
Bug#818081: marked as done (opam: Please apply upstream patch: remove insecure / no-check-certificate flags)



Your message dated Sat, 19 Mar 2016 09:57:45 +0000
with message-id <E1ahDdh-0002RD-95@franck.debian.org>
and subject line Bug#818081: fixed in opam 1.2.2-5
has caused the Debian Bug report #818081,
regarding opam: Please apply upstream patch: remove insecure / no-check-certificate flags
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
818081: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=818081
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: opam
Version: 1.2.2-4.1
Severity: grave
Tags: patch security
Justification: user security hole

Dear Maintainer,

Currently opam forces curl/wget to not check the certificate, allowing a MITM
to inject arbitrary code to users using opam, which eventually will likely be
run by them. This has been fixed upstream:

https://github.com/ocaml/opam/commit/3d43295df3bb9e67e60801d319bf82c2c8a84d24

I have backported the patch to the current version of opam in Debian; see the
attached file. I've also built this myself:

https://people.debian.org/~infinity0/apt/pool/contrib/o/opam

and installed it, ran it, and checked that things still work.

X

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'stable'), (300, 'unstable'), (200, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.3.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages opam depends on:
ii  build-essential  11.7
ii  curl             7.47.0-1
ii  libbz2-1.0       1.0.6-8
ii  libc6            2.21-9
ii  opam-docs        1.2.2-4.1
ii  tar              1.28-2.1
ii  unzip            6.0-20
ii  wget             1.17.1-1+b1
ii  zlib1g           1:1.2.8.dfsg-2+b1

Versions of packages opam recommends:
ii  aspcud     1:1.9.1-2
ii  darcs      2.10.2-1
ii  git        1:2.7.0-1
ii  mercurial  3.5.2-2
ii  ocaml      4.02.3-6
ii  rsync      3.1.1-3

opam suggests no packages.

-- no debconf information
Description: remove insecure / no-check-certificate flags (see mail on opam-devel, #55 #2006)
Author: Hannes Mehnert <hannes@mehnert.org>
Applied-Upstream: 3d43295df3bb9e67e60801d319bf82c2c8a84d24
---
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
--- a/src/core/opamSystem.ml
+++ b/src/core/opamSystem.ml
@@ -694,7 +694,7 @@
   let retry = string_of_int OpamGlobals.download_retry in
   let wget ~compress:_ ?checksum:_ dir src =
     let wget_args = [
-      "--content-disposition"; "--no-check-certificate";
+      "--content-disposition";
       "-t"; retry;
       src
     ] in
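Review bot: dropping `--no-check-certificate` is the right fix (wget verifies server certificates by default, so nothing needs to be added in its place), but this hunk changes user-visible behaviour without a note anywhere: a mirror whose certificate does not chain to the system CA bundle now fails to download, and users of private or self-signed repositories need to be told to add the CA to the system store rather than re-add the flag. Suggest a changelog or NEWS entry alongside the patch, and since `-t`/`retry` stays in the list, confirm that the retry loop does not hide the verification error behind a generic "download failed".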
@@ -704,7 +704,7 @@
   in
   let curl command ~compress ?checksum:_ dir src =
     let curl_args = [
-      "--write-out"; "%{http_code}\\n"; "--insecure";
+      "--write-out"; "%{http_code}\\n";
       "--retry"; retry; "--retry-delay"; "2";
     ] @ (if compress then ["--compressed"] else []) @ [
         "-OL"; src
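Review bot: removing `--insecure` makes curl fail closed, which is correct, but `--write-out "%{http_code}\n"` is kept and the caller (outside this hunk) evidently judges success from that value; when the TLS handshake is rejected there is no HTTP response at all, so check that the caller reports curl's non-zero exit status as a certificate problem rather than as an HTTP error. `--retry retry` is also unchanged here; a certificate mismatch is not a transient failure, so it is worth confirming the retries do not just repeat the same rejected handshake.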

--- End Message ---
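As an added example (not code from opam, the reporter or the Debian package), a small POSIX sh audit that rejects a wget or curl argument list containing the certificate-verification-disabling flags this report is about, run over constructed argument lists that mirror the before/after of the two hunks. The handling of curl's bundled short option `-k` (e.g. `-OkL`) is an assumption about how such wrappers are typically invoked, not something the patch shows.

```shell
#!/bin/sh
# Added example, not code from opam or from the bug report above. It audits
# the argument list a wrapper hands to wget or curl and rejects the flags
# that disable TLS certificate verification, i.e. the ones the patch removes.

# audit_tls_flags TOOL ARG... : return 0 if every ARG leaves certificate
# verification on, 1 (with a message on stderr) at the first ARG that
# turns it off. TOOL is "wget" or "curl"; the flag sets differ per tool.
audit_tls_flags() {
    tool=$1; shift
    for arg in "$@"; do
        bad=0
        case "$tool:$arg" in
            wget:--no-check-certificate) bad=1 ;;
            curl:--insecure|curl:--proxy-insecure) bad=1 ;;
            # curl's short form -k, alone or bundled with others (-kL, -OkL)
            curl:-k*|curl:-[!-]*k*) bad=1 ;;
        esac
        if [ "$bad" -eq 1 ]; then
            echo "$tool: argument '$arg' disables certificate verification" >&2
            return 1
        fi
    done
    return 0
}

# Constructed argument lists that mirror the before/after of the two hunks
# (retry count fixed at 3, URL omitted).
OLD_WGET="--content-disposition --no-check-certificate -t 3"
NEW_WGET="--content-disposition -t 3"
OLD_CURL="--write-out %{http_code} --insecure --retry 3 --retry-delay 2 --compressed -OL"
NEW_CURL="--write-out %{http_code} --retry 3 --retry-delay 2 --compressed -OL"

# report LABEL TOOL ARG... : one summary line per argument list.
report() {
    label=$1; tool=$2; shift 2
    if audit_tls_flags "$tool" "$@" 2>/dev/null; then
        echo "$label: verification on"
    else
        echo "$label: REJECTED (verification disabled)"
    fi
}

report "wget before patch" wget $OLD_WGET
report "wget after patch"  wget $NEW_WGET
report "curl before patch" curl $OLD_CURL
report "curl after patch"  curl $NEW_CURL
```

The same function can be dropped into a package build or CI step so that a flag like this cannot silently return.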
--- Begin Message ---
Source: opam
Source-Version: 1.2.2-5

We believe that the bug you reported is fixed in the latest version of
opam, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 818081@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mehdi Dogguy <mehdi@debian.org> (supplier of updated opam package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sat, 19 Mar 2016 08:44:34 +0100
Source: opam
Binary: opam opam-docs
Architecture: source amd64 all
Version: 1.2.2-5
Distribution: unstable
Urgency: medium
Maintainer: Debian OCaml Maintainers <debian-ocaml-maint@lists.debian.org>
Changed-By: Mehdi Dogguy <mehdi@debian.org>
Description:
 opam       - package manager for OCaml
 opam-docs  - package manager for OCaml (documentation)
Closes: 818081
Changes:
 opam (1.2.2-5) unstable; urgency=medium
 .
   * Stop using insecure and no-check-certificate flags (Closes: #818081).
     - add patch 0003-remove-insecure-no-check-certificate-flags.patch
     Thanks to Ximin Luo for submitting the bug and providing the patch.


--- End Message ---
