openembedded-core.lists.openembedded.org archive mirror
* [PATCH] perl: fix CVE-2023-31484
@ 2023-06-05 17:46 Soumya
  2023-06-06 11:05 ` [OE-core] " Richard Purdie
From: Soumya @ 2023-06-05 17:46 UTC (permalink / raw)
  To: openembedded-core; +Cc: Soumya

CPAN.pm before 2.35 does not verify TLS certificates when downloading
distributions over HTTPS.

Signed-off-by: Soumya <soumya.sambu@windriver.com>
---
 .../perl/files/CVE-2023-31484.patch           | 29 +++++++++++++++++++
 meta/recipes-devtools/perl/perl_5.34.1.bb     |  1 +
 2 files changed, 30 insertions(+)
 create mode 100644 meta/recipes-devtools/perl/files/CVE-2023-31484.patch

diff --git a/meta/recipes-devtools/perl/files/CVE-2023-31484.patch b/meta/recipes-devtools/perl/files/CVE-2023-31484.patch
new file mode 100644
index 0000000000..1f7cbd0da1
--- /dev/null
+++ b/meta/recipes-devtools/perl/files/CVE-2023-31484.patch
@@ -0,0 +1,29 @@
+From a625ec2cc3a0b6116c1f8b831d3480deb621c245 Mon Sep 17 00:00:00 2001
+From: Stig Palmquist <git@stig.io>
+Date: Tue, 28 Feb 2023 11:54:06 +0100
+Subject: [PATCH] Add verify_SSL=>1 to HTTP::Tiny to verify https server
+ identity
+
+Upstream-Status: Backport [https://github.com/andk/cpanpm/commit/9c98370287f4e709924aee7c58ef21c85289a7f0]
+
+CVE: CVE-2023-31484
+
+Signed-off-by: Soumya <soumya.sambu@windriver.com>
+---
+ cpan/CPAN/lib/CPAN/HTTP/Client.pm | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/cpan/CPAN/lib/CPAN/HTTP/Client.pm b/cpan/CPAN/lib/CPAN/HTTP/Client.pm
+index 4fc792c..a616fee 100644
+--- a/cpan/CPAN/lib/CPAN/HTTP/Client.pm
++++ b/cpan/CPAN/lib/CPAN/HTTP/Client.pm
+@@ -32,6 +32,7 @@ sub mirror {
+
+     my $want_proxy = $self->_want_proxy($uri);
+     my $http = HTTP::Tiny->new(
++        verify_SSL => 1,
+         $want_proxy ? (proxy => $self->{proxy}) : ()
+     );
+
+--
+2.40.0
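Review bot: verify_SSL => 1 makes this HTTP::Tiny client fail closed, and the commit message should say so: with verification on, HTTP::Tiny needs IO::Socket::SSL plus a CA bundle (Mozilla::CA or a system bundle such as /etc/ssl/certs/ca-certificates.crt), and when none is found an https mirror fetch dies with "Couldn't find a CA bundle with which to verify the SSL certificate" instead of silently proceeding unverified. That is the behaviour CVE-2023-31484 calls for, but users of `cpan` on the target now need CA certificates installed for https mirrors, so a sentence noting that runtime requirement next to the Upstream-Status line would save the next person a debugging session.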
diff --git a/meta/recipes-devtools/perl/perl_5.34.1.bb b/meta/recipes-devtools/perl/perl_5.34.1.bb
index 42bcb8b1bc..e0ee006e50 100644
--- a/meta/recipes-devtools/perl/perl_5.34.1.bb
+++ b/meta/recipes-devtools/perl/perl_5.34.1.bb
@@ -18,6 +18,7 @@ SRC_URI = "https://www.cpan.org/src/5.0/perl-${PV}.tar.gz;name=perl \
            file://determinism.patch \
            file://0001-cpan-Sys-Syslog-Makefile.PL-Fix-_PATH_LOG-for-determ.patch \
            file://0001-Fix-build-with-gcc-12.patch \
+           file://CVE-2023-31484.patch \
            "
 SRC_URI:append:class-native = " \
            file://perl-configpm-switch.patch \
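Review bot: neither the subject nor the commit message names the branch this hunk targets, so a maintainer cannot tell from the mail alone which tree the recipe context (perl_5.34.1.bb, index 42bcb8b1bc) was taken from; this is exactly what Richard asks below. Please state the target branch, for example by resending with `--subject-prefix="kirkstone][PATCH"` as the submission guide linked later in the thread describes, so the patch is queued against the tree it was generated from.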
-- 
2.40.0




* Re: [OE-core] [PATCH] perl: fix CVE-2023-31484
  2023-06-05 17:46 [PATCH] perl: fix CVE-2023-31484 Soumya
@ 2023-06-06 11:05 ` Richard Purdie
  2023-06-06 11:38   ` Sambu, Soumya
From: Richard Purdie @ 2023-06-06 11:05 UTC (permalink / raw)
  To: soumya.sambu, openembedded-core

On Mon, 2023-06-05 at 17:46 +0000, Soumya via lists.openembedded.org
wrote:
> CPAN.pm before 2.35 does not verify TLS certificates when downloading
> distributions over HTTPS.
> 
> Signed-off-by: Soumya <soumya.sambu@windriver.com>
> ---
>  .../perl/files/CVE-2023-31484.patch           | 29 +++++++++++++++++++
>  meta/recipes-devtools/perl/perl_5.34.1.bb     |  1 +
>  2 files changed, 30 insertions(+)
>  create mode 100644 meta/recipes-devtools/perl/files/CVE-2023-31484.patch

Which release is this patch against?

Cheers,

Richard



* Re: [OE-core] [PATCH] perl: fix CVE-2023-31484
  2023-06-06 11:05 ` [OE-core] " Richard Purdie
@ 2023-06-06 11:38   ` Sambu, Soumya
  2023-06-06 18:12     ` Randy MacLeod
From: Sambu, Soumya @ 2023-06-06 11:38 UTC (permalink / raw)
  To: Richard Purdie, openembedded-core



This is for kirkstone branch. Attached is the updated patch.

Regards,
Soumya


CPAN.pm before 2.35 does not verify TLS certificates when downloading
distributions over HTTPS.

Signed-off-by: Soumya <soumya.sambu@windriver.com>
---
 .../perl/files/CVE-2023-31484.patch           | 29 +++++++++++++++++++
 meta/recipes-devtools/perl/perl_5.34.1.bb     |  1 +
 2 files changed, 30 insertions(+)
 create mode 100644 meta/recipes-devtools/perl/files/CVE-2023-31484.patch

diff --git a/meta/recipes-devtools/perl/files/CVE-2023-31484.patch b/meta/recipes-devtools/perl/files/CVE-2023-31484.patch
new file mode 100644
index 0000000000..1f7cbd0da1
--- /dev/null
+++ b/meta/recipes-devtools/perl/files/CVE-2023-31484.patch
@@ -0,0 +1,29 @@
+From a625ec2cc3a0b6116c1f8b831d3480deb621c245 Mon Sep 17 00:00:00 2001
+From: Stig Palmquist <git@stig.io>
+Date: Tue, 28 Feb 2023 11:54:06 +0100
+Subject: [PATCH] Add verify_SSL=>1 to HTTP::Tiny to verify https server
+ identity
+
+Upstream-Status: Backport [https://github.com/andk/cpanpm/commit/9c98370287f4e709924aee7c58ef21c85289a7f0]
+
+CVE: CVE-2023-31484
+
+Signed-off-by: Soumya <soumya.sambu@windriver.com>
+---
+ cpan/CPAN/lib/CPAN/HTTP/Client.pm | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/cpan/CPAN/lib/CPAN/HTTP/Client.pm b/cpan/CPAN/lib/CPAN/HTTP/Client.pm
+index 4fc792c..a616fee 100644
+--- a/cpan/CPAN/lib/CPAN/HTTP/Client.pm
++++ b/cpan/CPAN/lib/CPAN/HTTP/Client.pm
+@@ -32,6 +32,7 @@ sub mirror {
+
+     my $want_proxy = $self->_want_proxy($uri);
+     my $http = HTTP::Tiny->new(
++        verify_SSL => 1,
+         $want_proxy ? (proxy => $self->{proxy}) : ()
+     );
+
+--
+2.40.0
diff --git a/meta/recipes-devtools/perl/perl_5.34.1.bb b/meta/recipes-devtools/perl/perl_5.34.1.bb
index af4660091b..1fa8482bcd 100644
--- a/meta/recipes-devtools/perl/perl_5.34.1.bb
+++ b/meta/recipes-devtools/perl/perl_5.34.1.bb
@@ -19,6 +19,7 @@ SRC_URI = "https://www.cpan.org/src/5.0/perl-${PV}.tar.gz;name=perl \
            file://0001-cpan-Sys-Syslog-Makefile.PL-Fix-_PATH_LOG-for-determ.patch \
            file://0001-Fix-build-with-gcc-12.patch \
            file://CVE-2023-31486.patch \
+           file://CVE-2023-31484.patch \
            "
 SRC_URI:append:class-native = " \
            file://perl-configpm-switch.patch \
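Review bot: the context of this hunk (index af4660091b, with a neighbouring `file://CVE-2023-31486.patch` line) differs from the first submission's hunk (index 42bcb8b1bc, no CVE-2023-31486.patch), which confirms the two were generated against different trees; the subject and commit message of this attached version still do not name the branch. The v2 resend should carry the kirkstone subject prefix so the hunk is applied to the tree whose context it shows, and should go inline rather than as an attachment so the recipe change can be reviewed in the mail.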
-- 
2.40.0



* Re: [OE-core] [PATCH] perl: fix CVE-2023-31484
  2023-06-06 11:38   ` Sambu, Soumya
@ 2023-06-06 18:12     ` Randy MacLeod
  2023-06-07  5:57       ` Sambu, Soumya
From: Randy MacLeod @ 2023-06-06 18:12 UTC (permalink / raw)
  To: soumya.sambu, Richard Purdie, openembedded-core, steve
  Cc: Polampalli, Archana


On 2023-06-06 07:38, Soumya via lists.openembedded.org wrote:
> This is for kirkstone branch. Attached is the updated patch.
>

Soumya,


We don't usually take patches as attachments since we
like to see the changes in email easily for review so

unless Steve makes an exception this time, please
resend following the workflow documented here:

https://www.openembedded.org/wiki/How_to_submit_a_patch_to_OpenEmbedded


See and read the section mentioning:

    git send-email  ... --subject-prefix="<BRANCH_NAME>][PATCH"


and the rest of the document and links therein.


../Randy





-- 
# Randy MacLeod
# Wind River Linux


* Re: [OE-core] [PATCH] perl: fix CVE-2023-31484
  2023-06-06 18:12     ` Randy MacLeod
@ 2023-06-07  5:57       ` Sambu, Soumya
From: Sambu, Soumya @ 2023-06-07  5:57 UTC (permalink / raw)
  To: MacLeod, Randy, Richard Purdie, openembedded-core, steve
  Cc: Polampalli, Archana


Sorry for the typo and the misleading attachment; I have already sent a v2 patch with the kirkstone branch mentioned: [oe-core][kirkstone][PATCH v2 1/1] perl: fix CVE-2023-31484 <https://lore.kernel.org/openembedded-core/20230606092535.767943-1-soumya.sambu@windriver.com/>

Regards,
Soumya

