Bug#606390: Possible upload for libio-socket-ssl-perl to t-p-u?

[Salvatore Bonaccorso]

Hi Adam

On Wed, Dec 08, 2010 at 09:21:41PM +0000, Adam D. Barratt wrote:
> On Mon, 2010-12-06 at 13:38 +0100, Salvatore Bonaccorso wrote:
> > I just uploaded libio-socket-ssl-perl 1.35-1 to unstable fixing Bug
> > #606058 (http://bugs.debian.org/606058) (Severity normal, tagged
> > security). The change done by upstream is, that if the verify_mode is
> > not VERIFY_NONE and the ca_file/ca_path cannot be verified as valid
> > then IO::Socket::SSL will not fall back to VERIFY_NONE but at least
> > throw an error to inform the user. The reasoning from upstream is:
> [...]
> > If you would agree on it, should I prepare an upload too for t-p-u for
> > it? The changes done by upstream are the following:
> 
> Please go ahead; thanks.

Prepared, by directly patching SSL.pm. Attached is the debdiff between
1.33-1 to 1.33-1+squeeze1. 

Fine with that?

Bests
Salvatore

diff -u libio-socket-ssl-perl-1.33/debian/control libio-socket-ssl-perl-1.33/debian/control
--- libio-socket-ssl-perl-1.33/debian/control
+++ libio-socket-ssl-perl-1.33/debian/control
@@ -5,7 +5,7 @@
 Uploaders: gregor herrmann <gre...@debian.org>,
  Ansgar Burchardt <ans...@43-1.org>, Rene Mayorga <rmayo...@debian.org>,
  Antonio Radici <anto...@dyne.org>,
- Salvatore Bonaccorso <salvatore.bonacco...@gmail.com>,
+ Salvatore Bonaccorso <car...@debian.org>,
  Angel Abad <angela...@gmail.com>
 Build-Depends: debhelper (>= 7)
 Build-Depends-Indep: libio-socket-inet6-perl, libnet-libidn-perl,
diff -u libio-socket-ssl-perl-1.33/debian/copyright libio-socket-ssl-perl-1.33/debian/copyright
--- libio-socket-ssl-perl-1.33/debian/copyright
+++ libio-socket-ssl-perl-1.33/debian/copyright
@@ -19,7 +19,7 @@
  2008, Mark Hymers <m...@debian.org>
  2008, Rene Mayorga <rmayo...@debian.org.sv>
  2009, Antonio Radici <anto...@dyne.org>
- 2009, Salvatore Bonaccorso <salvatore.bonacco...@gmail.com>
+ 2009, Salvatore Bonaccorso <car...@debian.org>
  2010, Angel Abad <angela...@gmail.com>
 License: Artistic or GPL-1+
 
diff -u libio-socket-ssl-perl-1.33/debian/changelog libio-socket-ssl-perl-1.33/debian/changelog
--- libio-socket-ssl-perl-1.33/debian/changelog
+++ libio-socket-ssl-perl-1.33/debian/changelog
@@ -1,3 +1,12 @@
+libio-socket-ssl-perl (1.33-1+squeeze1) testing-proposed-updates; urgency=low
+
+  * Change my email address.
+  * Patch SSL.pm to fix vulnerability with IO::Socket::SSL verify peer
+    mode which is ignored if no cert is supplied. This is CVE-2010-4334.
+    (Closes: #606058).
+
+ -- Salvatore Bonaccorso <car...@debian.org>  Thu, 09 Dec 2010 10:56:23 +0100
+
 libio-socket-ssl-perl (1.33-1) unstable; urgency=low
 
   * New upstream release
@@ -303 +311,0 @@
-
only in patch2:
unchanged:
--- libio-socket-ssl-perl-1.33.orig/SSL.pm
+++ libio-socket-ssl-perl-1.33/SSL.pm
@@ -1370,12 +1370,7 @@
 	if ( $verify_mode != Net::SSLeay::VERIFY_NONE() and 
 		! Net::SSLeay::CTX_load_verify_locations( 
 			$ctx, $arg_hash->{SSL_ca_file} || '',$arg_hash->{SSL_ca_path} || '') ) {
-		if ( ! $arg_hash->{SSL_ca_file} && ! $arg_hash->{SSL_ca_path} ) {
-			carp("No certificate verification because neither SSL_ca_file nor SSL_ca_path known");
-			$verify_mode = Net::SSLeay::VERIFY_NONE();
-		} else {
-			return IO::Socket::SSL->error("Invalid certificate authority locations");
-		}
+		return IO::Socket::SSL->error("Invalid certificate authority locations");
 	}
 
 	if ($arg_hash->{'SSL_check_crl'}) {

signature.asc
Description: Digital signature