Re: [oe-core][PATCH 1/1] perl: Fix CVE-2023-31486
Sent v2 - https://lore.kernel.org/openembedded-core/20230718030636.1418247-1-soumya.sa...@windriver.com/T/#u

Regards,
Soumya

From: Alexandre Belloni
Sent: Monday, July 17, 2023 7:14 PM
To: Sambu, Soumya
Cc: openembedded-core@lists.openembedded.org ; st...@sakoman.com ; G Pillai, Hari
Subject: Re: [oe-core][PATCH 1/1] perl: Fix CVE-2023-31486

Hello, you pressed y instead of enter when git asked you what charset to use, so the patch doesn't apply. Can you resend?

On 14/07/2023 03:25:10+, Soumya via lists.openembedded.org wrote:
> HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available
> standalone on CPAN, has an insecure default TLS configuration where
> users must opt in to verify certificates.
>
> References:
> https://nvd.nist.gov/vuln/detail/CVE-2023-31486
>
> Upstream patches:
> https://github.com/chansen/p5-http-tiny/commit/77f557ef84698efeb6eed04e4a9704eaf85b741d
> https://github.com/chansen/p5-http-tiny/commit/a22785783b17cbaa28afaee4a024d81a1903701d
>
> Signed-off-by: Soumya
> ---
> .../perl/files/CVE-2023-31486-0001.patch | 217 ++
> .../perl/files/CVE-2023-31486-0002.patch | 36 +++
> meta/recipes-devtools/perl/perl_5.36.1.bb | 2 +
> 3 files changed, 255 insertions(+)
> create mode 100644 meta/recipes-devtools/perl/files/CVE-2023-31486-0001.patch
> create mode 100644 meta/recipes-devtools/perl/files/CVE-2023-31486-0002.patch
>
> diff --git a/meta/recipes-devtools/perl/files/CVE-2023-31486-0001.patch > b/meta/recipes-devtools/perl/files/CVE-2023-31486-0001.patch > new file mode 100644 > index 00..1074e0848d > --- /dev/null > +++ b/meta/recipes-devtools/perl/files/CVE-2023-31486-0001.patch
> @@ -0,0 +1,217 @@ > +From 77f557ef84698efeb6eed04e4a9704eaf85b741d > +From: Stig Palmquist > +Date: Mon Jun 5 16:46:22 2023 +0200 > +Subject: [PATCH] Change verify_SSL default to 1, add ENV var to enable > + insecure default > + > +- Changes the `verify_SSL` default parameter from `0` to `1` > + > + Based on patch by Dominic Hargreaves: > + > https://salsa.debian.org/perl-team/interpreter/perl/-/commit/1490431e40e22052f75a0b3449f1f53cbd27ba92 > + > + CVE: CVE-2023-31486 > + > +- Add check for `$ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT}` that > + enables the previous insecure default behaviour if set to `1`. > + > + This provides a workaround for users who encounter problems with the > + new `verify_SSL` default. > + > + Example to disable certificate checks: > + ``` > +$ PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT=1 ./script.pl > + ``` > + > +- Updates to documentation: > + - Describe changing the verify_SSL value > + - Describe the escape-hatch environment variable > + - Remove rationale for not enabling verify_SSL > + - Add missing certificate search paths > + - Replace "SSL" with "TLS/SSL" where appropriate > + - Use "machine-in-the-middle" instead of "man-in-the-middle" > + > +Upstream-Status: Backport > [https://github.com/chansen/p5-http-tiny/commit/77f557ef84698efeb6eed04e4a9704eaf85b741d] > + > +Signed-off-by: Soumya > +--- > + cpan/HTTP-Tiny/lib/HTTP/Tiny.pm | 86 ++--- > + 1 file changed, 57 insertions(+), 29 deletions(-) > + > +diff --git a/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm > b/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm > +index 83ca06d..ebc34a1 100644 > +--- a/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm > b/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm > +@@ -40,10 +40,14 @@ sub _croak { require Carp; Carp::croak(@_) } > + #pod * C — Request timeout in seconds (default is 60) If a socket > open, > + #pod read or write takes longer than the timeout, the request response > status code > + #pod will be 599. 
> +-#pod * C — A boolean that indicates whether to validate the SSL > +-#pod certificate of an C — connection (default is false) > ++#pod * C — A boolean that indicates whether to validate the > TLS/SSL > ++#pod certificate of an C — connection (default is true). Changed > from false > ++#pod to true in version 0.083. > + #pod * C — A hashref of C — options to pass through to > + #pod L > ++#pod * C<$ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT}> - Changes the default > ++#pod certificate verification behavior to not check server identity if > set to 1. > ++#pod Only effective if C is not set. Added in version 0.083. > + #pod > + #pod An accessor/mutator method exists for each attribute. > + #pod > +@@ -111,11 +115,17 @@ sub timeout { > + sub new { > +
Re: [oe-core][PATCH 1/1] perl: Fix CVE-2023-31486
Hello, you pressed y instead of enter when git asked you what charset to use, so the patch doesn't apply. Can you resend?

On 14/07/2023 03:25:10+, Soumya via lists.openembedded.org wrote:
> HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available
> standalone on CPAN, has an insecure default TLS configuration where
> users must opt in to verify certificates.
>
> References:
> https://nvd.nist.gov/vuln/detail/CVE-2023-31486
>
> Upstream patches:
> https://github.com/chansen/p5-http-tiny/commit/77f557ef84698efeb6eed04e4a9704eaf85b741d
> https://github.com/chansen/p5-http-tiny/commit/a22785783b17cbaa28afaee4a024d81a1903701d
>
> Signed-off-by: Soumya
> ---
> .../perl/files/CVE-2023-31486-0001.patch | 217 ++
> .../perl/files/CVE-2023-31486-0002.patch | 36 +++
> meta/recipes-devtools/perl/perl_5.36.1.bb | 2 +
> 3 files changed, 255 insertions(+)
> create mode 100644 meta/recipes-devtools/perl/files/CVE-2023-31486-0001.patch
> create mode 100644 meta/recipes-devtools/perl/files/CVE-2023-31486-0002.patch
>
> diff --git a/meta/recipes-devtools/perl/files/CVE-2023-31486-0001.patch > b/meta/recipes-devtools/perl/files/CVE-2023-31486-0001.patch > new file mode 100644 > index 00..1074e0848d > --- /dev/null > +++ b/meta/recipes-devtools/perl/files/CVE-2023-31486-0001.patch
> @@ -0,0 +1,217 @@ > +From 77f557ef84698efeb6eed04e4a9704eaf85b741d > +From: Stig Palmquist > +Date: Mon Jun 5 16:46:22 2023 +0200 > +Subject: [PATCH] Change verify_SSL default to 1, add ENV var to enable > + insecure default > + > +- Changes the `verify_SSL` default parameter from `0` to `1` > + > + Based on patch by Dominic Hargreaves: > + > https://salsa.debian.org/perl-team/interpreter/perl/-/commit/1490431e40e22052f75a0b3449f1f53cbd27ba92 > + > + CVE: CVE-2023-31486 > + > +- Add check for `$ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT}` that > + enables the previous insecure default behaviour if set to `1`. > + > + This provides a workaround for users who encounter problems with the > + new `verify_SSL` default. > + > + Example to disable certificate checks: > + ``` > +$ PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT=1 ./script.pl > + ``` > + > +- Updates to documentation: > + - Describe changing the verify_SSL value > + - Describe the escape-hatch environment variable > + - Remove rationale for not enabling verify_SSL > + - Add missing certificate search paths > + - Replace "SSL" with "TLS/SSL" where appropriate > + - Use "machine-in-the-middle" instead of "man-in-the-middle" > + > +Upstream-Status: Backport > [https://github.com/chansen/p5-http-tiny/commit/77f557ef84698efeb6eed04e4a9704eaf85b741d] > + > +Signed-off-by: Soumya > +--- > + cpan/HTTP-Tiny/lib/HTTP/Tiny.pm | 86 ++--- > + 1 file changed, 57 insertions(+), 29 deletions(-) > + > +diff --git a/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm > b/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm > +index 83ca06d..ebc34a1 100644 > +--- a/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm > b/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm > +@@ -40,10 +40,14 @@ sub _croak { require Carp; Carp::croak(@_) } > + #pod * C — Request timeout in seconds (default is 60) If a socket > open, > + #pod read or write takes longer than the timeout, the request response > status code > + #pod will be 599. 
> +-#pod * C — A boolean that indicates whether to validate the SSL > +-#pod certificate of an C — connection (default is false) > ++#pod * C — A boolean that indicates whether to validate the > TLS/SSL > ++#pod certificate of an C — connection (default is true). Changed > from false > ++#pod to true in version 0.083. > + #pod * C — A hashref of C — options to pass through to > + #pod L > ++#pod * C<$ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT}> - Changes the default > ++#pod certificate verification behavior to not check server identity if > set to 1. > ++#pod Only effective if C is not set. Added in version 0.083. > + #pod > + #pod An accessor/mutator method exists for each attribute. > + #pod > +@@ -111,11 +115,17 @@ sub timeout { > + sub new { > + my($class, %args) = @_; > + > ++# Support lower case verify_ssl argument, but only if verify_SSL is not > ++# true. > ++if ( exists $args{verify_ssl} ) { > ++$args{verify_SSL} ||= $args{verify_ssl}; > ++} > ++ > + my $self = { > + max_redirect => 5, > + timeout => defined $args{timeout} ? $args{timeout} : 60, > + keep_alive => 1, > +-verify_SSL => $args{verify_SSL} || $args{verify_ssl} || 0, # no > verification by default > ++verify_SSL => defined $args{verify_SSL} ? $args{verify_SSL} : > _verify_SSL_default(), > + no_proxy => $ENV{no_proxy}, > + }; > + > +@@ -134,6 +144,13 @@ sub new { > + return $self; > + } > + > ++sub _verify_SSL_default { > ++my ($self) = @_; > ++# Check if insecure default certificate verification behaviour has been > ++# changed by the user by s
[oe-core][PATCH 1/1] perl: Fix CVE-2023-31486
HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available
standalone on CPAN, has an insecure default TLS configuration where
users must opt in to verify certificates.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-31486

Upstream patches:
https://github.com/chansen/p5-http-tiny/commit/77f557ef84698efeb6eed04e4a9704eaf85b741d
https://github.com/chansen/p5-http-tiny/commit/a22785783b17cbaa28afaee4a024d81a1903701d

Signed-off-by: Soumya
---
.../perl/files/CVE-2023-31486-0001.patch | 217 ++
.../perl/files/CVE-2023-31486-0002.patch | 36 +++
meta/recipes-devtools/perl/perl_5.36.1.bb | 2 +
3 files changed, 255 insertions(+)
create mode 100644 meta/recipes-devtools/perl/files/CVE-2023-31486-0001.patch
create mode 100644 meta/recipes-devtools/perl/files/CVE-2023-31486-0002.patch

diff --git a/meta/recipes-devtools/perl/files/CVE-2023-31486-0001.patch b/meta/recipes-devtools/perl/files/CVE-2023-31486-0001.patch new file mode 100644 index 00..1074e0848d --- /dev/null +++ b/meta/recipes-devtools/perl/files/CVE-2023-31486-0001.patch
@@ -0,0 +1,217 @@ +From 77f557ef84698efeb6eed04e4a9704eaf85b741d +From: Stig Palmquist +Date: Mon Jun 5 16:46:22 2023 +0200 +Subject: [PATCH] Change verify_SSL default to 1, add ENV var to enable + insecure default + +- Changes the `verify_SSL` default parameter from `0` to `1` + + Based on patch by Dominic Hargreaves: + https://salsa.debian.org/perl-team/interpreter/perl/-/commit/1490431e40e22052f75a0b3449f1f53cbd27ba92 + + CVE: CVE-2023-31486 + +- Add check for `$ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT}` that + enables the previous insecure default behaviour if set to `1`. + + This provides a workaround for users who encounter problems with the + new `verify_SSL` default. + + Example to disable certificate checks: + ``` +$ PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT=1 ./script.pl + ``` + +- Updates to documentation: + - Describe changing the verify_SSL value + - Describe the escape-hatch environment variable + - Remove rationale for not enabling verify_SSL + - Add missing certificate search paths + - Replace "SSL" with "TLS/SSL" where appropriate + - Use "machine-in-the-middle" instead of "man-in-the-middle" + +Upstream-Status: Backport [https://github.com/chansen/p5-http-tiny/commit/77f557ef84698efeb6eed04e4a9704eaf85b741d] + +Signed-off-by: Soumya +--- + cpan/HTTP-Tiny/lib/HTTP/Tiny.pm | 86 ++--- + 1 file changed, 57 insertions(+), 29 deletions(-) + +diff --git a/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm b/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm +index 83ca06d..ebc34a1 100644 +--- a/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm b/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm +@@ -40,10 +40,14 @@ sub _croak { require Carp; Carp::croak(@_) } + #pod * C ??? Request timeout in seconds (default is 60) If a socket open, + #pod read or write takes longer than the timeout, the request response status code + #pod will be 599. +-#pod * C ??? A boolean that indicates whether to validate the SSL +-#pod certificate of an C ??? connection (default is false) ++#pod * C ??? 
A boolean that indicates whether to validate the TLS/SSL ++#pod certificate of an C ??? connection (default is true). Changed from false ++#pod to true in version 0.083. + #pod * C ??? A hashref of C ??? options to pass through to + #pod L ++#pod * C<$ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT}> - Changes the default ++#pod certificate verification behavior to not check server identity if set to 1. ++#pod Only effective if C is not set. Added in version 0.083. + #pod + #pod An accessor/mutator method exists for each attribute. + #pod +@@ -111,11 +115,17 @@ sub timeout { + sub new { + my($class, %args) = @_; + ++# Support lower case verify_ssl argument, but only if verify_SSL is not ++# true. ++if ( exists $args{verify_ssl} ) { ++$args{verify_SSL} ||= $args{verify_ssl}; ++} ++ + my $self = { + max_redirect => 5, + timeout => defined $args{timeout} ? $args{timeout} : 60, + keep_alive => 1, +-verify_SSL => $args{verify_SSL} || $args{verify_ssl} || 0, # no verification by default ++verify_SSL => defined $args{verify_SSL} ? $args{verify_SSL} : _verify_SSL_default(), + no_proxy => $ENV{no_proxy}, + }; + +@@ -134,6 +144,13 @@ sub new { + return $self; + } + ++sub _verify_SSL_default { ++my ($self) = @_; ++# Check if insecure default certificate verification behaviour has been ++# changed by the user by setting PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT=1 ++return (($ENV{PERL_HTTP_TINY_INSECURE_BY_DEFAULT} || '') eq '1') ? 0 : 1; ++} ++ + sub _set_proxies { + my ($self) = @_; + +@@ -1055,7 +1072,7 @@ sub new { + timeout => 60, + max_line_size=> 16384, + max_header_lines => 64, +-verify_SSL => 0, ++verify_SSL => HTTP::Tiny::_verify_SSL_default(), + SSL
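Review bot: in the `@@ -134,6 +144,13 @@ sub new {` hunk, the environment variable that `_verify_SSL_default` reads does not match the one this same patch documents: the POD hunk and the commit message name `$ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT}`, but the added line is `return (($ENV{PERL_HTTP_TINY_INSECURE_BY_DEFAULT} || '') eq '1') ? 0 : 1;` (no `SSL_`), so the documented `PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT=1 ./script.pl` escape hatch would be inert while an undocumented name silently disables verification. The cover letter lists a second upstream commit (a22785783b17cbaa28afaee4a024d81a1903701d) and the diffstat shows a 36-line CVE-2023-31486-0002.patch; please confirm that it corrects this name, or fix it in this patch so the series never builds in an intermediate state where the documented workaround does nothing. Minor: `_verify_SSL_default` is declared with `my ($self) = @_;` but is only ever called as a plain function (`_verify_SSL_default()` here and `HTTP::Tiny::_verify_SSL_default()` in the `@@ -1055,7 +1072,7 @@` hunk), so the unused `$self` can be dropped.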
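Review bot: in the `@@ -111,11 +115,17 @@ sub timeout {` hunk, the new default is selected with `verify_SSL => defined $args{verify_SSL} ? $args{verify_SSL} : _verify_SSL_default()`, so a caller that explicitly passes `verify_SSL => 0` (or `verify_ssl => 0`, which the preceding `$args{verify_SSL} ||= $args{verify_ssl};` block copies into `verify_SSL`) keeps unverified TLS exactly as before; only the absent-argument case flips to verification. That is the right scope for a backport, but the commit message only says the default changed from `0` to `1`; please add a sentence stating that explicit opt-outs are unchanged, since anyone auditing an image for scripts that still skip certificate checks must look for those explicit `verify_SSL => 0` callers rather than assume the CVE fix covers them. The `||=` also lets a lowercase `verify_ssl => 1` win over an explicit `verify_SSL => 0`, which the comment ("only if verify_SSL is not true") acknowledges and which matches the old `$args{verify_SSL} || $args{verify_ssl} || 0` precedence, so no change is needed there beyond perhaps a note in the POD.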