Bug#818081: opam: Please apply upstream patch: remove insecure / no-check-certificate flags

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#818081: opam: Please apply upstream patch: remove insecure / no-check-certificate flags
From: Ximin Luo <infinity0@debian.org>
Date: Fri, 11 Mar 2016 17:51:53 +0100
Message-id: <[🔎] 145771511364.19577.6071133417501848925.reportbug@localhost.localdomain>
Reply-to: Ximin Luo <infinity0@debian.org>, 818081@bugs.debian.org

Package: opam
Version: 1.2.2-4.1
Severity: grave
Tags: patch security
Justification: user security hole

Dear Maintainer,

Currently opam forces curl/wget to not check the certificate, allowing a MITM
to inject arbitrary code to users using opam, which eventually will likely be
run by them. This has been fixed upstream:

https://github.com/ocaml/opam/commit/3d43295df3bb9e67e60801d319bf82c2c8a84d24

I have backported the patch to the current version of opam in Debian; see the
attached file. I've also built this myself:

https://people.debian.org/~infinity0/apt/pool/contrib/o/opam

and installed it, ran it, and checked that things still work.

X

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'stable'), (300, 'unstable'), (200, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.3.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages opam depends on:
ii  build-essential  11.7
ii  curl             7.47.0-1
ii  libbz2-1.0       1.0.6-8
ii  libc6            2.21-9
ii  opam-docs        1.2.2-4.1
ii  tar              1.28-2.1
ii  unzip            6.0-20
ii  wget             1.17.1-1+b1
ii  zlib1g           1:1.2.8.dfsg-2+b1

Versions of packages opam recommends:
ii  aspcud     1:1.9.1-2
ii  darcs      2.10.2-1
ii  git        1:2.7.0-1
ii  mercurial  3.5.2-2
ii  ocaml      4.02.3-6
ii  rsync      3.1.1-3

opam suggests no packages.

-- no debconf information

Description: remove insecure / no-check-certificate flags (see mail on opam-devel, #55 #2006)
Author: Hannes Mehnert <hannes@mehnert.org>
Applied-Upstream: 3d43295df3bb9e67e60801d319bf82c2c8a84d24
---
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
--- a/src/core/opamSystem.ml
+++ b/src/core/opamSystem.ml
@@ -694,7 +694,7 @@
   let retry = string_of_int OpamGlobals.download_retry in
   let wget ~compress:_ ?checksum:_ dir src =
     let wget_args = [
-      "--content-disposition"; "--no-check-certificate";
+      "--content-disposition";
       "-t"; retry;
       src
     ] in
@@ -704,7 +704,7 @@
   in
   let curl command ~compress ?checksum:_ dir src =
     let curl_args = [
-      "--write-out"; "%{http_code}\\n"; "--insecure";
+      "--write-out"; "%{http_code}\\n";
       "--retry"; retry; "--retry-delay"; "2";
     ] @ (if compress then ["--compressed"] else []) @ [
         "-OL"; src

Reply to:

Follow-Ups:
- Bug#818081: marked as done (opam: Please apply upstream patch: remove insecure / no-check-certificate flags)
  - From: owner@bugs.debian.org (Debian Bug Tracking System)

Prev by Date: They kill with wars, alcohol and abortions. Save us!!!
Next by Date: Processing of dose3_4.2-1_amd64.changes
Previous by thread: They kill with wars, alcohol and abortions. Save us!!!
Next by thread: Bug#818081: marked as done (opam: Please apply upstream patch: remove insecure / no-check-certificate flags)
Index(es):
- Date
- Thread