Bug#818081: opam: Please apply upstream patch: remove insecure / no-check-certificate flags
Package: opam
Version: 1.2.2-4.1
Severity: grave
Tags: patch security
Justification: user security hole
Dear Maintainer,
Currently opam forces curl/wget to not check the certificate, allowing a MITM
to inject arbitrary code to users using opam, which eventually will likely be
run by them. This has been fixed upstream:
https://github.com/ocaml/opam/commit/3d43295df3bb9e67e60801d319bf82c2c8a84d24
I have backported the patch to the current version of opam in Debian; see the
attached file. I've also built this myself:
https://people.debian.org/~infinity0/apt/pool/contrib/o/opam
and installed it, ran it, and checked that things still work.
-- System Information:
Debian Release: stretch/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'stable'), (300, 'unstable'), (200, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.3.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages opam depends on:
ii build-essential 11.7
ii curl 7.47.0-1
ii libbz2-1.0 1.0.6-8
ii libc6 2.21-9
ii opam-docs 1.2.2-4.1
ii tar 1.28-2.1
ii unzip 6.0-20
ii wget 1.17.1-1+b1
ii zlib1g 1:1.2.8.dfsg-2+b1
Versions of packages opam recommends:
ii aspcud 1:1.9.1-2
ii darcs 2.10.2-1
ii git 1:2.7.0-1
ii mercurial 3.5.2-2
ii ocaml 4.02.3-6
ii rsync 3.1.1-3
opam suggests no packages.
-- no debconf information
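As an added illustration of the flags this report is about (example script, not part of the bug report or of opam): a POSIX shell audit that scans source or build files for curl/wget invocations which disable certificate verification, so a packager can catch a reintroduced `--insecure` or `--no-check-certificate` before it ships. The function names, the `-k` handling and the sample input are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the bug report or from opam): audit files for
# curl/wget flags that turn off TLS certificate verification.

# Long-form flags that disable certificate checking in curl and wget.
# curl's short form -k is matched only as a standalone quoted or
# whitespace-delimited token, so options such as "-t" or "--retry-delay"
# do not trigger a false positive.
LONG_FLAGS='--insecure|--no-check-certificate'
SHORT_FLAG='(^|[[:space:]"])-k([[:space:]"]|$)'

# find_insecure_flags FILE...
# Prints each hit as FILE:LINE:TEXT. Exit status is grep's: 0 when at
# least one hit was found, 1 when the files are clean, 2 on error.
find_insecure_flags() {
    grep -nHE -e "$LONG_FLAGS" -e "$SHORT_FLAG" -- "$@"
}

# count_insecure_flags FILE...
# Echoes the number of offending lines (0 for clean files); usable as a
# CI gate, e.g.: [ "$(count_insecure_flags src/*.ml)" = 0 ] || exit 1
count_insecure_flags() {
    find_insecure_flags "$@" 2>/dev/null | wc -l | tr -d ' '
}

# Constructed sample input modelled on the pre-patch argument lists in
# opamSystem.ml, plus one curl short-form hit and one clean line.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
let wget_args = [
    "--content-disposition"; "--no-check-certificate";
    "-t"; retry;
] in
let curl_args = [
    "--write-out"; "%{http_code}\\n"; "--insecure";
    "--retry"; retry; "--retry-delay"; "2";
    "-k"; src
] in
let ssh_args = [ "-i"; keyfile ] in
EOF

# Running the file directly lists the three offending lines of the sample.
find_insecure_flags "$SAMPLE" || echo "no insecure flags found"
```

The exit status of `find_insecure_flags` follows grep, so a hit is "success" for the scanner; use `count_insecure_flags` when the check should fail a build on any hit.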
Description: remove insecure / no-check-certificate flags (see mail on opam-devel, #55 #2006)
Author: Hannes Mehnert <hannes@mehnert.org>
Applied-Upstream: 3d43295df3bb9e67e60801d319bf82c2c8a84d24
---
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
--- a/src/core/opamSystem.ml
+++ b/src/core/opamSystem.ml
@@ -694,7 +694,7 @@
let retry = string_of_int OpamGlobals.download_retry in
let wget ~compress:_ ?checksum:_ dir src =
let wget_args = [
- "--content-disposition"; "--no-check-certificate";
+ "--content-disposition";
"-t"; retry;
src
] in
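Review bot: dropping `--no-check-certificate` makes wget fail closed on an untrusted certificate instead of silently skipping verification, which is the right fix, but nothing in the patch or the "Versions of packages opam depends on" list above provides a CA bundle (curl and wget are listed, ca-certificates is not), so a minimal install will now see downloads fail rather than succeed insecurely; worth a changelog note or a dependency on the Debian side. Also note that `?checksum:_` on the `let wget` line discards the checksum argument, so after this change TLS verification is the only integrity check on what wget fetches.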
@@ -704,7 +704,7 @@
in
let curl command ~compress ?checksum:_ dir src =
let curl_args = [
- "--write-out"; "%{http_code}\\n"; "--insecure";
+ "--write-out"; "%{http_code}\\n";
"--retry"; retry; "--retry-delay"; "2";
] @ (if compress then ["--compressed"] else []) @ [
"-OL"; src
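Review bot: with `--insecure` removed, the `-L` in `"-OL"` still follows redirects, and curl now verifies the certificate of every hop, so a redirect to a host presenting an untrusted certificate is rejected rather than followed; that is the intended behaviour and needs no further change here. As in the wget hunk, `?checksum:_` on the `let curl` line throws the checksum away, so the download's integrity rests entirely on the verification this hunk restores; a follow-up that honours `checksum` when the caller supplies one would be a reasonable separate change.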