Package: opam
Version: 1.2.2-4.1
Severity: grave
Tags: patch security
Justification: user security hole

Dear Maintainer,

Currently opam forces curl/wget to not check the certificate, allowing a MITM to inject arbitrary code to users using opam, which eventually will likely be run by them.

This has been fixed upstream: https://github.com/ocaml/opam/commit/3d43295df3bb9e67e60801d319bf82c2c8a84d24

I have backported the patch to the current version of opam in Debian; see the attached file. I've also built this myself: https://people.debian.org/~infinity0/apt/pool/contrib/o/opam and installed it, ran it, and checked that things still work.

X

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'stable'), (300, 'unstable'), (200, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.3.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages opam depends on:
ii  build-essential  11.7
ii  curl             7.47.0-1
ii  libbz2-1.0       1.0.6-8
ii  libc6            2.21-9
ii  opam-docs        1.2.2-4.1
ii  tar              1.28-2.1
ii  unzip            6.0-20
ii  wget             1.17.1-1+b1
ii  zlib1g           1:1.2.8.dfsg-2+b1

Versions of packages opam recommends:
ii  aspcud     1:1.9.1-2
ii  darcs      2.10.2-1
ii  git        1:2.7.0-1
ii  mercurial  3.5.2-2
ii  ocaml      4.02.3-6
ii  rsync      3.1.1-3

opam suggests no packages.

-- no debconf information
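As an added example (not opam's code and not part of this report or the attached patch), the following Python audit checks downloader argument lists for flags that disable server certificate verification. It runs over a Python rendering of the wget and curl argument lists from opam's download code before and after the fix; RETRY, SRC and the example.invalid URL are assumed placeholders, not values from the report.

```python
"""Audit downloader argument lists for flags that disable TLS verification.

Added example, not opam's code.  The *_BEFORE / *_AFTER lists are a Python
rendering of the wget/curl argument lists before and after the fix; RETRY
and SRC are assumed placeholders for OpamGlobals.download_retry and the
download URL.
"""
import os
from typing import Dict, List, Sequence

# Assumed placeholders (constructed; not values taken from the report).
RETRY = "3"
SRC = "https://example.invalid/archive.tar.gz"

# Flags that turn off server certificate verification, per tool.
INSECURE_FLAGS: Dict[str, set] = {
    "wget": {"--no-check-certificate"},
    "curl": {"--insecure", "-k"},
}

# Constructed from the patch: argument lists before and after the fix.
WGET_BEFORE = ["wget", "--content-disposition", "--no-check-certificate",
               "-t", RETRY, SRC]
WGET_AFTER = ["wget", "--content-disposition", "-t", RETRY, SRC]
CURL_BEFORE = ["curl", "--write-out", "%{http_code}\\n", "--insecure",
               "--retry", RETRY, "--retry-delay", "2", "--compressed", "-OL", SRC]
CURL_AFTER = ["curl", "--write-out", "%{http_code}\\n",
              "--retry", RETRY, "--retry-delay", "2", "--compressed", "-OL", SRC]


def insecure_tls_flags(argv: Sequence[str]) -> List[str]:
    """Return the verification-disabling flags present in argv.

    argv[0] names the tool (a path is accepted).  Arguments after a bare
    "--" are operands and are not inspected.  curl bundles short options
    ("-kOL" means "-k -O -L"), so a short-option cluster containing "k"
    is reported as "-k".
    """
    if not argv:
        return []
    tool = os.path.basename(argv[0])
    flags = INSECURE_FLAGS.get(tool, set())
    found: List[str] = []
    for arg in argv[1:]:
        if arg == "--":
            break
        if arg in flags:
            found.append(arg)
        elif (tool == "curl" and len(arg) > 2 and arg[0] == "-"
              and arg[1] != "-" and "k" in arg[1:]):
            found.append("-k")
    return found


def audit(commands: Dict[str, Sequence[str]]) -> Dict[str, List[str]]:
    """Map each command name to the insecure flags found (empty list = clean)."""
    return {name: insecure_tls_flags(argv) for name, argv in commands.items()}


if __name__ == "__main__":
    report = audit({"wget_before": WGET_BEFORE, "wget_after": WGET_AFTER,
                    "curl_before": CURL_BEFORE, "curl_after": CURL_AFTER})
    for name, bad in report.items():
        print(f"{name}: {'INSECURE ' + ' '.join(bad) if bad else 'ok'}")
```

The check is meant to run in a package's test suite or a CI lint over the command lines a program actually builds, so that a verification bypass cannot be reintroduced silently; it deliberately inspects the argument list rather than grepping source text, which is why the bundled curl short option case is handled.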
Description: remove insecure / no-check-certificate flags (see mail on opam-devel, #55 #2006) Author: Hannes Mehnert <han...@mehnert.org> Applied-Upstream: 3d43295df3bb9e67e60801d319bf82c2c8a84d24 --- This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ --- a/src/core/opamSystem.ml +++ b/src/core/opamSystem.ml @@ -694,7 +694,7 @@ let retry = string_of_int OpamGlobals.download_retry in let wget ~compress:_ ?checksum:_ dir src = let wget_args = [ - "--content-disposition"; "--no-check-certificate"; + "--content-disposition"; "-t"; retry; src ] in @@ -704,7 +704,7 @@ in let curl command ~compress ?checksum:_ dir src = let curl_args = [ - "--write-out"; "%{http_code}\\n"; "--insecure"; + "--write-out"; "%{http_code}\\n"; "--retry"; retry; "--retry-delay"; "2"; ] @ (if compress then ["--compressed"] else []) @ [ "-OL"; src
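Review bot: in the wget hunk, dropping `--no-check-certificate` makes wget verify the server certificate against the system CA store, yet the dependency list in this report shows no `ca-certificates` package among opam's Depends; on a system without a CA bundle every HTTPS download would now fail verification instead of being checked, so the Debian package should declare a Depends (or at least Recommends) on `ca-certificates` together with this patch. The DEP-3 header's `Description:` cites `#55 #2006` without naming a tracker; a `Bug:` field with the full upstream issue URLs (and `Bug-Debian:` for this report) would make the cross-reference unambiguous.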
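Review bot: in the curl hunk, removing `--insecure` is the right change, but check how the caller parses the `--write-out "%{http_code}\n"` line this hunk leaves in place: with verification enabled, a certificate failure makes curl exit non-zero (exit code 60) before any HTTP status is printed, so the OCaml side must treat an empty or missing status line as a download failure rather than as status 0 or as a parse error. The `-OL` that follows means redirects are still followed, and each hop in the chain is now verified, which is the intended behaviour.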