Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[CVE-2024-45321] generate: hotpatch bin/cpanm to use HTTPS endpoints #167

Merged
merged 5 commits into from
Aug 30, 2024

Conversation

stigtsp
Copy link
Contributor

@stigtsp stigtsp commented Aug 19, 2024

This commit patches out insecure http endpoints from the fatpacked bin/cpanm executable

Tested with:

Cc: @zakame @dgl @garu

This commit patches out insecure http endpoints from the fatpacked
`bin/cpanm` executable
@zakame
Copy link
Member

zakame commented Aug 24, 2024

Hi @stigtsp, thanks for this PR!

Do you think its also worth expanding

run: |
dir='${{ matrix.directory }}'
img="perl:${dir//,/-}"
docker run "$img" perl -MHTTP::Tiny -E 'if (HTTP::Tiny->new->get("https://github.com")->{status} == 200) { exit 0 } exit 1'
- name: Run cpanm install test
run: |
dir='${{ matrix.directory }}'
img="perl:${dir//,/-}"
docker run "$img" cpanm -v Mojolicious
to include the cpanm module tests you mentioned? If so, I can follow that that up with a later PR - am planning to include this in the upcoming perldevel-5.41.3 update...

@stigtsp
Copy link
Contributor Author

stigtsp commented Aug 24, 2024

Do you think its also worth expanding [..]

Sounds reasonable, but I'm not familiar with the tests for the docker image :)

@stigtsp stigtsp changed the title generate: hotpatch bin/cpanm to use HTTPS endpoints [CVE-2024-45321] generate: hotpatch bin/cpanm to use HTTPS endpoints Aug 27, 2024
generate.pl Show resolved Hide resolved
@zakame
Copy link
Member

zakame commented Aug 30, 2024

@stigtsp added tests now, though had to forego on slim and choose other modules to avoid having to install additional dependencies on main. Thanks again!

@zakame zakame merged commit bd5201d into Perl:master Aug 30, 2024
34 checks passed
zakame added a commit to zakame/docker-library-official-images that referenced this pull request Aug 30, 2024
@zakame
Copy link
Member

zakame commented Aug 31, 2024

This is now applied in perl:5.41.3 and rebuilds of 5.40.0/5.38.2/5.36.3. Thanks again! 🙇

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants