Re: [oe-core][PATCH 1/1] perl: Fix CVE-2023-31486

2023-07-17 Thread Soumya via lists.openembedded.org
Sent v2 - https://lore.kernel.org/openembedded-core/20230718030636.1418247-1-soumya.sa...@windriver.com/T/#u

Regards,
Soumya

From: Alexandre Belloni 
Sent: Monday, July 17, 2023 7:14 PM
To: Sambu, Soumya 
Cc: openembedded-core@lists.openembedded.org 
; st...@sakoman.com 
; G Pillai, Hari 
Subject: Re: [oe-core][PATCH 1/1] perl: Fix CVE-2023-31486

Hello,

you pressed y instead of enter when git asked you what charset to use,
so the patch doesn't apply. Can you resend?


On 14/07/2023 03:25:10+, Soumya via lists.openembedded.org wrote:
> HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available
> standalone on CPAN, has an insecure default TLS configuration where
> users must opt in to verify certificates.
>
> References:
> https://nvd.nist.gov/vuln/detail/CVE-2023-31486
>
> Upstream patches:
> https://github.com/chansen/p5-http-tiny/commit/77f557ef84698efeb6eed04e4a9704eaf85b741d
> https://github.com/chansen/p5-http-tiny/commit/a22785783b17cbaa28afaee4a024d81a1903701d
>
> Signed-off-by: Soumya 
> ---
>  .../perl/files/CVE-2023-31486-0001.patch  | 217 ++
>  .../perl/files/CVE-2023-31486-0002.patch  |  36 +++
>  meta/recipes-devtools/perl/perl_5.36.1.bb |   2 +
>  3 files changed, 255 insertions(+)
>  create mode 100644 meta/recipes-devtools/perl/files/CVE-2023-31486-0001.patch
>  create mode 100644 meta/recipes-devtools/perl/files/CVE-2023-31486-0002.patch
>

Re: [oe-core][PATCH 1/1] perl: Fix CVE-2023-31486

2023-07-17 Thread Alexandre Belloni via lists.openembedded.org
Hello,

you pressed y instead of enter when git asked you what charset to use,
so the patch doesn't apply. Can you resend?


On 14/07/2023 03:25:10+, Soumya via lists.openembedded.org wrote:
> HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available
> standalone on CPAN, has an insecure default TLS configuration where
> users must opt in to verify certificates.
> 
> References:
> https://nvd.nist.gov/vuln/detail/CVE-2023-31486
> 
> Upstream patches:
> https://github.com/chansen/p5-http-tiny/commit/77f557ef84698efeb6eed04e4a9704eaf85b741d
> https://github.com/chansen/p5-http-tiny/commit/a22785783b17cbaa28afaee4a024d81a1903701d
> 
> Signed-off-by: Soumya 
> ---
>  .../perl/files/CVE-2023-31486-0001.patch  | 217 ++
>  .../perl/files/CVE-2023-31486-0002.patch  |  36 +++
>  meta/recipes-devtools/perl/perl_5.36.1.bb |   2 +
>  3 files changed, 255 insertions(+)
>  create mode 100644 meta/recipes-devtools/perl/files/CVE-2023-31486-0001.patch
>  create mode 100644 meta/recipes-devtools/perl/files/CVE-2023-31486-0002.patch
> 

[oe-core][PATCH 1/1] perl: Fix CVE-2023-31486

2023-07-13 Thread Soumya via lists.openembedded.org
HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available
standalone on CPAN, has an insecure default TLS configuration where
users must opt in to verify certificates.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-31486

Upstream patches:
https://github.com/chansen/p5-http-tiny/commit/77f557ef84698efeb6eed04e4a9704eaf85b741d
https://github.com/chansen/p5-http-tiny/commit/a22785783b17cbaa28afaee4a024d81a1903701d

Signed-off-by: Soumya 
---
 .../perl/files/CVE-2023-31486-0001.patch  | 217 ++
 .../perl/files/CVE-2023-31486-0002.patch  |  36 +++
 meta/recipes-devtools/perl/perl_5.36.1.bb |   2 +
 3 files changed, 255 insertions(+)
 create mode 100644 meta/recipes-devtools/perl/files/CVE-2023-31486-0001.patch
 create mode 100644 meta/recipes-devtools/perl/files/CVE-2023-31486-0002.patch

diff --git a/meta/recipes-devtools/perl/files/CVE-2023-31486-0001.patch 
b/meta/recipes-devtools/perl/files/CVE-2023-31486-0001.patch
new file mode 100644
index 00..1074e0848d
--- /dev/null
+++ b/meta/recipes-devtools/perl/files/CVE-2023-31486-0001.patch
@@ -0,0 +1,217 @@
+From 77f557ef84698efeb6eed04e4a9704eaf85b741d
+From: Stig Palmquist 
+Date: Mon Jun 5 16:46:22 2023 +0200
+Subject: [PATCH] Change verify_SSL default to 1, add ENV var to enable
+ insecure default
+
+- Changes the `verify_SSL` default parameter from `0` to `1`
+
+  Based on patch by Dominic Hargreaves:
+  
https://salsa.debian.org/perl-team/interpreter/perl/-/commit/1490431e40e22052f75a0b3449f1f53cbd27ba92
+
+  CVE: CVE-2023-31486
+
+- Add check for `$ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT}` that
+  enables the previous insecure default behaviour if set to `1`.
+
+  This provides a workaround for users who encounter problems with the
+  new `verify_SSL` default.
+
+  Example to disable certificate checks:
+  ```
+$ PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT=1 ./script.pl
+  ```
+
+- Updates to documentation:
+  - Describe changing the verify_SSL value
+  - Describe the escape-hatch environment variable
+  - Remove rationale for not enabling verify_SSL
+  - Add missing certificate search paths
+  - Replace "SSL" with "TLS/SSL" where appropriate
+  - Use "machine-in-the-middle" instead of "man-in-the-middle"
+
+Upstream-Status: Backport 
[https://github.com/chansen/p5-http-tiny/commit/77f557ef84698efeb6eed04e4a9704eaf85b741d]
+
+Signed-off-by: Soumya 
+---
+ cpan/HTTP-Tiny/lib/HTTP/Tiny.pm | 86 ++---
+ 1 file changed, 57 insertions(+), 29 deletions(-)
+
+diff --git a/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm b/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm
+index 83ca06d..ebc34a1 100644
+--- a/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm
 b/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm
+@@ -40,10 +40,14 @@ sub _croak { require Carp; Carp::croak(@_) }
+ #pod * C ??? Request timeout in seconds (default is 60) If a socket 
open,
+ #pod   read or write takes longer than the timeout, the request response 
status code
+ #pod   will be 599.
+-#pod * C ??? A boolean that indicates whether to validate the SSL
+-#pod   certificate of an C ??? connection (default is false)
++#pod * C ??? A boolean that indicates whether to validate the 
TLS/SSL
++#pod   certificate of an C ??? connection (default is true). Changed 
from false
++#pod   to true in version 0.083.
+ #pod * C ??? A hashref of C ??? options to pass through to
+ #pod   L
++#pod * C<$ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT}> - Changes the default
++#pod   certificate verification behavior to not check server identity if set 
to 1.
++#pod   Only effective if C is not set. Added in version 0.083.
+ #pod
+ #pod An accessor/mutator method exists for each attribute.
+ #pod
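Review bot: the new pod text says the default "Changed from false to true in version 0.083", but this is a backport into the HTTP::Tiny copy bundled with perl 5.36.1, so please confirm whether the backported module still reports a pre-0.083 version; if it does, downstream code cannot use `HTTP::Tiny->VERSION` to tell which default it gets and should pass `verify_SSL => 1` explicitly, which is worth a sentence in the recipe's patch header. Minor: the new `$ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT}` item uses a plain "-" where the neighbouring items use the em dash (rendered as "???" in this copy).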
+@@ -111,11 +115,17 @@ sub timeout {
+ sub new {
+ my($class, %args) = @_;
+
++# Support lower case verify_ssl argument, but only if verify_SSL is not
++# true.
++if ( exists $args{verify_ssl} ) {
++$args{verify_SSL}  ||= $args{verify_ssl};
++}
++
+ my $self = {
+ max_redirect => 5,
+ timeout  => defined $args{timeout} ? $args{timeout} : 60,
+ keep_alive   => 1,
+-verify_SSL   => $args{verify_SSL} || $args{verify_ssl} || 0, # no 
verification by default
++verify_SSL   => defined $args{verify_SSL} ? $args{verify_SSL} : 
_verify_SSL_default(),
+ no_proxy => $ENV{no_proxy},
+ };
+
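Review bot: `_verify_SSL_default()` is called here as a plain function with no arguments, yet the sub added in the next hunk opens with `my ($self) = @_;`, which is never used; drop that line (or call it as a method), but not a mix of both. The `||=` on the lowercase alias means an explicit `verify_SSL => 0` combined with `verify_ssl => 1` ends up verifying, which is the fail-secure direction and matches the comment, while `verify_ssl => 0` alone yields a defined 0 and so correctly bypasses the new default; the aliasing logic itself is fine.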
+@@ -134,6 +144,13 @@ sub new {
+ return $self;
+ }
+
++sub _verify_SSL_default {
++my ($self) = @_;
++# Check if insecure default certificate verification behaviour has been
++# changed by the user by setting PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT=1
++return (($ENV{PERL_HTTP_TINY_INSECURE_BY_DEFAULT} || '') eq '1') ? 0 : 1;
++}
++
+ sub _set_proxies {
+ my ($self) = @_;
+
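Review bot: the environment variable read at `return (($ENV{PERL_HTTP_TINY_INSECURE_BY_DEFAULT} || '') eq '1') ? 0 : 1;` is not the one documented in the pod and named in the comment directly above it (`PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT`), so the documented escape hatch has no effect. The failure is in the safe direction (verification stays on), but users who need the workaround will be broken; correct the key to the documented name. The cover letter lists a second upstream commit (a22785783b17cbaa28afaee4a024d81a1903701d, CVE-2023-31486-0002.patch, 36 lines) that is not shown here; confirm that it is the one correcting this name and that the series applies it after 0001.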
+@@ -1055,7 +1072,7 @@ sub new {
+ timeout  => 60,
+ max_line_size=> 16384,
+ max_header_lines => 64,
+-verify_SSL   => 0,
++verify_SSL   => HTTP::Tiny::_verify_SSL_default(),
+ SSL
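As an added audit script (not code from the patch series or from HTTP::Tiny itself), the following reports which certificate-verification default the installed HTTP::Tiny applies, checks that the escape hatch only affects the default, and shows the explicit opt-in that is safe on both unpatched and patched builds. It assumes only the API visible in the patch (`new`, the `verify_SSL` accessor and the `PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT` variable) and makes no network connection.

```perl
#!/usr/bin/env perl
# Added audit script, not part of the patch series or of HTTP::Tiny.
# It relies only on the API visible in the patch: HTTP::Tiny->new, the
# verify_SSL accessor and the PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT
# escape hatch. No request is sent, so it runs offline.
use strict;
use warnings;
use HTTP::Tiny;

my $ESCAPE_HATCH = 'PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT';

# Effective default when the caller passes nothing and the escape hatch
# is unset: 1 on a fixed HTTP::Tiny, 0 on an unpatched one (< 0.083).
sub default_verifies_tls {
    local %ENV = %ENV;            # scratch copy, restored on return
    delete $ENV{$ESCAPE_HATCH};
    return HTTP::Tiny->new->verify_SSL ? 1 : 0;
}

# The documented escape hatch should turn only the default off. A fixed
# build that still returns 0 here reads a differently named variable.
sub escape_hatch_honoured {
    local %ENV = %ENV;
    $ENV{$ESCAPE_HATCH} = '1';
    return HTTP::Tiny->new->verify_SSL ? 0 : 1;
}

# An explicit verify_SSL => 1 must win over the escape hatch.
sub explicit_opt_in_wins {
    local %ENV = %ENV;
    $ENV{$ESCAPE_HATCH} = '1';
    return HTTP::Tiny->new( verify_SSL => 1 )->verify_SSL ? 1 : 0;
}

# Portable client construction: opt in explicitly so the code is safe on
# both old and patched versions instead of trusting the default.
sub tls_client {
    return HTTP::Tiny->new( verify_SSL => 1, timeout => 30 );
}

printf "HTTP::Tiny version: %s\n", HTTP::Tiny->VERSION;
printf "verifies certificates by default: %s\n",
    default_verifies_tls() ? 'yes' : 'NO (unpatched for CVE-2023-31486)';
printf "%s=1 disables the default: %s\n", $ESCAPE_HATCH,
    escape_hatch_honoured() ? 'yes' : 'no (unpatched, or env var name mismatch)';
printf "explicit verify_SSL => 1 overrides the escape hatch: %s\n",
    explicit_opt_in_wins() ? 'yes' : 'no';
printf "tls_client() verify_SSL: %d\n", tls_client()->verify_SSL;
```

Run it on the target image's perl to confirm the backport is active; the second line is the one that distinguishes a fixed build from an unpatched one.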