From ce01aa37bfb1efc0fbed084af071531b2d3aa80c Mon Sep 17 00:00:00 2001
From: Soumya
Date: Mon, 12 Jun 2023 03:47:36 +0000
Subject: perl: fix CVE-2023-31484
CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS.
(From OE-Core rev: c87f6b088105676cd2e6216b1a9c62e7e754347c)
Signed-off-by: Soumya
Signed-off-by: Alexandre Belloni
Signed-off-by: Richard Purdie
---
 .../perl/files/CVE-2023-31484.patch | 29 ++++++++++++++++++++++
 meta/recipes-devtools/perl/perl_5.36.1.bb | 1 +
 2 files changed, 30 insertions(+)
 create mode 100644 meta/recipes-devtools/perl/files/CVE-2023-31484.patch
(limited to 'meta/recipes-devtools/perl')
diff --git a/meta/recipes-devtools/perl/files/CVE-2023-31484.patch b/meta/recipes-devtools/perl/files/CVE-2023-31484.patch
new file mode 100644
index 0000000000..9a9117c53a
--- /dev/null
+++ b/meta/recipes-devtools/perl/files/CVE-2023-31484.patch
@@ -0,0 +1,29 @@
+From a625ec2cc3a0b6116c1f8b831d3480deb621c245 Mon Sep 17 00:00:00 2001
+From: Stig Palmquist
+Date: Tue, 28 Feb 2023 11:54:06 +0100
+Subject: [PATCH] Add verify_SSL=>1 to HTTP::Tiny to verify https server
+ identity
+
+CVE: CVE-2023-31484
+
+Upstream-Status: Backport [https://github.com/andk/cpanpm/commit/9c98370287f4e709924aee7c58ef21c85289a7f0]
+
+Signed-off-by: Soumya
+---
+ cpan/CPAN/lib/CPAN/HTTP/Client.pm | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/cpan/CPAN/lib/CPAN/HTTP/Client.pm b/cpan/CPAN/lib/CPAN/HTTP/Client.pm
+index 4fc792c..a616fee 100644
+--- a/cpan/CPAN/lib/CPAN/HTTP/Client.pm
++++ b/cpan/CPAN/lib/CPAN/HTTP/Client.pm
+@@ -32,6 +32,7 @@ sub mirror {
+
+ my $want_proxy = $self->_want_proxy($uri);
+ my $http = HTTP::Tiny->new(
++ verify_SSL => 1,
+ $want_proxy ? (proxy => $self->{proxy}) : ()
+ );
+
+--
+2.40.0
diff --git a/meta/recipes-devtools/perl/perl_5.36.1.bb b/meta/recipes-devtools/perl/perl_5.36.1.bb
index f7d66e6ed9..3db1d9c6ae 100644
--- a/meta/recipes-devtools/perl/perl_5.36.1.bb
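Review bot: The added `++ verify_SSL => 1,` passed to `HTTP::Tiny->new` in cpan/CPAN/lib/CPAN/HTTP/Client.pm turns a silently-insecure download into a fail-closed one, but neither the patch header nor the recipe records the new runtime precondition: with verify_SSL set, HTTP::Tiny refuses the connection unless it can locate a CA store (Mozilla::CA or a system bundle such as /etc/ssl/certs/ca-certificates.crt), so on a target that ships perl without one every https mirror fetch will fail rather than be verified. That is the correct default, but it will present as a regression on minimal images, so I would add one sentence to the patch description, e.g. `With verify_SSL enabled HTTP::Tiny requires a CA bundle (Mozilla::CA or a system ca-certificates file) on the target; https mirrors fail closed without one.`, and consider an RDEPENDS on ca-certificates for whichever split package ships CPAN (presumably a perl-module-* package; confirm against the recipe's packaging). The option is passed unconditionally ahead of the proxy pair, so it applies whether or not a proxy is configured. `sub mirror` begins at the hunk header and continues outside the hunk.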
+++ b/meta/recipes-devtools/perl/perl_5.36.1.bb
@@ -17,6 +17,7 @@ SRC_URI = "https://www.cpan.org/src/5.0/perl-${PV}.tar.gz;name=perl \
 file://0002-Constant-Fix-up-shebang.patch \
 file://determinism.patch \
 file://0001-cpan-Sys-Syslog-Makefile.PL-Fix-_PATH_LOG-for-determ.patch \
+ file://CVE-2023-31484.patch \
 "
 SRC_URI:append:class-native = " \
 file://perl-configpm-switch.patch \
-- cgit v1.2.3-54-g00ecf