
Bug#767726: unblock: libio-socket-ssl-perl/2.002-2

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hi Release Team,

Please unblock package libio-socket-ssl-perl. Stefano Rivera reported in
#767692[1] that libio-socket-ssl-perl incorrectly uses the Public Suffix
List to restrict wildcard certificates. The same conclusion was reached by
upstream, which fixed the problem with [2].

 [1] https://bugs.debian.org/767692
 [2] https://github.com/noxxi/p5-io-socket-ssl/commit/1f9482771fd8d71083a2e388634b3787bd9fe147

Attached is the debdiff used for 2.002-2 uploaded yesterday to unstable.
Could you please unblock libio-socket-ssl-perl?

unblock libio-socket-ssl-perl/2.002-2

Regards,
Salvatore
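The public-suffix behaviour the attached patch changes, as an added Python model that is not IO::Socket::SSL's own code: it parses a constructed PSL excerpt with and without the cut at `// ===END ICANN DOMAINS`, and shows that a PRIVATE-section entry such as uk.com stops being a public suffix, so a `*.uk.com` wildcard certificate goes from rejected to accepted. The wildcard check is a simplified model of the module's rule, and the PSL text is a constructed excerpt, not the real list.

```python
import re

# Constructed excerpt in Public Suffix List format: ICANN section, the
# marker the Debian patch cuts at, then the PRIVATE section.
PSL_EXCERPT = """\
// ===BEGIN ICANN DOMAINS===
com
*.uk
co.uk
// ===END ICANN DOMAINS===
// ===BEGIN PRIVATE DOMAINS===
uk.com
s3.amazonaws.com
// ===END PRIVATE DOMAINS===
"""

def load_rules(text, icann_only):
    """Parse PSL text into rules; with icann_only, drop everything from the
    END ICANN marker onwards: the same cut (and failure mode) as the patch."""
    if icann_only:
        text, n = re.subn(r'^// ===END ICANN DOMAINS.*', '', text, flags=re.M | re.S)
        if n == 0:
            raise ValueError('cannot find END ICANN DOMAINS')
    return [l.strip() for l in text.splitlines()
            if l.strip() and not l.startswith('//')]

def public_suffix(host, rules):
    """PSL lookup (exception rules omitted for brevity): the matching rule
    with the most labels wins; no matching rule means the last label."""
    labels = host.lower().split('.')
    depth = 1
    for rule in rules:
        parts = rule.split('.')
        tail = labels[-len(parts):]
        if len(parts) <= len(labels) and all(p in ('*', l) for p, l in zip(parts, tail)):
            depth = max(depth, len(parts))
    return '.'.join(labels[-depth:])

def wildcard_ok(pattern, host, rules):
    """Simplified model of the certificate check: '*.' must cover exactly
    one label and that label must not belong to the host's public suffix."""
    fixed = pattern[2:].lower()
    labels = host.lower().split('.')
    if not pattern.startswith('*.') or '.'.join(labels[1:]) != fixed:
        return False
    return len(fixed.split('.')) > len(public_suffix(host, rules).split('.'))
```

With the full list `wildcard_ok('*.uk.com', 'example.uk.com', ...)` is rejected because uk.com is itself a public suffix; after the ICANN-only cut it is accepted, while `*.co.uk` stays rejected in both cases.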
diff -Nru libio-socket-ssl-perl-2.002/debian/changelog libio-socket-ssl-perl-2.002/debian/changelog
--- libio-socket-ssl-perl-2.002/debian/changelog	2014-10-22 09:03:25.000000000 +0200
+++ libio-socket-ssl-perl-2.002/debian/changelog	2014-11-01 23:43:45.000000000 +0100
@@ -1,3 +1,11 @@
+libio-socket-ssl-perl (2.002-2) unstable; urgency=medium
+
+  * Add 0001-use-only-ICANN-part-in-public-suffix-list.patch.
+    Fixes "Don't use public suffix list to restrict wildcard certificates."
+    Thanks to Stefano Rivera (Closes: #767692)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Sat, 01 Nov 2014 23:39:14 +0100
+
 libio-socket-ssl-perl (2.002-1) unstable; urgency=low
 
   * Imported upstream version 2.002
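Review bot: the changelog entry names the patch but not the user-visible effect: after this upload, wildcard certificates whose wildcard sits directly under a PRIVATE-section suffix (the t/ changes show uk.com is one such name) are accepted where 2.002-1 rejected them. A sentence saying so, plus the upstream commit id already cited in the patch header, would help the release team judge the behaviour change during the freeze.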
diff -Nru libio-socket-ssl-perl-2.002/debian/patches/0001-use-only-ICANN-part-in-public-suffix-list.patch libio-socket-ssl-perl-2.002/debian/patches/0001-use-only-ICANN-part-in-public-suffix-list.patch
--- libio-socket-ssl-perl-2.002/debian/patches/0001-use-only-ICANN-part-in-public-suffix-list.patch	1970-01-01 01:00:00.000000000 +0100
+++ libio-socket-ssl-perl-2.002/debian/patches/0001-use-only-ICANN-part-in-public-suffix-list.patch	2014-11-01 23:43:45.000000000 +0100
@@ -0,0 +1,61 @@
+Description: use only ICANN part in public suffix list
+Origin: backport, https://github.com/noxxi/p5-io-socket-ssl/commit/1f9482771fd8d71083a2e388634b3787bd9fe147
+Bug-Debian: https://bugs.debian.org/767692
+Forwarded: not-needed
+Author: Steffen Ullrich <Steffen_Ullrich@genua.de>
+Reviewed-by: Salvatore Bonaccorso <carnil@debian.org>
+Last-Update: 2014-11-01
+
+---
+diff --git a/lib/IO/Socket/SSL/PublicSuffix.pm b/lib/IO/Socket/SSL/PublicSuffix.pm
+index 87c8b0b..a84aacd 100644
+--- a/lib/IO/Socket/SSL/PublicSuffix.pm
++++ b/lib/IO/Socket/SSL/PublicSuffix.pm
+@@ -293,10 +293,8 @@ sub public_suffix {
+     sub _default_data {
+ 	if ( ! defined $data ) {
+ 	    $data = do { local $/; <DATA> };
+-	    # known exceptions of behavior of SSL certificates from PSL
+-	    $data .= "!googleapis.com\n";
+-	    $data .= "!s3.amazonaws.com\n"; # RT#99702
+-
++	    $data =~s{^// ===END ICANN DOMAINS.*}{}ms
++		or die "cannot find END ICANN DOMAINS";
+ 	}
+ 	return $data;
+     }
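Review bot: the hand-maintained `!googleapis.com` and `!s3.amazonaws.com` exceptions are dropped in the same hunk that truncates the list at `// ===END ICANN DOMAINS`; that is only equivalent if both names live in the PRIVATE section of the embedded DATA copy, which is worth confirming once rather than assuming. The `die` on a missing marker is the right choice, since a silently untruncated list would keep the old behaviour; note the substitution runs once and the cached `$data` is reused afterwards, so any later refresh of the embedded list must carry the marker too.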
+diff --git a/t/public_suffix_lib.pl b/t/public_suffix_lib.pl
+index 66bdfe4..a9dc4c8 100644
+--- a/t/public_suffix_lib.pl
++++ b/t/public_suffix_lib.pl
+@@ -30,7 +30,7 @@ sub run_with_lib {
+ 
+     require IO::Socket::SSL::PublicSuffix;
+ 
+-    plan tests => 83;
++    plan tests => 79;
+ 
+ 
+     # all one-level, but co.uk two-level
+@@ -117,10 +117,14 @@ sub run_with_lib {
+     is public_suffix('example.com'), 'com';
+     is public_suffix('b.example.com'), 'com';
+     is public_suffix('a.b.example.com'), 'com';
+-    is public_suffix('uk.com'), 'uk.com';
+-    is public_suffix('example.uk.com'), 'uk.com';
+-    is public_suffix('b.example.uk.com'), 'uk.com';
+-    is public_suffix('a.b.example.uk.com'), 'uk.com';
++
++    # uk.com is not in the ICANN part of the list
++    if(0) {
++	is public_suffix('uk.com'), 'uk.com';
++	is public_suffix('example.uk.com'), 'uk.com';
++	is public_suffix('b.example.uk.com'), 'uk.com';
++	is public_suffix('a.b.example.uk.com'), 'uk.com';
++    }
+     is public_suffix('test.ac'), 'ac';
+ 
+     # TLD with only one (wildcard) rule:
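Review bot: wrapping the four uk.com checks in `if(0)` records that the old expectation no longer holds but does not pin the new one; replacing them with `is public_suffix('example.uk.com'), 'com';` (and likewise for the other three hosts) would make the ICANN-only behaviour a tested guarantee and catch a regression if the truncation ever stops matching. The `plan tests => 79` in the earlier hunk matches the four checks disabled here, so the count is consistent as-is, but it would need bumping again if they are re-enabled as positive tests.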
+-- 
+2.1.1
+
diff -Nru libio-socket-ssl-perl-2.002/debian/patches/series libio-socket-ssl-perl-2.002/debian/patches/series
--- libio-socket-ssl-perl-2.002/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ libio-socket-ssl-perl-2.002/debian/patches/series	2014-11-01 23:43:45.000000000 +0100
@@ -0,0 +1 @@
+0001-use-only-ICANN-part-in-public-suffix-list.patch
