[perl-LWP-Protocol-https/f19] Fix CVE-2014-3230
Petr Pisar
ppisar at fedoraproject.org
Tue May 13 12:56:22 UTC 2014
commit c429e72946cb0f3f39dcefdd4a109b225c9a756a
Author: Petr Písař <ppisar at redhat.com>
Date: Mon May 12 14:35:25 2014 +0200
Fix CVE-2014-3230
...76-don-t-disale-verification-if-only-host.patch | 30 ++++++++++++
...76-fix-test-make-it-workable-for-Crypt-SS.patch | 38 +++++++++++++++
...tificate-verification-in-IO-Socket-SSL-on.patch | 48 ++++++++++++++++++++
perl-LWP-Protocol-https.spec | 19 +++++++-
4 files changed, 134 insertions(+), 1 deletions(-)
---
diff --git a/LWP-Protocol-https-6.04-Debian-746576-don-t-disale-verification-if-only-host.patch b/LWP-Protocol-https-6.04-Debian-746576-don-t-disale-verification-if-only-host.patch
new file mode 100644
index 0000000..876e719
--- /dev/null
+++ b/LWP-Protocol-https-6.04-Debian-746576-don-t-disale-verification-if-only-host.patch
@@ -0,0 +1,30 @@
+From 891f28d04e1130de506199b7a75373d55f61db6f Mon Sep 17 00:00:00 2001
+From: Steffen Ullrich <Steffen_Ullrich at genua.de>
+Date: Sat, 3 May 2014 23:04:36 +0200
+Subject: [PATCH 1/2] Debian #746576 - don't disale verification if only
+ hostnames should not be verified
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Petr Písař <ppisar at redhat.com>
+---
+ lib/LWP/Protocol/https.pm | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/LWP/Protocol/https.pm b/lib/LWP/Protocol/https.pm
+index f7230e2..f39422a 100644
+--- a/lib/LWP/Protocol/https.pm
++++ b/lib/LWP/Protocol/https.pm
+@@ -20,7 +20,7 @@ sub _extra_sock_opts
+ $ssl_opts{SSL_verifycn_scheme} = 'www';
+ }
+ else {
+- $ssl_opts{SSL_verify_mode} = 0;
++ $ssl_opts{SSL_verifycn_scheme} = 'none';
+ }
+ if ($ssl_opts{SSL_verify_mode}) {
+ unless (exists $ssl_opts{SSL_ca_file} || exists $ssl_opts{SSL_ca_path}) {
+--
+1.9.0
+
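Review bot: The new `else` branch line `$ssl_opts{SSL_verifycn_scheme} = 'none';` silently changes what `verify_hostname => 0` means — the removed line disabled peer-certificate verification outright, the new one only skips the hostname match and leaves `SSL_verify_mode` untouched — and nothing in the branch records that. A comment such as `# verify_hostname=>0 only skips the hostname check; SSL_verify_mode is left to the caller / IO::Socket::SSL default` would stop a later maintainer from re-adding `SSL_verify_mode = 0` here. Note that the following context line `if ($ssl_opts{SSL_verify_mode})` is now false in this branch unless the caller set the mode explicitly, so whatever the `SSL_ca_file`/`SSL_ca_path` check under it does is skipped for `verify_hostname => 0`. `_extra_sock_opts` continues outside the hunk.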
diff --git a/LWP-Protocol-https-6.04-Debian-746576-fix-test-make-it-workable-for-Crypt-SS.patch b/LWP-Protocol-https-6.04-Debian-746576-fix-test-make-it-workable-for-Crypt-SS.patch
new file mode 100644
index 0000000..90e6011
--- /dev/null
+++ b/LWP-Protocol-https-6.04-Debian-746576-fix-test-make-it-workable-for-Crypt-SS.patch
@@ -0,0 +1,38 @@
+From bc4478cb7fb9037418af8415fe1175332697bf72 Mon Sep 17 00:00:00 2001
+From: Steffen Ullrich <Steffen_Ullrich at genua.de>
+Date: Sun, 4 May 2014 09:14:13 +0200
+Subject: [PATCH 2/2] Debian #746576 - fix test, make it workable for
+ Crypt::SSLeay/Net::SSL too
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Petr Písař <ppisar at redhat.com>
+
+Petr Pisar: Ported to 6.04.
+
+Signed-off-by: Petr Písař <ppisar at redhat.com>
+---
+ lib/LWP/Protocol/https.pm | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/lib/LWP/Protocol/https.pm b/lib/LWP/Protocol/https.pm
+index f39422a..73020dc 100644
+--- a/lib/LWP/Protocol/https.pm
++++ b/lib/LWP/Protocol/https.pm
+@@ -20,7 +20,11 @@ sub _extra_sock_opts
+ $ssl_opts{SSL_verifycn_scheme} = 'www';
+ }
+ else {
+- $ssl_opts{SSL_verifycn_scheme} = 'none';
++ if ( $Net::HTTPS::SSL_SOCKET_CLASS eq 'Net::SSL' ) {
++ $ssl_opts{SSL_verifycn_scheme} = '';
++ } else {
++ $ssl_opts{SSL_verifycn_scheme} = 'none';
++ }
+ }
+ if ($ssl_opts{SSL_verify_mode}) {
+ unless (exists $ssl_opts{SSL_ca_file} || exists $ssl_opts{SSL_ca_path}) {
+--
+1.9.0
+
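Review bot: The new `if ( $Net::HTTPS::SSL_SOCKET_CLASS eq 'Net::SSL' )` compares a package variable owned by another module with `eq`; if it can be undefined when `_extra_sock_opts` runs, the comparison emits an uninitialized-value warning under `use warnings`, so `( defined $Net::HTTPS::SSL_SOCKET_CLASS && $Net::HTTPS::SSL_SOCKET_CLASS eq 'Net::SSL' )` would be safer — whether Net::HTTPS always sets it before this point is not visible here. The branch also lacks a why-comment; the patch subject only says it makes the code workable for Crypt::SSLeay/Net::SSL, so `# Net::SSL (Crypt::SSLeay) backend: empty scheme instead of 'none' — see Debian #746576` would record the reason next to the code. The nested subject still reads "fix test" although the ported hunk changes `lib/LWP/Protocol/https.pm`, which is confusing next to the `Ported to 6.04` note. The enclosing sub continues outside the hunk.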
diff --git a/LWP-Protocol-https-6.04-Disable-certificate-verification-in-IO-Socket-SSL-on.patch b/LWP-Protocol-https-6.04-Disable-certificate-verification-in-IO-Socket-SSL-on.patch
new file mode 100644
index 0000000..e1992ce
--- /dev/null
+++ b/LWP-Protocol-https-6.04-Disable-certificate-verification-in-IO-Socket-SSL-on.patch
@@ -0,0 +1,48 @@
+From 416909268c7b9e6553160a840655f3be25a8fb7f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar at redhat.com>
+Date: Tue, 13 May 2014 13:59:12 +0200
+Subject: [PATCH] Disable certificate verification in IO::Socket::SSL only if
+ verify_hostname==0 and CA certificate is not defined by environment
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+IO::Socket::SSL before 1.950 defaulted to disabled certificate
+verification and warned about that loudly.
+
+LWP::Protocol::https 6.04 test suite expects no warnings by testing
+LWP::UserAgent->new(ssl_opts=>{verify_hostname=>0})->get(q{https://localhost/}).
+Therefore 6.04 set SSL_verify_mode explictly to 0 (SSL_VERIFY_NONE).
+
+This broke certificate validation when HTTPS_CA_FILE environment
+variable was set.
+
+This patch sets SSL_verify_mode to 0 (SSL_VERIFY_NONE) only if
+verify_hostname was explicitly set to 0 and HTTPS_CA_FILE was not set.
+This allows to respect HTTPS_CA_FILE as well as implicit and explicit
+verify_hostname==1 and explicit SSL_verify_mode.
+
+This patch could set SSL_verify_mode to 1 (SSL_VERIFY_PEER), but that would
+break pre-1.950 IO::Socket::SSL behavior defaulting to no peer
+certificate verification.
+
+Signed-off-by: Petr Písař <ppisar at redhat.com>
+---
+ lib/LWP/Protocol/https.pm | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/LWP/Protocol/https.pm b/lib/LWP/Protocol/https.pm
+index 73020dc..7c45fd2 100644
+--- a/lib/LWP/Protocol/https.pm
++++ b/lib/LWP/Protocol/https.pm
+@@ -24,6 +24,7 @@ sub _extra_sock_opts
+ $ssl_opts{SSL_verifycn_scheme} = '';
+ } else {
+ $ssl_opts{SSL_verifycn_scheme} = 'none';
++ $ssl_opts{SSL_verify_mode} ||= 0;
+ }
+ }
+ if ($ssl_opts{SSL_verify_mode}) {
+--
+1.9.0
+
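Review bot: The added `$ssl_opts{SSL_verify_mode} ||= 0;` does not change the outcome of the `if ($ssl_opts{SSL_verify_mode})` test two lines below; its only effect is that the key exists with an explicit 0 (SSL_VERIFY_NONE) when the caller did not set it, so IO::Socket::SSL is told to verify nothing instead of applying its own default. The commit message says this happens only when HTTPS_CA_FILE is unset, but no such condition is visible in the hunk — if it is enforced elsewhere in `_extra_sock_opts` (outside the hunk) a comment here should point to it, otherwise the message overstates what the code does. Read cold the `||= 0` looks like a no-op, so it deserves a why-comment such as `# explicit SSL_VERIFY_NONE for verify_hostname=>0: keeps pre-1.950 IO::Socket::SSL behaviour, see commit message`.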
diff --git a/perl-LWP-Protocol-https.spec b/perl-LWP-Protocol-https.spec
index f1899fe..3edb3db 100644
--- a/perl-LWP-Protocol-https.spec
+++ b/perl-LWP-Protocol-https.spec
@@ -1,11 +1,21 @@
Name: perl-LWP-Protocol-https
Version: 6.04
-Release: 1%{?dist}
+Release: 2%{?dist}
Summary: Provide HTTPS support for LWP::UserAgent
License: GPL+ or Artistic
Group: Development/Libraries
URL: http://search.cpan.org/dist/LWP-Protocol-https/
Source0: http://www.cpan.org/authors/id/G/GA/GAAS/LWP-Protocol-https-%{version}.tar.gz
+# Fix CVE-2014-3230, bug #1094442,
+# proposed in https://github.com/libwww-perl/lwp-protocol-https/pull/14
+Patch0: LWP-Protocol-https-6.04-Debian-746576-don-t-disale-verification-if-only-host.patch
+# Fix CVE-2014-3230, bug #1094442,
+# proposed in https://github.com/libwww-perl/lwp-protocol-https/pull/14
+Patch1: LWP-Protocol-https-6.04-Debian-746576-fix-test-make-it-workable-for-Crypt-SS.patch
+# Disable certificate verification in IO::Socket::SSL only if
+# verify_hostname==0 and CA certificate is not defined by environment,
+# related to CVE-2014-3230, needed for backward compatibility, bug #1094442,
+Patch2: LWP-Protocol-https-6.04-Disable-certificate-verification-in-IO-Socket-SSL-on.patch
BuildArch: noarch
BuildRequires: perl(ExtUtils::MakeMaker)
# Run-requires
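Review bot: The comment block above `Patch2:` ends with a dangling comma after `bug #1094442,` on the `related to CVE-2014-3230 ...` line; drop the comma or finish the sentence. The comments above `Patch0:` and `Patch1:` are identical, so a reader cannot tell that Patch1 is the Crypt::SSLeay/Net::SSL compatibility follow-up rather than the fix itself; `# Make the CVE-2014-3230 fix work with Crypt::SSLeay/Net::SSL too (Debian #746576)` would distinguish them. The `disale` typo in the Patch0 file name is inherited from the upstream subject; since the file is new in this commit, renaming it is an option.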
@@ -32,6 +42,9 @@ access sites using HTTP over SSL/TLS.
%prep
%setup -q -n LWP-Protocol-https-%{version}
+%patch0 -p1
+%patch1 -p1
+%patch2 -p1
%build
%{__perl} Makefile.PL INSTALLDIRS=vendor
@@ -52,6 +65,10 @@ make test
%{_mandir}/man3/*
%changelog
+* Mon May 12 2014 Petr Pisar <ppisar at redhat.com> - 6.04-2
+- Fix CVE-2014-3230 (incorrect handling of SSL certificate verification if
+ HTTPS_CA_DIR or HTTPS_CA_FILE environment variables are set) (bug #1094442)
+
* Thu May 02 2013 Petr Pisar <ppisar at redhat.com> - 6.04-1
- 6.04 bump