perl: patch for CVE-2023-31486 seems to be ineffective
Hi Alpine!
Just had a look at the HTTP-Tiny patch in d7dfdb99 for CVE-2023-31486:
$ cd perl-5.36.1/
$ curl -s https://gitlab.alpinelinux.org/alpine/aports/-/raw/d7dfdb999b89775d1137b885bf659e7eb6af0076/main/perl/default-https-perl-http-tiny.patch | patch -p1
$ perl -Icpan/HTTP-Tiny/lib -MHTTP::Tiny -E '$t=HTTP::Tiny->new()->get("https://wrong.host.badssl.com/"); $t->{success} ? say "$t->{status} $t->{reason}" : die $t->{content};'
200 OK
The patch modifies the initial value of verify_SSL in the HTTP::Tiny::Handle class, but the change is ineffective as it is overridden by a default 0 value in the constructor on line 118:
verify_SSL => $args{verify_SSL} || $args{verify_ssl} || 0, # no verification by default
I suggest also patching the constructor:
diff --git a/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm b/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm
index 83ca06d18c..081a74b0cf 100644
--- a/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm
+++ b/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm
@@ -115,7 +115,7 @@ sub new {
max_redirect => 5,
timeout => defined $args{timeout} ? $args{timeout} : 60,
keep_alive => 1,
- verify_SSL => $args{verify_SSL} || $args{verify_ssl} || 0, # no verification by default
+ verify_SSL => $args{verify_SSL} // $args{verify_ssl} // 1, # verification by default
no_proxy => $ENV{no_proxy},
};
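Review bot: the `||` to `//` switch on the `verify_SSL` line is essential rather than cosmetic, and the commit message should say so: with `|| 1` an explicit `verify_SSL => 0` would be treated as false and replaced by the default, making it impossible to opt out. One behaviour change to call out: a caller passing both `verify_SSL => 0` and `verify_ssl => 1` now gets 0 (the first defined value) where the old `||` chain yielded 1.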
@@ -1055,7 +1055,7 @@ sub new {
timeout => 60,
max_line_size => 16384,
max_header_lines => 64,
- verify_SSL => 0,
+ verify_SSL => 1,
SSL_options => {},
%args
}, $class;
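Review bot: because `%args` is spread after `verify_SSL => 1`, this Handle default only applies when no `verify_SSL` key is passed in, and as the report above describes the value chosen in `HTTP::Tiny->new` is what reaches the Handle, which is why the Handle-only change in d7dfdb99 had no effect on the test. The hunk is still worth keeping so that both constructors agree for any code that builds an `HTTP::Tiny::Handle` directly; the first hunk is the one that fixes the reported behaviour.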
With the patch above, requests to https://wrong.host.badssl.com/ fail as expected:
$ cd perl-5.36.1/
$ patch -p1 < ~/perl-5.36.1-http-tiny-updated.patch
$ perl -Icpan/HTTP-Tiny/lib -MHTTP::Tiny -E '$t=HTTP::Tiny->new()->get("https://wrong.host.badssl.com/"); $t->{success} ? say "$t->{status} $t->{reason}" : die $t->{content};'
SSL connection failed for wrong.host.badssl.com: hostname verification failed
There is a new effort to bring this upstream with a patch that also provides an environment variable for users to force disable secure https as an escape hatch:
And, this patch was added to NixOS a while back:
Edited by Stig
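The badssl.com test above needs network access. As an added check that is not part of the report, the following script (my own, not Alpine's or perl's) verifies the effective `verify_SSL` default offline, including that an explicit 0 is still honoured, which distinguishes the `//` form from a naive `|| 1`; it assumes the `verify_SSL` accessor that HTTP::Tiny generates for its constructor attributes.

```perl
#!/usr/bin/env perl
# Offline check of HTTP::Tiny's effective verify_SSL default.
# Added example, not code from the issue report. Assumes the
# verify_SSL accessor HTTP::Tiny generates for its attributes.
use strict;
use warnings;
use HTTP::Tiny;

# Constructor arguments and the verify_SSL value a correctly patched
# HTTP::Tiny (the `//` based hunk) should report for each of them.
my @cases = (
    { args => {},                  want => 1, why => 'no argument: verify by default' },
    { args => { verify_SSL => 0 }, want => 0, why => 'explicit 0 must still be honoured' },
    { args => { verify_ssl => 0 }, want => 0, why => 'lowercase alias, explicit 0' },
    { args => { verify_SSL => 1 }, want => 1, why => 'explicit 1' },
);

# Returns a list of human-readable failures; empty means all cases pass.
sub check_defaults {
    my @failures;
    for my $c (@cases) {
        my $got = HTTP::Tiny->new( %{ $c->{args} } )->verify_SSL ? 1 : 0;
        push @failures, "$c->{why}: wanted $c->{want}, got $got"
            if $got != $c->{want};
    }
    return @failures;
}

my @failures = check_defaults();
if (@failures) {
    print STDERR "verify_SSL default is NOT secure:\n";
    print STDERR "  $_\n" for @failures;
    exit 1;
}
print "verify_SSL defaults look correct (HTTP::Tiny $HTTP::Tiny::VERSION)\n";
```

Run it with the same `-Icpan/HTTP-Tiny/lib` as in the report to test the patched tree rather than the system module; an unpatched or Handle-only-patched HTTP::Tiny fails the first case, and a `|| 1` variant would fail the explicit-0 cases.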