Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[CVE-2024-45321] generate: hotpatch bin/cpanm to use HTTPS endpoints #167

Merged
merged 5 commits into from
Aug 30, 2024
Merged

[CVE-2024-45321] generate: hotpatch bin/cpanm to use HTTPS endpoints #167

merged 5 commits into from
Aug 30, 2024

Conversation

stigtsp
Copy link
Contributor

@stigtsp stigtsp commented Aug 19, 2024

This commit patches out insecure http endpoints from the fatpacked bin/cpanm executable

Tested with:

Cc: @zakame @dgl @garu

@stigtsp
generate: hotpatch bin/cpanm to use HTTPS endpoints
94ff9cc 
This commit patches out insecure http endpoints from the fatpacked
`bin/cpanm` executable
@stigtsp
Copy link
Contributor Author

stigtsp commented Aug 19, 2024

Refs:

@zakame
Copy link
Member

zakame commented Aug 24, 2024

Hi @stigtsp, thanks for this PR!

Do you think its also worth expanding

docker-perl/.github/workflows/build-image.yml

Lines 57 to 65 in 09d0e7d

run: |
dir='${{ matrix.directory }}'
img="perl:${dir//,/-}"
docker run "$img" perl -MHTTP::Tiny -E 'if (HTTP::Tiny->new->get("https://github.com")->{status} == 200) { exit 0 } exit 1'
- name: Run cpanm install test
run: |
dir='${{ matrix.directory }}'
img="perl:${dir//,/-}"
docker run "$img" cpanm -v Mojolicious
to include the cpanm module tests you mentioned? If so, I can follow that that up with a later PR - am planning to include this in the upcoming perldevel-5.41.3 update...

@stigtsp
Copy link
Contributor Author

stigtsp commented Aug 24, 2024

Do you think its also worth expanding [..]

Sounds reasonable, but I'm not familiar with the tests for the docker image :)

@stigtsp stigtsp mentioned this pull request Aug 24, 2024
Merged
13 tasks
@stigtsp stigtsp changed the title generate: hotpatch bin/cpanm to use HTTPS endpoints [CVE-2024-45321] generate: hotpatch bin/cpanm to use HTTPS endpoints Aug 27, 2024
perlpunk
perlpunk reviewed Aug 27, 2024
View reviewed changes
generate.pl Show resolved Hide resolved
@zakame
Copy link
Member

zakame commented Aug 30, 2024

@stigtsp added tests now, though had to forego on slim and choose other modules to avoid having to install additional dependencies on main. Thanks again!

@zakame zakame merged commit bd5201d into Perl:master Aug 30, 2024
34 checks passed
zakame added a commit to zakame/docker-library-official-images that referenced this pull request Aug 30, 2024
@zakame
library/perl: 5.41.2 -> 5.41.3
197b676 
- https://nntp.perl.org/group/perl.perl5.porters/268756
- Fixes cpanm CVE Perl/docker-perl#167
@zakame zakame mentioned this pull request Aug 30, 2024
Merged
@zakame
Copy link
Member

zakame commented Aug 31, 2024

This is now applied in perl:5.41.3 and rebuilds of 5.40.0/5.38.2/5.36.3. Thanks again! 🙇

@dboehmer dboehmer mentioned this pull request Sep 8, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@perlpunk perlpunk perlpunk left review comments

@zakame zakame zakame approved these changes

@dgl dgl dgl left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@stigtsp @zakame @dgl @perlpunk