[perl-LWP-Protocol-https] Fix CVE-2014-3230

Petr Pisar ppisar at fedoraproject.org
Mon May 12 12:46:34 UTC 2014


commit 22acb1b049ce25f561e5a3ea3be9aa4d89b97e5a
Author: Petr Písař <ppisar at redhat.com>
Date:   Mon May 12 14:35:25 2014 +0200

    Fix CVE-2014-3230

 ...76-don-t-disale-verification-if-only-host.patch |   30 ++++++++++++
 ...76-fix-test-make-it-workable-for-Crypt-SS.patch |   51 ++++++++++++++++++++
 perl-LWP-Protocol-https.spec                       |   15 +++++-
 3 files changed, 95 insertions(+), 1 deletions(-)
---
diff --git a/LWP-Protocol-https-6.06-Debian-746576-don-t-disale-verification-if-only-host.patch b/LWP-Protocol-https-6.06-Debian-746576-don-t-disale-verification-if-only-host.patch
new file mode 100644
index 0000000..31521ff
--- /dev/null
+++ b/LWP-Protocol-https-6.06-Debian-746576-don-t-disale-verification-if-only-host.patch
@@ -0,0 +1,30 @@
+From 1b924708663f457a4f7c25ed35d7dfb3bb5b334d Mon Sep 17 00:00:00 2001
+From: Steffen Ullrich <Steffen_Ullrich at genua.de>
+Date: Sat, 3 May 2014 23:04:36 +0200
+Subject: [PATCH 1/2] Debian #746576 - don't disale verification if only
+ hostnames should not be verified
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Petr Písař <ppisar at redhat.com>
+---
+ lib/LWP/Protocol/https.pm | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/LWP/Protocol/https.pm b/lib/LWP/Protocol/https.pm
+index a707917..8c87e81 100644
+--- a/lib/LWP/Protocol/https.pm
++++ b/lib/LWP/Protocol/https.pm
+@@ -21,7 +21,7 @@ sub _extra_sock_opts
+ 	$ssl_opts{SSL_verifycn_scheme} = 'www';
+     }
+     else {
+-	$ssl_opts{SSL_verify_mode} = 0;
++	$ssl_opts{SSL_verifycn_scheme} = 'none';
+     }
+     if ($ssl_opts{SSL_verify_mode}) {
+ 	unless (exists $ssl_opts{SSL_ca_file} || exists $ssl_opts{SSL_ca_path}) {
+-- 
+1.9.0
+
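Review bot: The replacement line in the else branch (`$ssl_opts{SSL_verifycn_scheme} = 'none';`) leaves SSL_verify_mode at whatever the lines above the hunk assigned, so peer-certificate checking now survives when only the hostname check is switched off, but nothing in the code records that intent, and the removed line shows this exact spot used to turn verification off entirely. A why-comment would keep the next maintainer from "simplifying" it back: `# Only skip the name check here; SSL_verify_mode is left untouched so the peer certificate is still validated (CVE-2014-3230)`. Whether SSL_verify_mode really defaults to verifying the peer on this path depends on the lines above the hunk, which are not visible here; _extra_sock_opts begins before and continues past this hunk. The second patch in this commit rewrites this same line again, so the comment belongs with the final form of the branch.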
diff --git a/LWP-Protocol-https-6.06-Debian-746576-fix-test-make-it-workable-for-Crypt-SS.patch b/LWP-Protocol-https-6.06-Debian-746576-fix-test-make-it-workable-for-Crypt-SS.patch
new file mode 100644
index 0000000..1e85dbe
--- /dev/null
+++ b/LWP-Protocol-https-6.06-Debian-746576-fix-test-make-it-workable-for-Crypt-SS.patch
@@ -0,0 +1,51 @@
+From 6b5c876de80451ee54de5d853de37a62e26bf6fe Mon Sep 17 00:00:00 2001
+From: Steffen Ullrich <Steffen_Ullrich at genua.de>
+Date: Sun, 4 May 2014 09:14:13 +0200
+Subject: [PATCH 2/2] Debian #746576 - fix test, make it workable for
+ Crypt::SSLeay/Net::SSL too
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Petr Písař <ppisar at redhat.com>
+---
+ lib/LWP/Protocol/https.pm | 6 +++++-
+ t/https_proxy.t           | 5 ++++-
+ 2 files changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/lib/LWP/Protocol/https.pm b/lib/LWP/Protocol/https.pm
+index 8c87e81..6223ddf 100644
+--- a/lib/LWP/Protocol/https.pm
++++ b/lib/LWP/Protocol/https.pm
+@@ -21,7 +21,11 @@ sub _extra_sock_opts
+ 	$ssl_opts{SSL_verifycn_scheme} = 'www';
+     }
+     else {
+-	$ssl_opts{SSL_verifycn_scheme} = 'none';
++	if ( $Net::HTTPS::SSL_SOCKET_CLASS eq 'Net::SSL' ) {
++	    $ssl_opts{SSL_verifycn_scheme} = '';
++	} else {
++	    $ssl_opts{SSL_verifycn_scheme} = 'none';
++	}
+     }
+     if ($ssl_opts{SSL_verify_mode}) {
+ 	unless (exists $ssl_opts{SSL_ca_file} || exists $ssl_opts{SSL_ca_path}) {
+diff --git a/t/https_proxy.t b/t/https_proxy.t
+index 5196960..c78345b 100644
+--- a/t/https_proxy.t
++++ b/t/https_proxy.t
+@@ -66,7 +66,10 @@ my %ua;
+ $ua{noproxy} = LWP::UserAgent->new(
+     keep_alive => 10, # size of connection cache
+     # server does not know the expected name and returns generic certificate
+-    ssl_opts => { verify_hostname => 0 }
++    ssl_opts => { 
++	verify_hostname => 0, 
++	SSL_ca_file => $cafile,
++    }
+ );
+ 
+ $ua{proxy} = LWP::UserAgent->new(
+-- 
+1.9.0
+
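Review bot: The inner if/else added to the else branch cuddles its else (`} else {`) while the enclosing branch two lines up uses the file's uncuddled form (`}` on its own line, then `else {`); match the surrounding style. The Net::SSL special case also needs a why-comment, because `''` next to `'none'` reads like a typo without one — the patch subject only says it makes the code "workable for Crypt::SSLeay/Net::SSL", so something like `# Net::SSL (Crypt::SSLeay) needs an empty scheme here instead of 'none' — confirm why before changing` is as much as the hunk supports. In t/https_proxy.t the new `ssl_opts => { ` and `verify_hostname => 0, ` lines carry trailing whitespace, and `$cafile` is referenced but declared outside the hunk, so confirm it is in scope at that point. _extra_sock_opts starts before and ends after the hunk.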
diff --git a/perl-LWP-Protocol-https.spec b/perl-LWP-Protocol-https.spec
index db8a51c..58fe8c0 100644
--- a/perl-LWP-Protocol-https.spec
+++ b/perl-LWP-Protocol-https.spec
@@ -1,11 +1,18 @@
 Name:           perl-LWP-Protocol-https
 Version:        6.06
-Release:        1%{?dist}
+Release:        2%{?dist}
 Summary:        Provide HTTPS support for LWP::UserAgent
 License:        GPL+ or Artistic
 Group:          Development/Libraries
 URL:            http://search.cpan.org/dist/LWP-Protocol-https/
 Source0:        http://www.cpan.org/authors/id/M/MS/MSCHILLI/LWP-Protocol-https-%{version}.tar.gz
+# Fix CVE-2014-3230, bug #1094442,
+# proposed in https://github.com/libwww-perl/lwp-protocol-https/pull/14
+Patch0:         LWP-Protocol-https-6.06-Debian-746576-don-t-disale-verification-if-only-host.patch
+# Fix CVE-2014-3230, bug #1094442,
+# proposed in https://github.com/libwww-perl/lwp-protocol-https/pull/14
+Patch1:         LWP-Protocol-https-6.06-Debian-746576-fix-test-make-it-workable-for-Crypt-SS.patch
+
 BuildArch:      noarch
 BuildRequires:  perl
 BuildRequires:  perl(ExtUtils::MakeMaker)
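Review bot: The two-line comment above Patch0 is repeated verbatim above Patch1; one comment covering both entries is easier to keep in sync, e.g. `# Fix CVE-2014-3230, bug #1094442; both patches proposed in https://github.com/libwww-perl/lwp-protocol-https/pull/14`. The Patch0 file name carries the upstream subject's "disale" typo, which is harmless but worth knowing since the same name is repeated in %prep.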
@@ -42,6 +49,8 @@ access sites using HTTP over SSL/TLS.
 
 %prep
 %setup -q -n LWP-Protocol-https-%{version}
+%patch0 -p1
+%patch1 -p1
 
 %build
 perl Makefile.PL INSTALLDIRS=vendor
@@ -61,6 +70,10 @@ make test
 %{_mandir}/man3/*
 
 %changelog
+* Mon May 12 2014 Petr Pisar <ppisar at redhat.com> - 6.06-2
+- Fix CVE-2014-3230 (incorrect handling of SSL certificate verification if
+  HTTPS_CA_DIR or HTTPS_CA_FILE environment variables are set) (bug #1094442)
+
 * Wed Apr 23 2014 Petr Pisar <ppisar at redhat.com> - 6.06-1
 - 6.06 bump
 

