
Bug#818081: marked as done (opam: Please apply upstream patch: remove insecure / no-check-certificate flags)



Your message dated Sun, 24 Apr 2016 16:17:18 +0000
with message-id <E1auMik-0002GH-0Q@franck.debian.org>
and subject line Bug#818081: fixed in opam 1.2.0-1+deb8u1
has caused the Debian Bug report #818081,
regarding opam: Please apply upstream patch: remove insecure / no-check-certificate flags
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
818081: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=818081
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: opam
Version: 1.2.2-4.1
Severity: grave
Tags: patch security
Justification: user security hole

Dear Maintainer,

Currently opam forces curl/wget to not check the certificate, allowing a MITM
to inject arbitrary code to users using opam, which eventually will likely be
run by them. This has been fixed upstream:

https://github.com/ocaml/opam/commit/3d43295df3bb9e67e60801d319bf82c2c8a84d24

I have backported the patch to the current version of opam in Debian; see the
attached file. I've also built this myself:

https://people.debian.org/~infinity0/apt/pool/contrib/o/opam

and installed it, ran it, and checked that things still work.

X

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'stable'), (300, 'unstable'), (200, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.3.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages opam depends on:
ii  build-essential  11.7
ii  curl             7.47.0-1
ii  libbz2-1.0       1.0.6-8
ii  libc6            2.21-9
ii  opam-docs        1.2.2-4.1
ii  tar              1.28-2.1
ii  unzip            6.0-20
ii  wget             1.17.1-1+b1
ii  zlib1g           1:1.2.8.dfsg-2+b1

Versions of packages opam recommends:
ii  aspcud     1:1.9.1-2
ii  darcs      2.10.2-1
ii  git        1:2.7.0-1
ii  mercurial  3.5.2-2
ii  ocaml      4.02.3-6
ii  rsync      3.1.1-3

opam suggests no packages.

-- no debconf information
Description: remove insecure / no-check-certificate flags (see mail on opam-devel, #55 #2006)
Author: Hannes Mehnert <hannes@mehnert.org>
Applied-Upstream: 3d43295df3bb9e67e60801d319bf82c2c8a84d24
---
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
--- a/src/core/opamSystem.ml
+++ b/src/core/opamSystem.ml
@@ -694,7 +694,7 @@
   let retry = string_of_int OpamGlobals.download_retry in
   let wget ~compress:_ ?checksum:_ dir src =
     let wget_args = [
-      "--content-disposition"; "--no-check-certificate";
+      "--content-disposition";
       "-t"; retry;
       src
     ] in
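Review bot: the removal is right, but note that this wget branch also discards its checksum argument (`let wget ~compress:_ ?checksum:_ dir src`), so with `--no-check-certificate` gone, certificate verification against the system CA store is the only integrity check on downloads that go through wget; the changelog should say that repository hosts whose certificate the system does not trust will now fail with a verification error instead of being fetched, so users recognise that failure as intended rather than as a regression.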
@@ -704,7 +704,7 @@
   in
   let curl command ~compress ?checksum:_ dir src =
     let curl_args = [
-      "--write-out"; "%{http_code}\\n"; "--insecure";
+      "--write-out"; "%{http_code}\\n";
       "--retry"; retry; "--retry-delay"; "2";
     ] @ (if compress then ["--compressed"] else []) @ [
         "-OL"; src
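Review bot: same fix on the curl side, with one residual gap worth a line in the changelog or a follow-up: `-OL` follows redirects, and dropping `--insecure` only makes curl verify certificates on HTTPS hops, so a repository that redirects to a plain http:// URL is still fetched with no verification at all; if opam repositories are expected to be HTTPS-only, adding `--proto-redir =https` to `curl_args` would close that, otherwise document it. As in the wget branch, `?checksum:_` is discarded here, so there is no second integrity check behind TLS.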

--- End Message ---
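The report above is about downloaders that were told to skip certificate verification. As an added example, not code from the bug report, the Debian package or opam itself, here is a small POSIX shell audit function that scans an argument list, either a shell command line or a source fragment such as the OCaml string lists in the patch, for the flags that disable TLS verification in curl and wget. It takes the tool name because curl's `-k` means `--insecure` while wget's `-k` is `--convert-links`, so the same token is harmless in one tool and fatal in the other. The function name and the sample argument lists are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the bug report or from opam: audit an
# argument list for flags that disable TLS certificate verification.
# The tool name matters: curl's -k is --insecure, but wget's -k is
# --convert-links, so the same token is harmless in one and fatal in the other.

# check_tls_flags TOOL ARGS
#   TOOL is "curl" or "wget"; ARGS is the text of the invocation, either a
#   shell command line or a source fragment such as an OCaml string list.
#   Prints each offending token; returns 1 if any was found, 0 otherwise.
check_tls_flags() {
  tool=$1
  args=$2
  hits=0
  # Split on every character that cannot be part of an option, so that a
  # source fragment like "--insecure"; yields the same token as a shell line.
  for tok in $(printf '%s\n' "$args" | tr -c 'A-Za-z0-9_.=-' '\n'); do
    case "$tool:$tok" in
      # curl: long form, short form, and short form bundled with others (-sSkL)
      curl:--insecure|curl:-k*|curl:-[!-]*k*)
        echo "$tool: certificate verification disabled by '$tok'"
        hits=$((hits + 1)) ;;
      # wget: only the long form exists
      wget:--no-check-certificate)
        echo "$tool: certificate verification disabled by '$tok'"
        hits=$((hits + 1)) ;;
    esac
  done
  [ "$hits" -eq 0 ]
}

# Usage: check_tls_flags curl '"--write-out"; "%{http_code}\\n"; "--insecure";'
# prints the offending token and exits with status 1; the post-patch list
# without "--insecure" exits with status 0.
```

Run it over packaging scripts, CI configuration and vendored build code, or over the argument lists extracted from source as above; a non-zero exit is the signal to review the download path, and because the check works on tokens rather than on raw substrings it does not flag `-OL` or wget's `-k`.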
--- Begin Message ---
Source: opam
Source-Version: 1.2.0-1+deb8u1

We believe that the bug you reported is fixed in the latest version of
opam, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 818081@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mehdi Dogguy <mehdi@debian.org> (supplier of updated opam package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 10 Apr 2016 12:27:13 +0200
Source: opam
Binary: opam opam-docs
Architecture: source amd64 all
Version: 1.2.0-1+deb8u1
Distribution: jessie
Urgency: medium
Maintainer: Debian OCaml Maintainers <debian-ocaml-maint@lists.debian.org>
Changed-By: Mehdi Dogguy <mehdi@debian.org>
Description:
 opam       - package manager for OCaml
 opam-docs  - package manager for OCaml (documentation)
Closes: 818081
Changes:
 opam (1.2.0-1+deb8u1) jessie; urgency=medium
 .
   * Stop using insecure and no-check-certificate flags when fetching
     files using wget and curl (Closes: #818081).
Checksums-Sha1:
 712d1b348d2f1925295f2f447609ad8c2f3ca619 2324 opam_1.2.0-1+deb8u1.dsc
 f88858f27295000be88ea1ceca9bb66fd14c3b6c 29208 opam_1.2.0-1+deb8u1.debian.tar.xz
 9ba612c3f5125935688b54294f9ecffff28c046f 1440668 opam_1.2.0-1+deb8u1_amd64.deb
 6319983891e3828865ef7383e4b1518be9098adf 296924 opam-docs_1.2.0-1+deb8u1_all.deb
Checksums-Sha256:
 bc791c7126c78043620e6538e70a5bc17cbbd7e77125b5afef2c525c0be32c30 2324 opam_1.2.0-1+deb8u1.dsc
 7472d2f825b5113c7c16b5b8188f68dee3c370ec3ea946994e9daf782b632c4c 29208 opam_1.2.0-1+deb8u1.debian.tar.xz
 aa0787e6e79f598620a4ce0bb3c17d2f45b7d0cb5819547afcf385217f8d87d6 1440668 opam_1.2.0-1+deb8u1_amd64.deb
 27bfda7a8dda55a6aca4f00fcf6ee1ba7d3ff1828453c2aa9458a1e6555cb146 296924 opam-docs_1.2.0-1+deb8u1_all.deb
Files:
 0296be837f27bebc827ad156fad69de3 2324 ocaml optional opam_1.2.0-1+deb8u1.dsc
 1c018fb797a4e3e713c5325d0ae18cda 29208 ocaml optional opam_1.2.0-1+deb8u1.debian.tar.xz
 3323c56a106c9cd0af3da78a2fd984e7 1440668 ocaml optional opam_1.2.0-1+deb8u1_amd64.deb
 4592cfdbd4bc7b089d544be85a39a7b7 296924 doc optional opam-docs_1.2.0-1+deb8u1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----

--- End Message ---
