diff options
author | Soumya <soumya.sambu@windriver.com> | 2023-07-18 03:06:36 +0000 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2023-07-21 11:52:26 +0100 |
commit | c80fafccafbfd1bf75d847d3ca05b444abf49495 (patch) | |
tree | c3837d3e6c29cd3ca8caa28c16a7df630a562122 /meta/recipes-devtools/perl/files | |
parent | 849b0dcebbae6d7f59c701fb2faeafdb8bd637e3 (diff) | |
download | poky-c80fafccafbfd1bf75d847d3ca05b444abf49495.tar.gz |
perl: Fix CVE-2023-31486
HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available
standalone on CPAN, has an insecure default TLS configuration where
users must opt in to verify certificates.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-31486
Upstream patches:
https://github.com/chansen/p5-http-tiny/commit/77f557ef84698efeb6eed04e4a9704eaf85b741d
https://github.com/chansen/p5-http-tiny/commit/a22785783b17cbaa28afaee4a024d81a1903701d
(From OE-Core rev: e021fcc420b15d96b32f77f2b38324651dbd454c)
Signed-off-by: Soumya <soumya.sambu@windriver.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools/perl/files')
-rw-r--r-- | meta/recipes-devtools/perl/files/CVE-2023-31486-0001.patch | 217 | ||||
-rw-r--r-- | meta/recipes-devtools/perl/files/CVE-2023-31486-0002.patch | 36 |
2 files changed, 253 insertions, 0 deletions
diff --git a/meta/recipes-devtools/perl/files/CVE-2023-31486-0001.patch b/meta/recipes-devtools/perl/files/CVE-2023-31486-0001.patch new file mode 100644 index 0000000000..0531e1f099 --- /dev/null +++ b/meta/recipes-devtools/perl/files/CVE-2023-31486-0001.patch | |||
@@ -0,0 +1,217 @@ | |||
1 | From 77f557ef84698efeb6eed04e4a9704eaf85b741d | ||
2 | From: Stig Palmquist <git@stig.io> | ||
3 | Date: Mon Jun 5 16:46:22 2023 +0200 | ||
4 | Subject: [PATCH] Change verify_SSL default to 1, add ENV var to enable | ||
5 | insecure default | ||
6 | |||
7 | - Changes the `verify_SSL` default parameter from `0` to `1` | ||
8 | |||
9 | Based on patch by Dominic Hargreaves: | ||
10 | https://salsa.debian.org/perl-team/interpreter/perl/-/commit/1490431e40e22052f75a0b3449f1f53cbd27ba92 | ||
11 | |||
12 | CVE: CVE-2023-31486 | ||
13 | |||
14 | - Add check for `$ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT}` that | ||
15 | enables the previous insecure default behaviour if set to `1`. | ||
16 | |||
17 | This provides a workaround for users who encounter problems with the | ||
18 | new `verify_SSL` default. | ||
19 | |||
20 | Example to disable certificate checks: | ||
21 | ``` | ||
22 | $ PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT=1 ./script.pl | ||
23 | ``` | ||
24 | |||
25 | - Updates to documentation: | ||
26 | - Describe changing the verify_SSL value | ||
27 | - Describe the escape-hatch environment variable | ||
28 | - Remove rationale for not enabling verify_SSL | ||
29 | - Add missing certificate search paths | ||
30 | - Replace "SSL" with "TLS/SSL" where appropriate | ||
31 | - Use "machine-in-the-middle" instead of "man-in-the-middle" | ||
32 | |||
33 | Upstream-Status: Backport [https://github.com/chansen/p5-http-tiny/commit/77f557ef84698efeb6eed04e4a9704eaf85b741d] | ||
34 | |||
35 | Signed-off-by: Soumya <soumya.sambu@windriver.com> | ||
36 | --- | ||
37 | cpan/HTTP-Tiny/lib/HTTP/Tiny.pm | 86 ++++++++++++++++++++++----------- | ||
38 | 1 file changed, 57 insertions(+), 29 deletions(-) | ||
39 | |||
40 | diff --git a/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm b/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm | ||
41 | index 83ca06d..ebc34a1 100644 | ||
42 | --- a/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm | ||
43 | +++ b/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm | ||
44 | @@ -40,10 +40,14 @@ sub _croak { require Carp; Carp::croak(@_) } | ||
45 | #pod * C<timeout> — Request timeout in seconds (default is 60) If a socket open, | ||
46 | #pod read or write takes longer than the timeout, the request response status code | ||
47 | #pod will be 599. | ||
48 | -#pod * C<verify_SSL> — A boolean that indicates whether to validate the SSL | ||
49 | -#pod certificate of an C<https> — connection (default is false) | ||
50 | +#pod * C<verify_SSL> — A boolean that indicates whether to validate the TLS/SSL | ||
51 | +#pod certificate of an C<https> — connection (default is true). Changed from false | ||
52 | +#pod to true in version 0.083. | ||
53 | #pod * C<SSL_options> — A hashref of C<SSL_*> — options to pass through to | ||
54 | #pod L<IO::Socket::SSL> | ||
55 | +#pod * C<$ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT}> - Changes the default | ||
56 | +#pod certificate verification behavior to not check server identity if set to 1. | ||
57 | +#pod Only effective if C<verify_SSL> is not set. Added in version 0.083. | ||
58 | #pod | ||
59 | #pod An accessor/mutator method exists for each attribute. | ||
60 | #pod | ||
61 | @@ -111,11 +115,17 @@ sub timeout { | ||
62 | sub new { | ||
63 | my($class, %args) = @_; | ||
64 | |||
65 | + # Support lower case verify_ssl argument, but only if verify_SSL is not | ||
66 | + # true. | ||
67 | + if ( exists $args{verify_ssl} ) { | ||
68 | + $args{verify_SSL} ||= $args{verify_ssl}; | ||
69 | + } | ||
70 | + | ||
71 | my $self = { | ||
72 | max_redirect => 5, | ||
73 | timeout => defined $args{timeout} ? $args{timeout} : 60, | ||
74 | keep_alive => 1, | ||
75 | - verify_SSL => $args{verify_SSL} || $args{verify_ssl} || 0, # no verification by default | ||
76 | + verify_SSL => defined $args{verify_SSL} ? $args{verify_SSL} : _verify_SSL_default(), | ||
77 | no_proxy => $ENV{no_proxy}, | ||
78 | }; | ||
79 | |||
80 | @@ -134,6 +144,13 @@ sub new { | ||
81 | return $self; | ||
82 | } | ||
83 | |||
84 | +sub _verify_SSL_default { | ||
85 | + my ($self) = @_; | ||
86 | + # Check if insecure default certificate verification behaviour has been | ||
87 | + # changed by the user by setting PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT=1 | ||
88 | + return (($ENV{PERL_HTTP_TINY_INSECURE_BY_DEFAULT} || '') eq '1') ? 0 : 1; | ||
89 | +} | ||
90 | + | ||
91 | sub _set_proxies { | ||
92 | my ($self) = @_; | ||
93 | |||
94 | @@ -1055,7 +1072,7 @@ sub new { | ||
95 | timeout => 60, | ||
96 | max_line_size => 16384, | ||
97 | max_header_lines => 64, | ||
98 | - verify_SSL => 0, | ||
99 | + verify_SSL => HTTP::Tiny::_verify_SSL_default(), | ||
100 | SSL_options => {}, | ||
101 | %args | ||
102 | }, $class; | ||
103 | @@ -2043,11 +2060,11 @@ proxy | ||
104 | timeout | ||
105 | verify_SSL | ||
106 | |||
107 | -=head1 SSL SUPPORT | ||
108 | +=head1 TLS/SSL SUPPORT | ||
109 | |||
110 | Direct C<https> connections are supported only if L<IO::Socket::SSL> 1.56 or | ||
111 | greater and L<Net::SSLeay> 1.49 or greater are installed. An error will occur | ||
112 | -if new enough versions of these modules are not installed or if the SSL | ||
113 | +if new enough versions of these modules are not installed or if the TLS | ||
114 | encryption fails. You can also use C<HTTP::Tiny::can_ssl()> utility function | ||
115 | that returns boolean to see if the required modules are installed. | ||
116 | |||
117 | @@ -2055,7 +2072,7 @@ An C<https> connection may be made via an C<http> proxy that supports the CONNEC | ||
118 | command (i.e. RFC 2817). You may not proxy C<https> via a proxy that itself | ||
119 | requires C<https> to communicate. | ||
120 | |||
121 | -SSL provides two distinct capabilities: | ||
122 | +TLS/SSL provides two distinct capabilities: | ||
123 | |||
124 | =over 4 | ||
125 | |||
126 | @@ -2069,24 +2086,17 @@ Verification of server identity | ||
127 | |||
128 | =back | ||
129 | |||
130 | -B<By default, HTTP::Tiny does not verify server identity>. | ||
131 | - | ||
132 | -Server identity verification is controversial and potentially tricky because it | ||
133 | -depends on a (usually paid) third-party Certificate Authority (CA) trust model | ||
134 | -to validate a certificate as legitimate. This discriminates against servers | ||
135 | -with self-signed certificates or certificates signed by free, community-driven | ||
136 | -CA's such as L<CAcert.org|http://cacert.org>. | ||
137 | +B<By default, HTTP::Tiny verifies server identity>. | ||
138 | |||
139 | -By default, HTTP::Tiny does not make any assumptions about your trust model, | ||
140 | -threat level or risk tolerance. It just aims to give you an encrypted channel | ||
141 | -when you need one. | ||
142 | +This was changed in version 0.083 due to security concerns. The previous default | ||
143 | +behavior can be enabled by setting C<$ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT}> | ||
144 | +to 1. | ||
145 | |||
146 | -Setting the C<verify_SSL> attribute to a true value will make HTTP::Tiny verify | ||
147 | -that an SSL connection has a valid SSL certificate corresponding to the host | ||
148 | -name of the connection and that the SSL certificate has been verified by a CA. | ||
149 | -Assuming you trust the CA, this will protect against a L<man-in-the-middle | ||
150 | -attack|http://en.wikipedia.org/wiki/Man-in-the-middle_attack>. If you are | ||
151 | -concerned about security, you should enable this option. | ||
152 | +Verification is done by checking that that the TLS/SSL connection has a valid | ||
153 | +certificate corresponding to the host name of the connection and that the | ||
154 | +certificate has been verified by a CA. Assuming you trust the CA, this will | ||
155 | +protect against L<machine-in-the-middle | ||
156 | +attacks|http://en.wikipedia.org/wiki/Machine-in-the-middle_attack>. | ||
157 | |||
158 | Certificate verification requires a file containing trusted CA certificates. | ||
159 | |||
160 | @@ -2094,9 +2104,7 @@ If the environment variable C<SSL_CERT_FILE> is present, HTTP::Tiny | ||
161 | will try to find a CA certificate file in that location. | ||
162 | |||
163 | If the L<Mozilla::CA> module is installed, HTTP::Tiny will use the CA file | ||
164 | -included with it as a source of trusted CA's. (This means you trust Mozilla, | ||
165 | -the author of Mozilla::CA, the CPAN mirror where you got Mozilla::CA, the | ||
166 | -toolchain used to install it, and your operating system security, right?) | ||
167 | +included with it as a source of trusted CA's. | ||
168 | |||
169 | If that module is not available, then HTTP::Tiny will search several | ||
170 | system-specific default locations for a CA certificate file: | ||
171 | @@ -2115,13 +2123,33 @@ system-specific default locations for a CA certificate file: | ||
172 | |||
173 | /etc/ssl/ca-bundle.pem | ||
174 | |||
175 | +=item * | ||
176 | + | ||
177 | +/etc/openssl/certs/ca-certificates.crt | ||
178 | + | ||
179 | +=item * | ||
180 | + | ||
181 | +/etc/ssl/cert.pem | ||
182 | + | ||
183 | +=item * | ||
184 | + | ||
185 | +/usr/local/share/certs/ca-root-nss.crt | ||
186 | + | ||
187 | +=item * | ||
188 | + | ||
189 | +/etc/pki/tls/cacert.pem | ||
190 | + | ||
191 | +=item * | ||
192 | + | ||
193 | +/etc/certs/ca-certificates.crt | ||
194 | + | ||
195 | =back | ||
196 | |||
197 | An error will be occur if C<verify_SSL> is true and no CA certificate file | ||
198 | is available. | ||
199 | |||
200 | -If you desire complete control over SSL connections, the C<SSL_options> attribute | ||
201 | -lets you provide a hash reference that will be passed through to | ||
202 | +If you desire complete control over TLS/SSL connections, the C<SSL_options> | ||
203 | +attribute lets you provide a hash reference that will be passed through to | ||
204 | C<IO::Socket::SSL::start_SSL()>, overriding any options set by HTTP::Tiny. For | ||
205 | example, to provide your own trusted CA file: | ||
206 | |||
207 | @@ -2131,7 +2159,7 @@ example, to provide your own trusted CA file: | ||
208 | |||
209 | The C<SSL_options> attribute could also be used for such things as providing a | ||
210 | client certificate for authentication to a server or controlling the choice of | ||
211 | -cipher used for the SSL connection. See L<IO::Socket::SSL> documentation for | ||
212 | +cipher used for the TLS/SSL connection. See L<IO::Socket::SSL> documentation for | ||
213 | details. | ||
214 | |||
215 | =head1 PROXY SUPPORT | ||
216 | -- | ||
217 | 2.40.0 | ||
diff --git a/meta/recipes-devtools/perl/files/CVE-2023-31486-0002.patch b/meta/recipes-devtools/perl/files/CVE-2023-31486-0002.patch new file mode 100644 index 0000000000..45452be389 --- /dev/null +++ b/meta/recipes-devtools/perl/files/CVE-2023-31486-0002.patch | |||
@@ -0,0 +1,36 @@ | |||
1 | From a22785783b17cbaa28afaee4a024d81a1903701d | ||
2 | From: Stig Palmquist <git@stig.io> | ||
3 | Date: Sun Jun 18 11:36:05 2023 +0200 | ||
4 | Subject: [PATCH] Fix incorrect env var name for verify_SSL default | ||
5 | |||
6 | The variable to override the verify_SSL default differed slightly in the | ||
7 | documentation from what was checked for in the code. | ||
8 | |||
9 | This commit makes the code use `PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT` | ||
10 | as documented, instead of `PERL_HTTP_TINY_INSECURE_BY_DEFAULT` which was | ||
11 | missing `SSL_` | ||
12 | |||
13 | CVE: CVE-2023-31486 | ||
14 | |||
15 | Upstream-Status: Backport [https://github.com/chansen/p5-http-tiny/commit/a22785783b17cbaa28afaee4a024d81a1903701d] | ||
16 | |||
17 | Signed-off-by: Soumya <soumya.sambu@windriver.com> | ||
18 | --- | ||
19 | cpan/HTTP-Tiny/lib/HTTP/Tiny.pm | 2 +- | ||
20 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
21 | |||
22 | diff --git a/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm b/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm | ||
23 | index ebc34a1..65ac8ff 100644 | ||
24 | --- a/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm | ||
25 | +++ b/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm | ||
26 | @@ -148,7 +148,7 @@ sub _verify_SSL_default { | ||
27 | my ($self) = @_; | ||
28 | # Check if insecure default certificate verification behaviour has been | ||
29 | # changed by the user by setting PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT=1 | ||
30 | - return (($ENV{PERL_HTTP_TINY_INSECURE_BY_DEFAULT} || '') eq '1') ? 0 : 1; | ||
31 | + return (($ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT} || '') eq '1') ? 0 : 1; | ||
32 | } | ||
33 | |||
34 | sub _set_proxies { | ||
35 | -- | ||
36 | 2.40.0 | ||