509666 – (CVE-2014-3230) =dev-perl/LWP-Protocol-https-6.60.0: incorrect handling of SSL certificate verification (CVE-2014-3230)

Bug 509666 (CVE-2014-3230) - =dev-perl/LWP-Protocol-https-6.60.0: incorrect handling of SSL certificate verification (CVE-2014-3230)

Summary: =dev-perl/LWP-Protocol-https-6.60.0: incorrect handling of SSL certificate ve...

Status:	RESOLVED FIXED

Alias:	CVE-2014-3230

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor
Assignee:	Gentoo Security

URL:	https://bugzilla.redhat.com/show_bug....
Whiteboard:	~4 [noglsa]
Keywords:

Depends on:
Blocks:

Reported:	2014-05-06 07:36 UTC by Agostino Sarubbo
Modified:	2023-07-09 23:02 UTC (History)
CC List:	0 users

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Agostino Sarubbo gentoo-dev

2014-05-06 07:36:17 UTC

From ${URL} :

It was reported [1] that libwww-perl (LWP), when using IO::Socket::SSL (the default) and when the HTTPS_CA_DIR or HTTPS_CA_FILE environment variables were set, would disable server certificate verification.  Judging by the commit [2], the intention was to disable only hostname 
verification for compatibility with Crypt::SSLeay, but the resultant effect is that SSL_verify_mode is set to 0.  This code was introduced in LWP::Protocol::https in version 6.04, so earlier versions are not vulnerable.

Potential patches [3],[4] are being discussed upstream [5].

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746579
[2] https://github.com/dagolden/lwp-protocol-https/commit/bcc46ce2dab53d2e2baa583f2243d6fc7d36dcc8
[3] https://github.com/noxxi/lwp-protocol-https/commit/1b924708663f457a4f7c25ed35d7dfb3bb5b334d
[4] https://github.com/noxxi/lwp-protocol-https/commit/6b5c876de80451ee54de5d853de37a62e26bf6fe
[5] https://github.com/libwww-perl/lwp-protocol-https/pull/14


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.

Comment 1 Andreas K. Hüttel archtester

2014-10-26 22:37:36 UTC

This is in a different package, namely dev-perl/LWP-Protocol-https

Comment 2 Andreas K. Hüttel archtester

2014-10-26 22:43:07 UTC

Stable dev-perl/LWP-Protocol-https-6.3.0-r1 is (according to RH bug) not affected. 

Upstream has released several new versions since 6.40.0, but they do not contain the RH patches; this code section is unmodified.

Comment 3 Andreas K. Hüttel archtester

2014-10-26 23:10:55 UTC

Version bump dev-perl/LWP-Protocol-https-6.60.0 added with a patch addressing this issue. 

Affected version dev-perl/LWP-Protocol-https-6.40.0 removed. 

Stable is not affected.

Comment 4 Agostino Sarubbo gentoo-dev

2014-10-27 11:04:01 UTC

Closing as noglsa.

Comment 5 Larry the Git Cow gentoo-dev

2023-07-09 23:02:34 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0ac7abfe1692a264f7fbb2446fdc161eb50d766d

commit 0ac7abfe1692a264f7fbb2446fdc161eb50d766d
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-07-09 22:58:21 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-07-09 23:01:51 +0000

    dev-perl/LWP-Protocol-https: add 6.110.0
    
    Bug: https://bugs.gentoo.org/358081
    Bug: https://bugs.gentoo.org/509666
    Signed-off-by: Sam James <sam@gentoo.org>

 .../LWP-Protocol-https-6.110.0.ebuild              | 28 ++++++++++++++++++++++
 dev-perl/LWP-Protocol-https/Manifest               |  1 +
 2 files changed, 29 insertions(+)