Wed May 28 19:45:34 2014 UTC ()
Pullup ticket #4423 - requested by taca
www/p5-LWP-Protocol-https: security patch

Apply patch to fix CVE-2014-3230.


(tron)
diff -r1.11 -r1.11.6.1 pkgsrc/www/p5-LWP-Protocol-https/Makefile
diff -r1.3 -r1.3.6.1 pkgsrc/www/p5-LWP-Protocol-https/distinfo
diff -r0 -r1.1.2.2 pkgsrc/www/p5-LWP-Protocol-https/patches/patch-lib_LWP_Protocol_https.pm

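--- a/pkgsrc/www/p5-LWP-Protocol-https/Makefile
+++ b/pkgsrc/www/p5-LWP-Protocol-https/Makefile
@@ -1,17 +1,18 @@
-# $NetBSD: Makefile,v 1.11 2013/07/10 02:51:56 schmonz Exp $
+# $NetBSD: Makefile,v 1.11.6.1 2014/05/28 19:45:34 tron Exp $
 
 DISTNAME= LWP-Protocol-https-6.04
 PKGNAME= p5-${DISTNAME}
+PKGREVISION= 1
 CATEGORIES= www perl5
 MASTER_SITES= ${MASTER_SITE_PERL_CPAN:=LWP/}
 
 MAINTAINER= pkgsrc-users@NetBSD.org
 HOMEPAGE= http://search.cpan.org/dist/LWP-Protocol-https/
 COMMENT= Provide https support for LWP::UserAgent
 LICENSE= ${PERL5_LICENSE}
 
 CONFLICTS+= p5-libwww<6.02
 
 DEPENDS+= p5-IO-Socket-SSL>=1.38:../../security/p5-IO-Socket-SSL
 DEPENDS+= p5-Mozilla-CA>=20110101:../../security/p5-Mozilla-CA
 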

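--- a/pkgsrc/www/p5-LWP-Protocol-https/distinfo
+++ b/pkgsrc/www/p5-LWP-Protocol-https/distinfo
@@ -1,5 +1,6 @@
-$NetBSD: distinfo,v 1.3 2013/07/10 02:51:56 schmonz Exp $
+$NetBSD: distinfo,v 1.3.6.1 2014/05/28 19:45:34 tron Exp $
 
 SHA1 (LWP-Protocol-https-6.04.tar.gz) = 5a63cb409ff4ba34006d5a45120e7facc52dc837
 RMD160 (LWP-Protocol-https-6.04.tar.gz) = cc430e930aa607c1436b2be94d171c1192f64f3f
 Size (LWP-Protocol-https-6.04.tar.gz) = 4035 bytes
+SHA1 (patch-lib_LWP_Protocol_https.pm) = 790507e4e14a1d8cf679f1089cea8fa457bb559d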

File Added: pkgsrc/www/p5-LWP-Protocol-https/patches/patch-lib_LWP_Protocol_https.pm
$NetBSD: patch-lib_LWP_Protocol_https.pm,v 1.1.2.2 2014/05/28 19:45:34 tron Exp $

Fix for CVE-2014-3230 from
https://github.com/libwww-perl/lwp-protocol-https/pull/14

--- lib/LWP/Protocol/https.pm.orig	2013-04-29 21:16:18.000000000 +0000
+++ lib/LWP/Protocol/https.pm
@@ -20,7 +20,11 @@ sub _extra_sock_opts
 	$ssl_opts{SSL_verifycn_scheme} = 'www';
     }
     else {
-	$ssl_opts{SSL_verify_mode} = 0;
+	if ( $Net::HTTPS::SSL_SOCKET_CLASS eq 'Net::SSL' ) {
+	    $ssl_opts{SSL_verifycn_scheme} = '';
+	} else {
+	    $ssl_opts{SSL_verifycn_scheme} = 'none';
+	}
     }
     if ($ssl_opts{SSL_verify_mode}) {
 	unless (exists $ssl_opts{SSL_ca_file} || exists $ssl_opts{SSL_ca_path}) {
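Review bot: With the `SSL_verify_mode = 0` assignment gone, the else branch leaves `$ssl_opts{SSL_verify_mode}` exactly as the caller supplied it, so the `if ($ssl_opts{SSL_verify_mode})` guard directly below is skipped whenever no mode was passed, and the CA-file/CA-path handling under it never runs. In that case whether the peer certificate chain is checked presumably falls to the socket class's own default, which is not visible here and may differ across the IO::Socket::SSL versions the package accepts (the Makefile only requires `>=1.38`). That dependency deserves a comment in the else branch, e.g. `# verify_hostname off: drop only the name check; SSL_verify_mode stays as the caller set it (unset => socket class default)`, and the two scheme values (`''` for Net::SSL, `'none'` otherwise) should get a one-line explanation as well. `_extra_sock_opts` starts and ends outside the hunk, so how `SSL_verify_mode` is populated earlier cannot be confirmed from here.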