Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: unblock
Severity: normal
Dear Release-Team
I have prepared an update for libio-socket-ssl-perl 1.76-1 which is
found in wheezy and unstable but not yet uploaded. 1.77 was released
upstream to fix[1].
[1]: https://rt.cpan.org/Public/Bug/Display.html?id=79916
Upstream RT#79916 is marked 'Severity Critical'. As a comment in SSL.pm
we can read, before the _update_peer subroutine:

# called if PeerAddr is not set in ${*$self}{'_SSL_arguments'}
# this can be the case if start_SSL is called with a normal IO::Socket::INET
# so that PeerAddr|PeerPort are not set from args

The following script demonstrates the problem, but is not exactly what
the comment suggests. I was not able to reproduce a better example.
Daniel Kahn Gillmor gave me some guidance on #debian-perl.
----cut---------cut---------cut---------cut---------cut---------cut-----
#!/usr/bin/perl
use strict;
use warnings;

use IO::Socket::SSL;
use IO::Socket::INET6;

my $sock = IO::Socket::INET6->new(
    PeerAddr => '127.0.0.1',
    PeerPort => "5556",
    Type     => SOCK_STREAM,
) or die "Cannot construct socket - $@";

use Data::Show;
show $sock;

my $upgraded_sock = IO::Socket::SSL->start_SSL($sock);
use Data::Show;
show $upgraded_sock;
----cut---------cut---------cut---------cut---------cut---------cut-----
With PeerAddr set to 127.0.0.1 you get for upgraded_sock:
----cut---------cut---------cut---------cut---------cut---------cut-----
======( $upgraded_sock )==================[ 'test.pl', line 19 ]======
do {
require Symbol;
my $a = bless(Symbol::gensym(), "IO::Socket::SSL");
*{$a} = {
_SSL_arguments => {
PeerAddr => "127.0.0.1",
PeerPort => 5556,
Proto => "tcp",
SSL_cert_file => "certs/client-cert.pem",
SSL_check_crl => 0,
SSL_honor_cipher_order => 0,
SSL_key_file => "certs/client-key.pem",
SSL_server => 0,
SSL_use_cert => 0,
SSL_verify_mode => 0,
SSL_version => "SSLv23:!SSLv2",
},
_SSL_ctx => bless({ context => 27267440 }, "IO::Socket::SSL::SSL_Context"),
_SSL_fileno => 3,
_SSL_ioclass_upgraded => "IO::Socket::INET6",
_SSL_object => 27913664,
_SSL_opened => 1,
io_socket_domain => 2,
io_socket_proto => 6,
io_socket_timeout => undef,
io_socket_type => 1,
};
$a;
}
----cut---------cut---------cut---------cut---------cut---------cut-----
but for '::1' you see that PeerAddr is missing from _SSL_arguments:
----cut---------cut---------cut---------cut---------cut---------cut-----
======( $upgraded_sock )==================[ 'test.pl', line 19 ]======
do {
require Symbol;
my $a = bless(Symbol::gensym(), "IO::Socket::SSL");
*{$a} = {
_SSL_arguments => {
Proto => "tcp",
SSL_cert_file => "certs/client-cert.pem",
SSL_check_crl => 0,
SSL_honor_cipher_order => 0,
SSL_key_file => "certs/client-key.pem",
SSL_server => 0,
SSL_use_cert => 0,
SSL_verify_mode => 0,
SSL_version => "SSLv23:!SSLv2",
},
_SSL_ctx => bless({ context => 14291248 }, "IO::Socket::SSL::SSL_Context"),
_SSL_fileno => 3,
_SSL_ioclass_upgraded => "IO::Socket::INET6",
_SSL_object => 14937456,
_SSL_opened => 1,
io_socket_domain => 10,
io_socket_proto => 6,
io_socket_timeout => undef,
io_socket_type => 1,
};
$a;
}
----cut---------cut---------cut---------cut---------cut---------cut-----
but with the patched IO::Socket::SSL:
----cut---------cut---------cut---------cut---------cut---------cut-----
======( $upgraded_sock )==================[ 'test.pl', line 19 ]======
do {
require Symbol;
my $a = bless(Symbol::gensym(), "IO::Socket::SSL");
*{$a} = {
_SSL_arguments => {
PeerAddr => "::1",
PeerPort => 5556,
Proto => "tcp",
SSL_cert_file => "certs/client-cert.pem",
SSL_check_crl => 0,
SSL_honor_cipher_order => 0,
SSL_key_file => "certs/client-key.pem",
SSL_server => 0,
SSL_use_cert => 0,
SSL_verify_mode => 0,
SSL_version => "SSLv23:!SSLv2",
},
_SSL_ctx => bless({ context => 25240480 }, "IO::Socket::SSL::SSL_Context"),
_SSL_fileno => 3,
_SSL_ioclass_upgraded => "IO::Socket::INET6",
_SSL_object => 25890704,
_SSL_opened => 1,
io_socket_domain => 10,
io_socket_proto => 6,
io_socket_timeout => undef,
io_socket_type => 1,
};
$a;
}
----cut---------cut---------cut---------cut---------cut---------cut-----
Note I have started a service listening on port 5556 with gnutls-serv.
Since I'm no IPv6 expert, I would like to ask for your opinion and if
it's okay to upload the package to unstable considering the attached
debdiff.

As said, because I first wanted to hear back from you, I have not
uploaded the package to unstable.
Regards,
Salvatore
diff -Nru libio-socket-ssl-perl-1.76/debian/changelog libio-socket-ssl-perl-1.76/debian/changelog
--- libio-socket-ssl-perl-1.76/debian/changelog 2012-06-22 15:40:40.000000000 +0200
+++ libio-socket-ssl-perl-1.76/debian/changelog 2012-10-05 17:42:33.000000000 +0200
@@ -1,3 +1,10 @@
+libio-socket-ssl-perl (1.76-2) unstable; urgency=low
+
+ * Add 0001-Fix-update_peer-subroutine-to-work-with-IPv6.patch patch.
+ Fix update_peer subroutine to work with IPv6.
+
+ -- Salvatore Bonaccorso <carnil@debian.org> Fri, 05 Oct 2012 17:41:19 +0200
+
libio-socket-ssl-perl (1.76-1) unstable; urgency=low
* Imported Upstream version 1.75 and 1.76
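Review bot: The new 1.76-2 entry names the patch file but not the upstream ticket it addresses, and it is filed with urgency=low. The patch header added in the same debdiff cites https://rt.cpan.org/Public/Bug/Display.html?id=79916 under Bug:, so the changelog line could reference that ticket as well, which would let a reader of the changelog alone see why the upload is requested.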
diff -Nru libio-socket-ssl-perl-1.76/debian/patches/0001-Fix-update_peer-subroutine-to-work-with-IPv6.patch libio-socket-ssl-perl-1.76/debian/patches/0001-Fix-update_peer-subroutine-to-work-with-IPv6.patch
--- libio-socket-ssl-perl-1.76/debian/patches/0001-Fix-update_peer-subroutine-to-work-with-IPv6.patch 1970-01-01 01:00:00.000000000 +0100
+++ libio-socket-ssl-perl-1.76/debian/patches/0001-Fix-update_peer-subroutine-to-work-with-IPv6.patch 2012-10-05 17:42:33.000000000 +0200
@@ -0,0 +1,48 @@
+Description: Fix update_peer subroutine to work with IPv6
+Origin: vendor
+Bug: https://rt.cpan.org/Public/Bug/Display.html?id=79916
+Forwarded: not-needed
+Author: Salvatore Bonaccorso <carnil@debian.org>
+Last-Update: 2012-10-05
+
+---
+ SSL.pm | 18 +++++++++++++-----
+ 1 file changed, 13 insertions(+), 5 deletions(-)
+
+--- a/SSL.pm
++++ b/SSL.pm
+@@ -69,11 +69,11 @@
+ my $ip6 = eval {
+ require Socket;
+ Socket->VERSION(1.95);
+- Socket->import( 'inet_pton' );
++ Socket->import( qw/inet_pton inet_ntop/ );
+ 1;
+ } || eval {
+ require Socket6;
+- Socket6->import( 'inet_pton' );
++ Socket6->import( qw/inet_pton inet_ntop/ );
+ 1;
+ };
+
+@@ -525,9 +525,17 @@
+ my $self = shift;
+ my $arg_hash = ${*$self}{'_SSL_arguments'};
+ eval {
+- my ($port,$addr) = sockaddr_in( getpeername( $self ));
+- $arg_hash->{PeerAddr} = inet_ntoa( $addr );
+- $arg_hash->{PeerPort} = $port;
++ my $sockaddr = getpeername( $self );
++ my $af = sockaddr_family($sockaddr);
++ if( $af == AF_INET6 ) {
++ my ($port, $addr, $scope, $flow ) = unpack_sockaddr_in6( $sockaddr );
++ $arg_hash->{PeerAddr} = inet_ntop( $af, $addr );
++ $arg_hash->{PeerPort} = $port;
++ } else {
++ my ($port,$addr) = sockaddr_in( $sockaddr);
++ $arg_hash->{PeerAddr} = inet_ntoa( $addr );
++ $arg_hash->{PeerPort} = $port;
++ }
+ }
+ }
+
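Review bot: In the _update_peer part of this patch the new code still sits inside the bare eval { ... } with no check of $@, and sockaddr_family( $sockaddr ) is now called before the branch. If sockaddr_family, unpack_sockaddr_in6 or AF_INET6 is unavailable at that point (the import change above only adds inet_ntop, and only inside the $ip6 eval, which may load neither Socket 1.95 nor Socket6), the call dies silently and PeerAddr stays unset, now for IPv4 peers too. Suggest taking the IPv6 branch only when the IPv6 helpers were loaded, for example by testing $ip6, or at least checking $@ after the eval. Minor: $scope and $flow are never used, and the PeerPort assignment is repeated in both branches and could follow the if/else.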
diff -Nru libio-socket-ssl-perl-1.76/debian/patches/series libio-socket-ssl-perl-1.76/debian/patches/series
--- libio-socket-ssl-perl-1.76/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ libio-socket-ssl-perl-1.76/debian/patches/series 2012-10-05 17:42:33.000000000 +0200
@@ -0,0 +1 @@
+0001-Fix-update_peer-subroutine-to-work-with-IPv6.patch
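Added example, not part of the original message and not code from IO::Socket::SSL: it shows offline why the '::1' run above ends up without PeerAddr and without any error. The sockaddr values are constructed stand-ins for getpeername() results, and decode_v4_only / decode_by_family are hypothetical helper names.

```perl
#!/usr/bin/perl
# Added example: offline illustration using constructed sockaddr values.
use strict;
use warnings;
use Socket qw(AF_INET AF_INET6 inet_aton inet_ntoa inet_pton inet_ntop
              pack_sockaddr_in pack_sockaddr_in6
              unpack_sockaddr_in unpack_sockaddr_in6 sockaddr_family);

# Constructed stand-ins for what getpeername() returns on each socket type.
my %peer = (
    '127.0.0.1' => pack_sockaddr_in( 5556, inet_aton('127.0.0.1') ),
    '::1'       => pack_sockaddr_in6( 5556, inet_pton( AF_INET6, '::1' ) ),
);

# IPv4-only decode wrapped in eval: when the unpack dies on an AF_INET6
# sockaddr, the hash stays empty and the caller never sees the error.
sub decode_v4_only {
    my ($sockaddr) = @_;
    my %arg;
    eval {
        my ( $port, $addr ) = unpack_sockaddr_in($sockaddr);
        @arg{qw(PeerAddr PeerPort)} = ( inet_ntoa($addr), $port );
    };
    return ( \%arg, $@ );
}

# Family-aware decode: look at the address family before unpacking.
sub decode_by_family {
    my ($sockaddr) = @_;
    my $af = sockaddr_family($sockaddr);
    if ( $af == AF_INET6 ) {
        my ( $port, $addr ) = unpack_sockaddr_in6($sockaddr);
        return { PeerAddr => inet_ntop( $af, $addr ), PeerPort => $port };
    }
    if ( $af == AF_INET ) {
        my ( $port, $addr ) = unpack_sockaddr_in($sockaddr);
        return { PeerAddr => inet_ntoa($addr), PeerPort => $port };
    }
    die "unsupported address family $af\n";
}

for my $ip ( sort keys %peer ) {
    my ( $old, $err ) = decode_v4_only( $peer{$ip} );
    my $new = decode_by_family( $peer{$ip} );
    printf "%-9s v4-only: %-9s family-aware: %s port %d\n",
        $ip, $old->{PeerAddr} // '(unset)', $new->{PeerAddr}, $new->{PeerPort};
    print "          swallowed error: $err" if $err;
}
```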