
perl: fix CVE-2023-31484

Message ID 20230605174616.2559077-1-soumya.sambu@windriver.com
State New

Commit Message

Sambu, Soumya June 5, 2023, 5:46 p.m. UTC
CPAN.pm before 2.35 does not verify TLS certificates when downloading
distributions over HTTPS.

Signed-off-by: Soumya <soumya.sambu@windriver.com>
---
 .../perl/files/CVE-2023-31484.patch           | 29 +++++++++++++++++++
 meta/recipes-devtools/perl/perl_5.34.1.bb     |  1 +
 2 files changed, 30 insertions(+)
 create mode 100644 meta/recipes-devtools/perl/files/CVE-2023-31484.patch
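The commit message states the condition in one sentence; the following Perl script is an added example, not part of this patch or of CPAN.pm, that audits a host for it offline: it reports the installed CPAN.pm release, whether the shipped CPAN::HTTP::Client passes `verify_SSL => 1` to HTTP::Tiny (so a backport like this one is recognised even though the version number stays old), and whether HTTP::Tiny can actually verify, which needs TLS support plus a CA bundle. The system bundle paths listed are typical distro locations and are an assumption, not something the patch names.

```perl
#!/usr/bin/perl
# Added example, not part of the patch or of CPAN.pm: audit a host for
# the CVE-2023-31484 condition without touching the network, and report
# the deployment caveat of the fix (verify_SSL => 1 needs a CA bundle).
use strict;
use warnings;
use version;

# 1. Installed CPAN.pm release. Fixed in 2.35 upstream, but a distro
#    backport such as this patch keeps the old version number, so the
#    source check in step 2 is what actually decides.
require CPAN;
my $cpan_version  = $CPAN::VERSION;
my $release_fixed = version->parse($cpan_version) >= version->parse('2.35') ? 1 : 0;

# 2. Does the shipped CPAN::HTTP::Client pass verify_SSL to HTTP::Tiny?
#    Located on @INC and read as text so none of CPAN's HTTP path runs.
my ($client_pm) = grep { -f } map { "$_/CPAN/HTTP/Client.pm" } @INC;
my $sets_verify = 0;
if (defined $client_pm) {
    open my $fh, '<', $client_pm or die "cannot read $client_pm: $!";
    my $src = do { local $/; <$fh> };
    close $fh;
    $sets_verify = 1 if $src =~ /\bverify_SSL\s*=>\s*1\b/;
}

# 3. Can HTTP::Tiny verify at all? It needs IO::Socket::SSL and a CA
#    bundle: Mozilla::CA if installed, otherwise a system bundle. The
#    paths below are typical distro locations (assumed, not from the patch).
require HTTP::Tiny;
my $can_ssl = HTTP::Tiny->can_ssl ? 1 : 0;
my $ca_file = eval { require Mozilla::CA; Mozilla::CA::SSL_ca_file() };
$ca_file //= (grep { -r $_ } qw(
    /etc/ssl/certs/ca-certificates.crt
    /etc/pki/tls/certs/ca-bundle.crt
    /etc/ssl/ca-bundle.pem
    /etc/ssl/cert.pem
))[0];

printf "CPAN.pm %s: %s\n", $cpan_version,
    $release_fixed ? 'release contains the fix' : 'pre-2.35 release';
printf "CPAN::HTTP::Client sets verify_SSL: %s (%s)\n",
    $sets_verify ? 'yes' : 'NO',
    defined $client_pm ? $client_pm : 'module not found';
printf "HTTP::Tiny TLS support: %s, CA bundle: %s\n",
    $can_ssl ? 'yes' : 'NO',
    defined $ca_file ? $ca_file : 'NONE (https fetches would fail closed)';

# Exit 0 only when verification is both enabled and able to succeed.
my $ok = ($release_fixed || $sets_verify) && $can_ssl && defined $ca_file;
exit($ok ? 0 : 1);
```

Run it with the target's own perl (for a Yocto image, inside the image or under the SDK's perl) so that `@INC` and the bundle paths reflect what CPAN would use there; a non-zero exit means either verification is still off or it is on but would fail for lack of a CA bundle.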

Comments

Richard Purdie June 6, 2023, 11:05 a.m. UTC | #1
On Mon, 2023-06-05 at 17:46 +0000, Soumya via lists.openembedded.org
wrote:
> CPAN.pm before 2.35 does not verify TLS certificates when downloading
> distributions over HTTPS.
> 
> Signed-off-by: Soumya <soumya.sambu@windriver.com>
> ---
>  .../perl/files/CVE-2023-31484.patch           | 29 +++++++++++++++++++
>  meta/recipes-devtools/perl/perl_5.34.1.bb     |  1 +
>  2 files changed, 30 insertions(+)
>  create mode 100644 meta/recipes-devtools/perl/files/CVE-2023-31484.patch

Which release is this patch against?

Cheers,

Richard
Sambu, Soumya June 6, 2023, 11:38 a.m. UTC | #2
This is for kirkstone branch. Attached is the updated patch.

Regards,
Soumya
Randy MacLeod June 6, 2023, 6:12 p.m. UTC | #3
On 2023-06-06 07:38, Soumya via lists.openembedded.org wrote:
> This is for kirkstone branch. Attached is the updated patch.
>

Soumya,


We don't usually take patches as attachments since we
like to see the changes in email easily for review so
unless Steve makes an exception this time, please
resend following the workflow documented here:

https://www.openembedded.org/wiki/How_to_submit_a_patch_to_OpenEmbedded


See and read the section mentioning:

    git send-email  ... --subject-prefix="<BRANCH_NAME>][PATCH"


and the rest of the document and links therein.


../Randy

>
> Regards,
> Soumya
>
> ------------------------------------------------------------------------
> *From:* Richard Purdie <richard.purdie@linuxfoundation.org>
> *Sent:* Tuesday, June 6, 2023 4:35 PM
> *To:* Sambu, Soumya <Soumya.Sambu@windriver.com>; 
> openembedded-core@lists.openembedded.org 
> <openembedded-core@lists.openembedded.org>
> *Subject:* Re: [OE-core] [PATCH] perl: fix CVE-2023-31484
> CAUTION: This email comes from a non Wind River email account!
> Do not click links or open attachments unless you recognize the sender 
> and know the content is safe.
>
> On Mon, 2023-06-05 at 17:46 +0000, Soumya via lists.openembedded.org
> wrote:
> > CPAN.pm before 2.35 does not verify TLS certificates when downloading
> > distributions over HTTPS.
> >
> > Signed-off-by: Soumya <soumya.sambu@windriver.com>
> > ---
> >  .../perl/files/CVE-2023-31484.patch           | 29 +++++++++++++++++++
> >  meta/recipes-devtools/perl/perl_5.34.1.bb     |  1 +
> >  2 files changed, 30 insertions(+)
> >  create mode 100644 
> meta/recipes-devtools/perl/files/CVE-2023-31484.patch
>
> Which release is this patch against?
>
> Cheers,
>
> Richard
>
>
Sambu, Soumya June 7, 2023, 5:57 a.m. UTC | #4
Sorry for the typo and for misleading with the attachment; I have already sent the v2 patch with the kirkstone branch mentioned: [oe-core][kirkstone][PATCH v2 1/1] perl: fix CVE-2023-31484 <https://lore.kernel.org/openembedded-core/20230606092535.767943-1-soumya.sambu@windriver.com/>

Regards,
Soumya

Patch

diff --git a/meta/recipes-devtools/perl/files/CVE-2023-31484.patch b/meta/recipes-devtools/perl/files/CVE-2023-31484.patch
new file mode 100644
index 0000000000..1f7cbd0da1
--- /dev/null
+++ b/meta/recipes-devtools/perl/files/CVE-2023-31484.patch
@@ -0,0 +1,29 @@ 
+From a625ec2cc3a0b6116c1f8b831d3480deb621c245 Mon Sep 17 00:00:00 2001
+From: Stig Palmquist <git@stig.io>
+Date: Tue, 28 Feb 2023 11:54:06 +0100
+Subject: [PATCH] Add verify_SSL=>1 to HTTP::Tiny to verify https server
+ identity
+
+Upstream-Status: Backport [https://github.com/andk/cpanpm/commit/9c98370287f4e709924aee7c58ef21c85289a7f0]
+
+CVE: CVE-2023-31484
+
+Signed-off-by: Soumya <soumya.sambu@windriver.com>
+---
+ cpan/CPAN/lib/CPAN/HTTP/Client.pm | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/cpan/CPAN/lib/CPAN/HTTP/Client.pm b/cpan/CPAN/lib/CPAN/HTTP/Client.pm
+index 4fc792c..a616fee 100644
+--- a/cpan/CPAN/lib/CPAN/HTTP/Client.pm
++++ b/cpan/CPAN/lib/CPAN/HTTP/Client.pm
+@@ -32,6 +32,7 @@ sub mirror {
+
+     my $want_proxy = $self->_want_proxy($uri);
+     my $http = HTTP::Tiny->new(
++        verify_SSL => 1,
+         $want_proxy ? (proxy => $self->{proxy}) : ()
+     );
+
+--
+2.40.0
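Review bot: the `verify_SSL => 1` added in the `@@ -32,6 +32,7 @@ sub mirror` hunk makes CPAN's HTTPS fetches fail closed whenever HTTP::Tiny cannot locate a CA bundle, so the recipe (or the image that ships cpan) should make sure a bundle such as ca-certificates or Mozilla::CA is present on targets that use CPAN over https; otherwise this turns silent non-verification into download failures. The Upstream-Status, CVE and Signed-off-by tags are all present, and the wrapped ` identity` continuation of the Subject line is as git format-patch emits it.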
diff --git a/meta/recipes-devtools/perl/perl_5.34.1.bb b/meta/recipes-devtools/perl/perl_5.34.1.bb
index 42bcb8b1bc..e0ee006e50 100644
--- a/meta/recipes-devtools/perl/perl_5.34.1.bb
+++ b/meta/recipes-devtools/perl/perl_5.34.1.bb
@@ -18,6 +18,7 @@  SRC_URI = "https://www.cpan.org/src/5.0/perl-${PV}.tar.gz;name=perl \
            file://determinism.patch \
            file://0001-cpan-Sys-Syslog-Makefile.PL-Fix-_PATH_LOG-for-determ.patch \
            file://0001-Fix-build-with-gcc-12.patch \
+           file://CVE-2023-31484.patch \
            "
 SRC_URI:append:class-native = " \
            file://perl-configpm-switch.patch \
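Review bot: the SRC_URI entry is added to perl_5.34.1.bb, which is the kirkstone recipe, yet the series subject carries no `[kirkstone]` prefix, which is what the thread above asks about; resend with `git send-email ... --subject-prefix="kirkstone][PATCH"` so the patch is routed to the intended branch. The entry itself follows the surrounding `file://...patch \` continuation style and keeps the closing quote line intact.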