Bug#1065376: bookworm-pu: package libxml-stream-perl/1.24-4+deb12u1

gregor herrmann gregoa at debian.org
Sun Mar 3 15:16:07 GMT 2024


Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: libxml-stream-perl at packages.debian.org
Control: affects -1 + src:libxml-stream-perl
User: release.debian.org at packages.debian.org
Usertags: pu

I've uploaded libxml-stream-perl/1.24-4+deb12u1 to bookworm in order
to fix #1064058.

The upload contains the same patch which has been in unstable (and testing)
for 2 weeks.

The patch adjusts the code to a change in IO-Socket-SSL 2.078
regarding hostname verification; without this change, SSL connections
with libxml-stream-perl are broken, which also breaks libnet-xmpp-perl
and all users of libnet-xmpp-perl like sendxmpp (cf. the merged
bugs).

Complete debdiff attached (please note that the only relevant part is
the 3 lines in lib/XML/Stream.pm, as the tests are not run during
package build in Debian).


Cheers,
gregor

diff -Nru libxml-stream-perl-1.24/debian/changelog libxml-stream-perl-1.24/debian/changelog
--- libxml-stream-perl-1.24/debian/changelog	2021-01-20 18:34:25.000000000 +0100
+++ libxml-stream-perl-1.24/debian/changelog	2024-03-03 16:02:42.000000000 +0100
@@ -1,3 +1,13 @@
+libxml-stream-perl (1.24-4+deb12u1) bookworm; urgency=medium
+
+  * Team upload.
+  * Add Set_SSL_verifycn_name_parameter_to_fix_hostname_verification.patch
+    to adjust to IO::Socket::SSL >= 2.078.
+    Thanks to Manfred Stock for the bug report and the patch.
+    (Closes: #1064058)
+
+ -- gregor herrmann <gregoa at debian.org>  Sun, 03 Mar 2024 16:02:42 +0100
+
 libxml-stream-perl (1.24-4) unstable; urgency=medium
 
   * Team upload.
diff -Nru libxml-stream-perl-1.24/debian/patches/Set_SSL_verifycn_name_parameter_to_fix_hostname_verification.patch libxml-stream-perl-1.24/debian/patches/Set_SSL_verifycn_name_parameter_to_fix_hostname_verification.patch
--- libxml-stream-perl-1.24/debian/patches/Set_SSL_verifycn_name_parameter_to_fix_hostname_verification.patch	1970-01-01 01:00:00.000000000 +0100
+++ libxml-stream-perl-1.24/debian/patches/Set_SSL_verifycn_name_parameter_to_fix_hostname_verification.patch	2024-03-03 16:02:42.000000000 +0100
@@ -0,0 +1,85 @@
+From 7d3de1e8afe7eb46d7bda336fb1f54d3b75f4e6d Mon Sep 17 00:00:00 2001
+From: Manfred Stock <m-cpan at nfred.ch>
+Date: Fri, 16 Feb 2024 10:45:43 +0100
+Subject: [PATCH] Set SSL_verifycn_name parameter to fix hostname verification
+
+IO-Socket-SSL 2.078 reverted a "decision from 2014 to not verify
+hostname by default if hostname is IP address but no explicit
+verification scheme given" [1]. Since start_SSL uses SSL_verifycn_name
+or SSL_hostname when verifying the hostname and falls back to the IP
+address of the peer if neither of them are set, the hostname
+verification failed with newer versions of IO-Socket-SSL even if the
+certificate presented by the peer was valid.
+
+Passing SSL_verifycn_name to start_SSL fixes this issue. The logic to
+determine the parameter value is based on my current understanding of
+[2] and thus uses the same logic that is also used in OpenStream to
+determine the 'to' address in the initial stream header.
+
+[1]: https://github.com/noxxi/p5-io-socket-ssl/commit/c0a063b70f0a3ad033da0a51923c65bd2ff118a0
+[2]: https://datatracker.ietf.org/doc/html/rfc6120#section-13.7.2.1
+
+
+Bug: https://github.com/dap/XML-Stream/pull/28
+Bug-Debian: https://bugs.debian.org/1064058
+
+---
+ lib/XML/Stream.pm |  3 +++
+ t/tcpip2ssl.t     | 21 +++++++++++++++++----
+ 2 files changed, 20 insertions(+), 4 deletions(-)
+
+--- a/lib/XML/Stream.pm
++++ b/lib/XML/Stream.pm
+@@ -632,6 +632,9 @@
+     {
+         my %ssl_params = (
+             SSL_verify_mode => $self->{SIDS}->{newconnection}->{ssl_verify},
++            SSL_verifycn_name => $self->{SIDS}->{newconnection}->{to}
++                ? $self->{SIDS}->{newconnection}->{to}
++                : $self->{SIDS}->{newconnection}->{hostname},
+         );
+ 
+         if ( 0x00 != $self->{SIDS}->{newconnection}->{ssl_verify} )
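Review bot: the ternary on the three added `SSL_verifycn_name` lines is just `$to || $hostname` and reads more clearly written that way; more importantly, the choice it encodes (the XMPP `to` domain takes precedence over the connect hostname, per the RFC 6120 13.7.2.1 reference in the description) means that when `to` differs from `hostname` the peer certificate must carry the `to` domain, so a connection that used to pass with a certificate for the DNS hostname alone will now fail verification. That behaviour is correct for XMPP but deserves a comment at this spot, since callers of Connect that set `to` to a different name than `hostname` will otherwise only see an opaque SSL handshake failure. Note also that this value is only consulted when `SSL_verify_mode` is not `0x00`; the `if` on the last context line already branches on that, so it is worth confirming the parameter is still passed through on the verifying path.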
+--- a/t/tcpip2ssl.t
++++ b/t/tcpip2ssl.t
+@@ -1,13 +1,13 @@
+ use strict;
+ use warnings;
+ 
+-use Test::More tests=>3;
++use Test::More tests=>5;
+ 
+ SKIP:
+ {
+     eval("use IO::Socket::SSL 0.81;");
+-    skip "IO::Socket::SSL not installed", 2 if $@;
+-    skip "No network communication allowed", 2 if ($ENV{NO_NETWORK});
++    skip "IO::Socket::SSL not installed", 4 if $@;
++    skip "No network communication allowed", 4 if ($ENV{NO_NETWORK});
+ 
+     BEGIN{ use_ok( "XML::Stream","Tree", "Node" ); }
+ 
+@@ -28,9 +28,22 @@
+                                       ssl=>1,
+                                       ssl_verify=>0x00,
+                                       timeout=>10);
++        is( $stream->{SIDS}->{newconnection}->{ssl_params}->{SSL_verifycn_name},
++            'jabber.org', 'SSL_verifycn_name set' );
+ 
+-        skip "Cannot create initial socket", 1 unless $stream;
++        skip "Cannot create initial socket", 2 unless $stream;
+         
+         ok( $stream, "converted" );
++
++        $stream->Connect(hostname=>"jabber.org",
++                         to=>'example.com',
++                         port=>5223,
++                         namespace=>"jabber:client",
++                         connectiontype=>"tcpip",
++                         ssl=>1,
++                         ssl_verify=>0x00,
++                         timeout=>10);
++        is( $stream->{SIDS}->{newconnection}->{ssl_params}->{SSL_verifycn_name},
++            'example.com', 'SSL_verifycn_name set to "to" value' );
+     }
+ }
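Review bot: both `is( ... ->{ssl_params}->{SSL_verifycn_name}, ... )` checks in this hunk run with `ssl_verify=>0x00`, so they confirm that the parameter is populated but never exercise the failure that #1064058 reports, which only occurs when verification is enabled and IO::Socket::SSL falls back to the peer IP; a connection with a non-zero `ssl_verify` against the same host would cover the actual fix. The checks also read `$stream->{SIDS}->{newconnection}->{ssl_params}`, while the lib/XML/Stream.pm hunk above shows only a lexical `my %ssl_params`; the store into the SIDS hash is not visible in this diff, so it should be confirmed that it exists, otherwise both new tests fail with an undef comparison. Since the tests are skipped at package build time this does not block the upload, but the test count bump from 3 to 5 and the `skip ... 4` adjustments are consistent with the two added `is` calls.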
diff -Nru libxml-stream-perl-1.24/debian/patches/series libxml-stream-perl-1.24/debian/patches/series
--- libxml-stream-perl-1.24/debian/patches/series	2021-01-20 18:34:25.000000000 +0100
+++ libxml-stream-perl-1.24/debian/patches/series	2024-03-03 16:02:42.000000000 +0100
@@ -1,3 +1,4 @@
 t_upstream_uninitialized_value.diff
 default-ca-path.patch
 0001-Do-not-die-when-hostname-cannot-be-resolved.patch
+Set_SSL_verifycn_name_parameter_to_fix_hostname_verification.patch