Processed: Re: Bug#883292: jessie-pu: package libio-socket-ssl-perl/2.002-2+deb8u3
Processing control commands:

> tags -1 + pending
Bug #883292 [release.debian.org] jessie-pu: package libio-socket-ssl-perl/2.002-2+deb8u3
Added tag(s) pending.

--
883292: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=883292
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#883292: jessie-pu: package libio-socket-ssl-perl/2.002-2+deb8u3
Control: tags -1 + pending

On Fri, 2017-12-01 at 23:50 +0100, Salvatore Bonaccorso wrote:
> Hello Adam,
>
> On Fri, Dec 01, 2017 at 08:28:47PM +, Adam D. Barratt wrote:
> > Control: tags -1 + confirmed
> >
> > On Fri, 2017-12-01 at 20:47 +0100, Salvatore Bonaccorso wrote:
> > > I know the window for the upcoming point release is this weekend, so
> > > this one might not make it in time. It was reported that the version
> > > in jessie of libio-socket-ssl-perl might segfault when using malformed
> > > client certificates, cf. #881711.
> > >
> > > For jessie this issue is open, and the reporter confirmed that the
> > > patch fixes the issue there, so I cherry-picked the change for
> > > jessie.
> > >
> > > Attached is the resulting debdiff; would it be fine to include it in
> > > this (or any further point release)?
> > >
> >
> > Please go ahead.
>
> Thank you, just uploaded.
>

Flagged for acceptance.

Regards,

Adam
Bug#883292: jessie-pu: package libio-socket-ssl-perl/2.002-2+deb8u3
Hello Adam,

On Fri, Dec 01, 2017 at 08:28:47PM +, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
>
> On Fri, 2017-12-01 at 20:47 +0100, Salvatore Bonaccorso wrote:
> > I know the window for the upcoming point release is this weekend, so
> > this one might not make it in time. It was reported that the version
> > in jessie of libio-socket-ssl-perl might segfault when using malformed
> > client certificates, cf. #881711.
> >
> > For jessie this issue is open, and the reporter confirmed that the
> > patch fixes the issue there, so I cherry-picked the change for
> > jessie.
> >
> > Attached is the resulting debdiff; would it be fine to include it in
> > this (or any further point release)?
> >
>
> Please go ahead.

Thank you, just uploaded.

Regards,
Salvatore
Processed: Re: Bug#883292: jessie-pu: package libio-socket-ssl-perl/2.002-2+deb8u3
Processing control commands:

> tags -1 + confirmed
Bug #883292 [release.debian.org] jessie-pu: package libio-socket-ssl-perl/2.002-2+deb8u3
Added tag(s) confirmed.

--
883292: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=883292
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#883292: jessie-pu: package libio-socket-ssl-perl/2.002-2+deb8u3
Control: tags -1 + confirmed

On Fri, 2017-12-01 at 20:47 +0100, Salvatore Bonaccorso wrote:
> I know the window for the upcoming point release is this weekend, so
> this one might not make it in time. It was reported that the version
> in jessie of libio-socket-ssl-perl might segfault when using malformed
> client certificates, cf. #881711.
>
> For jessie this issue is open, and the reporter confirmed that the
> patch fixes the issue there, so I cherry-picked the change for
> jessie.
>
> Attached is the resulting debdiff; would it be fine to include it in
> this (or any further point release)?
>

Please go ahead.

Regards,

Adam
Bug#883292: jessie-pu: package libio-socket-ssl-perl/2.002-2+deb8u3
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hi SRM

I know the window for the upcoming point release is this weekend, so this one might not make it in time. It was reported that the version in jessie of libio-socket-ssl-perl might segfault when using malformed client certificates, cf. #881711.

For jessie this issue is open, and the reporter confirmed that the patch fixes the issue there, so I cherry-picked the change for jessie.

Attached is the resulting debdiff; would it be fine to include it in this (or any further point release)?

Regards,
Salvatore

diff -Nru libio-socket-ssl-perl-2.002/debian/changelog libio-socket-ssl-perl-2.002/debian/changelog --- libio-socket-ssl-perl-2.002/debian/changelog2016-10-08 17:26:51.0 +0200 +++ libio-socket-ssl-perl-2.002/debian/changelog2017-12-01 20:40:51.0 +0100 @@ -1,3 +1,9 @@ +libio-socket-ssl-perl (2.002-2+deb8u3) jessie; urgency=medium + + * Fix segfault using malformed client certificates (Closes: #881711) + + -- Salvatore BonaccorsoFri, 01 Dec 2017 20:40:51 +0100 + libio-socket-ssl-perl (2.002-2+deb8u2) jessie; urgency=medium * Add 0001-remove-r-for-checking-SSL_-cert-key-_file-since-this.patch. diff -Nru libio-socket-ssl-perl-2.002/debian/patches/0001-Propagate-error-if-cert-key-could-not-be-used-instea.patch libio-socket-ssl-perl-2.002/debian/patches/0001-Propagate-error-if-cert-key-could-not-be-used-instea.patch --- libio-socket-ssl-perl-2.002/debian/patches/0001-Propagate-error-if-cert-key-could-not-be-used-instea.patch 1970-01-01 01:00:00.0 +0100 +++ libio-socket-ssl-perl-2.002/debian/patches/0001-Propagate-error-if-cert-key-could-not-be-used-instea.patch 2017-12-01 20:40:51.0 +0100 
@@ -0,0 +1,25 @@ +From: Steffen Ullrich +Date: Sun, 26 Oct 2014 18:23:15 +0100 +Subject: Propagate error if cert/key could not be used instead of continuing + with an invalid context which might cause a segmentation fault +Origin: https://github.com/noxxi/p5-io-socket-ssl/commit/a09f29f423859565bc0384dcfbbc75811d9e4e4a +Bug-Debian: https://bugs.debian.org/881711 + +--- + +diff --git a/lib/IO/Socket/SSL.pm b/lib/IO/Socket/SSL.pm +index 13c6680..2330b45 100644 +--- a/lib/IO/Socket/SSL.pm b/lib/IO/Socket/SSL.pm +@@ -489,7 +489,7 @@ sub configure_SSL { + + # create context + # this will fill in defaults in $arg_hash +-$ctx ||= IO::Socket::SSL::SSL_Context->new($arg_hash); ++$ctx ||= IO::Socket::SSL::SSL_Context->new($arg_hash) || return; + + ${*$self}{'_SSL_arguments'} = $arg_hash; + ${*$self}{'_SSL_ctx'} = $ctx; +-- +2.15.1 + diff -Nru libio-socket-ssl-perl-2.002/debian/patches/series libio-socket-ssl-perl-2.002/debian/patches/series --- libio-socket-ssl-perl-2.002/debian/patches/series 2016-10-08 17:26:51.0 +0200 +++ libio-socket-ssl-perl-2.002/debian/patches/series 2017-12-01 20:40:51.0 +0100 @@ -1,3 +1,4 @@ 0001-use-only-ICANN-part-in-public-suffix-list.patch 0001-make-PublicSuffix-_default_data-thread-safe-by-stori.patch 0001-remove-r-for-checking-SSL_-cert-key-_file-since-this.patch +0001-Propagate-error-if-cert-key-could-not-be-used-instea.patch
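
Review bot: In the configure_SSL hunk of the embedded upstream patch (lib/IO/Socket/SSL.pm, around line 489), the added "|| return" is a bare return with no diagnostic at this site, so the fix relies on IO::Socket::SSL::SSL_Context->new having recorded the error before it returns false, and on every caller of configure_SSL treating a false result as failure. Both are worth confirming against the 2.002 source, since this backports a commit dated 2014 onto the jessie version. Precedence is fine as written: "||=" binds looser than "||", so an existing $ctx is kept and the return only fires when the constructor fails. The debdiff adds no regression test; a test that sets up a socket with a malformed client certificate (the case from #881711) and expects an error rather than a crash would keep the early return from being lost in a later refresh of the patch series.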
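
Review bot: The new debian/changelog entry for 2.002-2+deb8u3 describes the fix but does not name the patch file it introduces, whereas the deb8u2 entry directly below it does ("Add 0001-remove-r-for-checking-SSL_-cert-key-_file-since-this.patch."). Suggest adding a line naming 0001-Propagate-error-if-cert-key-could-not-be-used-instea.patch so the entry can be matched to the line appended in debian/patches/series without opening the debdiff.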