poky/meta/recipes-devtools/perl/files/CVE-2023-31486-0001.patch - openbmc/openbmc - Gitiles

 From 77f557ef84698efeb6eed04e4a9704eaf85b741d
 From: Stig Palmquist <git@stig.io>
 Date: Mon Jun 5 16:46:22 2023 +0200
 Subject: [PATCH] Change verify_SSL default to 1, add ENV var to enable
  insecure default

 - Changes the `verify_SSL` default parameter from `0` to `1`

   Based on patch by Dominic Hargreaves:
   https://salsa.debian.org/perl-team/interpreter/perl/-/commit/1490431e40e22052f75a0b3449f1f53cbd27ba92

   CVE: CVE-2023-31486

 - Add check for `$ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT}` that
   enables the previous insecure default behaviour if set to `1`.

   This provides a workaround for users who encounter problems with the
   new `verify_SSL` default.

   Example to disable certificate checks:
   ```
     $ PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT=1 ./script.pl
   ```

 - Updates to documentation:
   - Describe changing the verify_SSL value
   - Describe the escape-hatch environment variable
   - Remove rationale for not enabling verify_SSL
   - Add missing certificate search paths
   - Replace "SSL" with "TLS/SSL" where appropriate
   - Use "machine-in-the-middle" instead of "man-in-the-middle"

 Upstream-Status: Backport [https://github.com/chansen/p5-http-tiny/commit/77f557ef84698efeb6eed04e4a9704eaf85b741d]

 Signed-off-by: Soumya <soumya.sambu@windriver.com>
 ---
  cpan/HTTP-Tiny/lib/HTTP/Tiny.pm | 86 ++++++++++++++++++++++-----------
  1 file changed, 57 insertions(+), 29 deletions(-)

 diff --git a/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm b/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm
 index 83ca06d..ebc34a1 100644
 --- a/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm
 +++ b/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm
 @@ -40,10 +40,14 @@ sub _croak { require Carp; Carp::croak(@_) }
  #pod * C<timeout> — Request timeout in seconds (default is 60) If a socket open,
  #pod   read or write takes longer than the timeout, the request response status code
  #pod   will be 599.
 -#pod * C<verify_SSL> — A boolean that indicates whether to validate the SSL
 -#pod   certificate of an C<https> — connection (default is false)
 +#pod * C<verify_SSL> — A boolean that indicates whether to validate the TLS/SSL
 +#pod   certificate of an C<https> — connection (default is true). Changed from false
 +#pod   to true in version 0.083.
  #pod * C<SSL_options> — A hashref of C<SSL_*> — options to pass through to
  #pod   L<IO::Socket::SSL>
 +#pod * C<$ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT}> - Changes the default
 +#pod   certificate verification behavior to not check server identity if set to 1.
 +#pod   Only effective if C<verify_SSL> is not set. Added in version 0.083.
  #pod
  #pod An accessor/mutator method exists for each attribute.
  #pod
 @@ -111,11 +115,17 @@ sub timeout {
  sub new {
      my($class, %args) = @_;

 +    # Support lower case verify_ssl argument, but only if verify_SSL is not
 +    # true.
 +    if ( exists $args{verify_ssl} ) {
 +        $args{verify_SSL}  ||= $args{verify_ssl};
 +    }
 +
      my $self = {
          max_redirect => 5,
          timeout      => defined $args{timeout} ? $args{timeout} : 60,
          keep_alive   => 1,
 -        verify_SSL   => $args{verify_SSL} || $args{verify_ssl} || 0, # no verification by default
 +        verify_SSL   => defined $args{verify_SSL} ? $args{verify_SSL} : _verify_SSL_default(),
          no_proxy     => $ENV{no_proxy},
      };

 @@ -134,6 +144,13 @@ sub new {
      return $self;
  }

 +sub _verify_SSL_default {
 +    my ($self) = @_;
 +    # Check if insecure default certificate verification behaviour has been
 +    # changed by the user by setting PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT=1
 +    return (($ENV{PERL_HTTP_TINY_INSECURE_BY_DEFAULT} || '') eq '1') ? 0 : 1;
 +}
 +
  sub _set_proxies {
      my ($self) = @_;

 @@ -1055,7 +1072,7 @@ sub new {
          timeout          => 60,
          max_line_size    => 16384,
          max_header_lines => 64,
 -        verify_SSL       => 0,
 +        verify_SSL       => HTTP::Tiny::_verify_SSL_default(),
          SSL_options      => {},
          %args
      }, $class;
 @@ -2043,11 +2060,11 @@ proxy
  timeout
  verify_SSL

 -=head1 SSL SUPPORT
 +=head1 TLS/SSL SUPPORT

  Direct C<https> connections are supported only if L<IO::Socket::SSL> 1.56 or
  greater and L<Net::SSLeay> 1.49 or greater are installed. An error will occur
 -if new enough versions of these modules are not installed or if the SSL
 +if new enough versions of these modules are not installed or if the TLS
  encryption fails. You can also use C<HTTP::Tiny::can_ssl()> utility function
  that returns boolean to see if the required modules are installed.

 @@ -2055,7 +2072,7 @@ An C<https> connection may be made via an C<http> proxy that supports the CONNEC
  command (i.e. RFC 2817).  You may not proxy C<https> via a proxy that itself
  requires C<https> to communicate.

 -SSL provides two distinct capabilities:
 +TLS/SSL provides two distinct capabilities:

  =over 4

 @@ -2069,24 +2086,17 @@ Verification of server identity

  =back

 -B<By default, HTTP::Tiny does not verify server identity>.
 -
 -Server identity verification is controversial and potentially tricky because it
 -depends on a (usually paid) third-party Certificate Authority (CA) trust model
 -to validate a certificate as legitimate.  This discriminates against servers
 -with self-signed certificates or certificates signed by free, community-driven
 -CA's such as L<CAcert.org|http://cacert.org>.
 +B<By default, HTTP::Tiny verifies server identity>.

 -By default, HTTP::Tiny does not make any assumptions about your trust model,
 -threat level or risk tolerance.  It just aims to give you an encrypted channel
 -when you need one.
 +This was changed in version 0.083 due to security concerns. The previous default
 +behavior can be enabled by setting C<$ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT}>
 +to 1.

 -Setting the C<verify_SSL> attribute to a true value will make HTTP::Tiny verify
 -that an SSL connection has a valid SSL certificate corresponding to the host
 -name of the connection and that the SSL certificate has been verified by a CA.
 -Assuming you trust the CA, this will protect against a L<man-in-the-middle
 -attack|http://en.wikipedia.org/wiki/Man-in-the-middle_attack>.  If you are
 -concerned about security, you should enable this option.
 +Verification is done by checking that that the TLS/SSL connection has a valid
 +certificate corresponding to the host name of the connection and that the
 +certificate has been verified by a CA. Assuming you trust the CA, this will
 +protect against L<machine-in-the-middle
 +attacks|http://en.wikipedia.org/wiki/Machine-in-the-middle_attack>.

  Certificate verification requires a file containing trusted CA certificates.

 @@ -2094,9 +2104,7 @@ If the environment variable C<SSL_CERT_FILE> is present, HTTP::Tiny
  will try to find a CA certificate file in that location.

  If the L<Mozilla::CA> module is installed, HTTP::Tiny will use the CA file
 -included with it as a source of trusted CA's.  (This means you trust Mozilla,
 -the author of Mozilla::CA, the CPAN mirror where you got Mozilla::CA, the
 -toolchain used to install it, and your operating system security, right?)
 +included with it as a source of trusted CA's.

  If that module is not available, then HTTP::Tiny will search several
  system-specific default locations for a CA certificate file:
 @@ -2115,13 +2123,33 @@ system-specific default locations for a CA certificate file:

  /etc/ssl/ca-bundle.pem

 +=item *
 +
 +/etc/openssl/certs/ca-certificates.crt
 +
 +=item *
 +
 +/etc/ssl/cert.pem
 +
 +=item *
 +
 +/usr/local/share/certs/ca-root-nss.crt
 +
 +=item *
 +
 +/etc/pki/tls/cacert.pem
 +
 +=item *
 +
 +/etc/certs/ca-certificates.crt
 +
  =back

  An error will be occur if C<verify_SSL> is true and no CA certificate file
  is available.

 -If you desire complete control over SSL connections, the C<SSL_options> attribute
 -lets you provide a hash reference that will be passed through to
 +If you desire complete control over TLS/SSL connections, the C<SSL_options>
 +attribute lets you provide a hash reference that will be passed through to
  C<IO::Socket::SSL::start_SSL()>, overriding any options set by HTTP::Tiny. For
  example, to provide your own trusted CA file:

 @@ -2131,7 +2159,7 @@ example, to provide your own trusted CA file:

  The C<SSL_options> attribute could also be used for such things as providing a
  client certificate for authentication to a server or controlling the choice of
 -cipher used for the SSL connection. See L<IO::Socket::SSL> documentation for
 +cipher used for the TLS/SSL connection. See L<IO::Socket::SSL> documentation for
  details.

  =head1 PROXY SUPPORT
 --
 2.40.0
	From 77f557ef84698efeb6eed04e4a9704eaf85b741d
	From: Stig Palmquist <git@stig.io>
	Date: Mon Jun 5 16:46:22 2023 +0200
	Subject: [PATCH] Change verify_SSL default to 1, add ENV var to enable
	insecure default

	- Changes the `verify_SSL` default parameter from `0` to `1`

	Based on patch by Dominic Hargreaves:
	https://salsa.debian.org/perl-team/interpreter/perl/-/commit/1490431e40e22052f75a0b3449f1f53cbd27ba92

	CVE: CVE-2023-31486

	- Add check for `$ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT}` that
	enables the previous insecure default behaviour if set to `1`.

	This provides a workaround for users who encounter problems with the
	new `verify_SSL` default.

	Example to disable certificate checks:
	```
	$ PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT=1 ./script.pl
	```

	- Updates to documentation:
	- Describe changing the verify_SSL value
	- Describe the escape-hatch environment variable
	- Remove rationale for not enabling verify_SSL
	- Add missing certificate search paths
	- Replace "SSL" with "TLS/SSL" where appropriate
	- Use "machine-in-the-middle" instead of "man-in-the-middle"

	Upstream-Status: Backport [https://github.com/chansen/p5-http-tiny/commit/77f557ef84698efeb6eed04e4a9704eaf85b741d]

	Signed-off-by: Soumya <soumya.sambu@windriver.com>
	---
	cpan/HTTP-Tiny/lib/HTTP/Tiny.pm \| 86 ++++++++++++++++++++++-----------
	1 file changed, 57 insertions(+), 29 deletions(-)

	diff --git a/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm b/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm
	index 83ca06d..ebc34a1 100644
	--- a/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm
	+++ b/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm
	@@ -40,10 +40,14 @@ sub _croak { require Carp; Carp::croak(@_) }
	#pod * C<timeout> — Request timeout in seconds (default is 60) If a socket open,
	#pod read or write takes longer than the timeout, the request response status code
	#pod will be 599.
	-#pod * C<verify_SSL> — A boolean that indicates whether to validate the SSL
	-#pod certificate of an C<https> — connection (default is false)
	+#pod * C<verify_SSL> — A boolean that indicates whether to validate the TLS/SSL
	+#pod certificate of an C<https> — connection (default is true). Changed from false
	+#pod to true in version 0.083.
	#pod * C<SSL_options> — A hashref of C<SSL_*> — options to pass through to
	#pod L<IO::Socket::SSL>
	+#pod * C<$ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT}> - Changes the default
	+#pod certificate verification behavior to not check server identity if set to 1.
	+#pod Only effective if C<verify_SSL> is not set. Added in version 0.083.
	#pod
	#pod An accessor/mutator method exists for each attribute.
	#pod
	@@ -111,11 +115,17 @@ sub timeout {
	sub new {
	my($class, %args) = @_;

	+ # Support lower case verify_ssl argument, but only if verify_SSL is not
	+ # true.
	+ if ( exists $args{verify_ssl} ) {
	+ $args{verify_SSL} \|\|= $args{verify_ssl};
	+ }
	+
	my $self = {
	max_redirect => 5,
	timeout => defined $args{timeout} ? $args{timeout} : 60,
	keep_alive => 1,
	- verify_SSL => $args{verify_SSL} \|\| $args{verify_ssl} \|\| 0, # no verification by default
	+ verify_SSL => defined $args{verify_SSL} ? $args{verify_SSL} : _verify_SSL_default(),
	no_proxy => $ENV{no_proxy},
	};

	@@ -134,6 +144,13 @@ sub new {
	return $self;
	}

	+sub _verify_SSL_default {
	+ my ($self) = @_;
	+ # Check if insecure default certificate verification behaviour has been
	+ # changed by the user by setting PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT=1
	+ return (($ENV{PERL_HTTP_TINY_INSECURE_BY_DEFAULT} \|\| '') eq '1') ? 0 : 1;
	+}
	+
	sub _set_proxies {
	my ($self) = @_;

	@@ -1055,7 +1072,7 @@ sub new {
	timeout => 60,
	max_line_size => 16384,
	max_header_lines => 64,
	- verify_SSL => 0,
	+ verify_SSL => HTTP::Tiny::_verify_SSL_default(),
	SSL_options => {},
	%args
	}, $class;
	@@ -2043,11 +2060,11 @@ proxy
	timeout
	verify_SSL

	-=head1 SSL SUPPORT
	+=head1 TLS/SSL SUPPORT

	Direct C<https> connections are supported only if L<IO::Socket::SSL> 1.56 or
	greater and L<Net::SSLeay> 1.49 or greater are installed. An error will occur
	-if new enough versions of these modules are not installed or if the SSL
	+if new enough versions of these modules are not installed or if the TLS
	encryption fails. You can also use C<HTTP::Tiny::can_ssl()> utility function
	that returns boolean to see if the required modules are installed.

	@@ -2055,7 +2072,7 @@ An C<https> connection may be made via an C<http> proxy that supports the CONNEC
	command (i.e. RFC 2817). You may not proxy C<https> via a proxy that itself
	requires C<https> to communicate.

	-SSL provides two distinct capabilities:
	+TLS/SSL provides two distinct capabilities:

	=over 4

	@@ -2069,24 +2086,17 @@ Verification of server identity

	=back

	-B<By default, HTTP::Tiny does not verify server identity>.
	-
	-Server identity verification is controversial and potentially tricky because it
	-depends on a (usually paid) third-party Certificate Authority (CA) trust model
	-to validate a certificate as legitimate. This discriminates against servers
	-with self-signed certificates or certificates signed by free, community-driven
	-CA's such as L<CAcert.org\|http://cacert.org>.
	+B<By default, HTTP::Tiny verifies server identity>.

	-By default, HTTP::Tiny does not make any assumptions about your trust model,
	-threat level or risk tolerance. It just aims to give you an encrypted channel
	-when you need one.
	+This was changed in version 0.083 due to security concerns. The previous default
	+behavior can be enabled by setting C<$ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT}>
	+to 1.

	-Setting the C<verify_SSL> attribute to a true value will make HTTP::Tiny verify
	-that an SSL connection has a valid SSL certificate corresponding to the host
	-name of the connection and that the SSL certificate has been verified by a CA.
	-Assuming you trust the CA, this will protect against a L<man-in-the-middle
	-attack\|http://en.wikipedia.org/wiki/Man-in-the-middle_attack>. If you are
	-concerned about security, you should enable this option.
	+Verification is done by checking that that the TLS/SSL connection has a valid
	+certificate corresponding to the host name of the connection and that the
	+certificate has been verified by a CA. Assuming you trust the CA, this will
	+protect against L<machine-in-the-middle
	+attacks\|http://en.wikipedia.org/wiki/Machine-in-the-middle_attack>.

	Certificate verification requires a file containing trusted CA certificates.

	@@ -2094,9 +2104,7 @@ If the environment variable C<SSL_CERT_FILE> is present, HTTP::Tiny
	will try to find a CA certificate file in that location.

	If the L<Mozilla::CA> module is installed, HTTP::Tiny will use the CA file
	-included with it as a source of trusted CA's. (This means you trust Mozilla,
	-the author of Mozilla::CA, the CPAN mirror where you got Mozilla::CA, the
	-toolchain used to install it, and your operating system security, right?)
	+included with it as a source of trusted CA's.

	If that module is not available, then HTTP::Tiny will search several
	system-specific default locations for a CA certificate file:
	@@ -2115,13 +2123,33 @@ system-specific default locations for a CA certificate file:

	/etc/ssl/ca-bundle.pem

	+=item *
	+
	+/etc/openssl/certs/ca-certificates.crt
	+
	+=item *
	+
	+/etc/ssl/cert.pem
	+
	+=item *
	+
	+/usr/local/share/certs/ca-root-nss.crt
	+
	+=item *
	+
	+/etc/pki/tls/cacert.pem
	+
	+=item *
	+
	+/etc/certs/ca-certificates.crt
	+
	=back

	An error will be occur if C<verify_SSL> is true and no CA certificate file
	is available.

	-If you desire complete control over SSL connections, the C<SSL_options> attribute
	-lets you provide a hash reference that will be passed through to
	+If you desire complete control over TLS/SSL connections, the C<SSL_options>
	+attribute lets you provide a hash reference that will be passed through to
	C<IO::Socket::SSL::start_SSL()>, overriding any options set by HTTP::Tiny. For
	example, to provide your own trusted CA file:

	@@ -2131,7 +2159,7 @@ example, to provide your own trusted CA file:

	The C<SSL_options> attribute could also be used for such things as providing a
	client certificate for authentication to a server or controlling the choice of
	-cipher used for the SSL connection. See L<IO::Socket::SSL> documentation for
	+cipher used for the TLS/SSL connection. See L<IO::Socket::SSL> documentation for
	details.

	=head1 PROXY SUPPORT
	--
	2.40.0