC 2009


Renaud has contacted CVE about this, posting here for others.

---------- Forwarded message ----------
> From: Renaud Deraison <deraison at nessus.org>
> Date: January 18, 2009 10:43:29 PM CEST
> 
> I wanted to dispute the existence of CVE-2009-0125 (libnasl misusing the 
> return value of DSA_do_verify()) : while we do misuse this function (this is 
> a bug), it has absolutely no security ramification.
> 
> To give you some context, the function DSA_do_verify() is called by the nasl 
> function  dsa_do_verify() which is used when Nessus attempts to log into a 
> remote SSH server.
> 
> If an attacker were to control a rogue SSH server, then he would be better 
> off submitting a perfectly valid signature instead of a malformed one, and we 
> would log into it anyways. Hence, there is absolutely no security risk 
> associated with the misuse of this function.



More information about the VIM mailing list