Package: release.debian.org User: release.debian....@packages.debian.org Usertags: unblock Severity: normal
Dear Release-Team I have prepared an update for libio-socket-ssl-perl 1.76-1 which is found in wheezy and unstable but not yet uploaded. 1.77 was released upstream to fix[1]. [1]: https://rt.cpan.org/Public/Bug/Display.html?id=79916 Upstream RT#79916 is marked 'Serverity Critical'. As comment in SSL.pm we can read, before the _update_peer subroutine: # called if PeerAddr is not set in ${*$self}{'_SSL_arguments'} # this can be the case if start_SSL is called with a normal IO::Socket::INET # so that PeerAddr|PeerPort are not set from args The following script demostrates the problem, but is not exactly what the comment suggest. I was not able to reproduce a better example. Daniel Kahn Gillmor gave me some quidance on #debian-perl. ----cut---------cut---------cut---------cut---------cut---------cut----- #!/usr/bin/perl use strict; use warnings; use IO::Socket::SSL; use IO::Socket::INET6; my $sock = IO::Socket::INET6->new( PeerAddr => '127.0.0.1', PeerPort => "5556", Type => SOCK_STREAM, ) or die "Cannot construct socket - $@"; use Data::Show; show $sock; my $upgraded_sock = IO::Socket::SSL->start_SSL($sock); use Data::Show; show $upgraded_sock; ----cut---------cut---------cut---------cut---------cut---------cut----- With PeerAddr set to 127.0.0.1 you get for upgraded_sock: ----cut---------cut---------cut---------cut---------cut---------cut----- ======( $upgraded_sock )==================[ 'test.pl', line 19 ]====== do { require Symbol; my $a = bless(Symbol::gensym(), "IO::Socket::SSL"); *{$a} = { _SSL_arguments => { PeerAddr => "127.0.0.1", PeerPort => 5556, Proto => "tcp", SSL_cert_file => "certs/client-cert.pem", SSL_check_crl => 0, SSL_honor_cipher_order => 0, SSL_key_file => "certs/client-key.pem", SSL_server => 0, SSL_use_cert => 0, SSL_verify_mode => 0, SSL_version => "SSLv23:!SSLv2", }, _SSL_ctx => bless({ context => 27267440 }, "IO::Socket::SSL::SSL_Context"), _SSL_fileno => 3, _SSL_ioclass_upgraded => "IO::Socket::INET6", _SSL_object => 27913664, _SSL_opened 
=> 1, io_socket_domain => 2, io_socket_proto => 6, io_socket_timeout => undef, io_socket_type => 1, }; $a; } ----cut---------cut---------cut---------cut---------cut---------cut----- but for '::1' you see that PeerAddr is missing from _SSL_arguments: ----cut---------cut---------cut---------cut---------cut---------cut----- ======( $upgraded_sock )==================[ 'test.pl', line 19 ]====== do { require Symbol; my $a = bless(Symbol::gensym(), "IO::Socket::SSL"); *{$a} = { _SSL_arguments => { Proto => "tcp", SSL_cert_file => "certs/client-cert.pem", SSL_check_crl => 0, SSL_honor_cipher_order => 0, SSL_key_file => "certs/client-key.pem", SSL_server => 0, SSL_use_cert => 0, SSL_verify_mode => 0, SSL_version => "SSLv23:!SSLv2", }, _SSL_ctx => bless({ context => 14291248 }, "IO::Socket::SSL::SSL_Context"), _SSL_fileno => 3, _SSL_ioclass_upgraded => "IO::Socket::INET6", _SSL_object => 14937456, _SSL_opened => 1, io_socket_domain => 10, io_socket_proto => 6, io_socket_timeout => undef, io_socket_type => 1, }; $a; } ----cut---------cut---------cut---------cut---------cut---------cut----- but with the patched IO::Socket::SSL: ----cut---------cut---------cut---------cut---------cut---------cut----- ======( $upgraded_sock )==================[ 'test.pl', line 19 ]====== do { require Symbol; my $a = bless(Symbol::gensym(), "IO::Socket::SSL"); *{$a} = { _SSL_arguments => { PeerAddr => "::1", PeerPort => 5556, Proto => "tcp", SSL_cert_file => "certs/client-cert.pem", SSL_check_crl => 0, SSL_honor_cipher_order => 0, SSL_key_file => "certs/client-key.pem", SSL_server => 0, SSL_use_cert => 0, SSL_verify_mode => 0, SSL_version => "SSLv23:!SSLv2", }, _SSL_ctx => bless({ context => 25240480 }, "IO::Socket::SSL::SSL_Context"), _SSL_fileno => 3, _SSL_ioclass_upgraded => "IO::Socket::INET6", _SSL_object => 25890704, _SSL_opened => 1, io_socket_domain => 10, io_socket_proto => 6, io_socket_timeout => undef, io_socket_type => 1, }; $a; } 
----cut---------cut---------cut---------cut---------cut---------cut----- Note that I have started a service listening on port 5556 with gnutls-serv. Since I'm no IPv6 expert, I would like to ask for your opinion and whether it's okay to upload the package to unstable, considering the attached debdiff. As said, I first wanted to hear back from you, so I have not yet uploaded the package to unstable. Regards, Salvatore
diff -Nru libio-socket-ssl-perl-1.76/debian/changelog libio-socket-ssl-perl-1.76/debian/changelog
--- libio-socket-ssl-perl-1.76/debian/changelog 2012-06-22 15:40:40.000000000 +0200
+++ libio-socket-ssl-perl-1.76/debian/changelog 2012-10-05 17:42:33.000000000 +0200
@@ -1,3 +1,10 @@
+libio-socket-ssl-perl (1.76-2) unstable; urgency=low
+
+ * Add 0001-Fix-update_peer-subroutine-to-work-with-IPv6.patch patch.
+ Fix update_peer subroutine to work with IPv6.
+
+ -- Salvatore Bonaccorso <car...@debian.org> Fri, 05 Oct 2012 17:41:19 +0200
+
 libio-socket-ssl-perl (1.76-1) unstable; urgency=low
 
 * Imported Upstream version 1.75 and 1.76
diff -Nru libio-socket-ssl-perl-1.76/debian/patches/0001-Fix-update_peer-subroutine-to-work-with-IPv6.patch libio-socket-ssl-perl-1.76/debian/patches/0001-Fix-update_peer-subroutine-to-work-with-IPv6.patch
--- libio-socket-ssl-perl-1.76/debian/patches/0001-Fix-update_peer-subroutine-to-work-with-IPv6.patch 1970-01-01 01:00:00.000000000 +0100
+++ libio-socket-ssl-perl-1.76/debian/patches/0001-Fix-update_peer-subroutine-to-work-with-IPv6.patch 2012-10-05 17:42:33.000000000 +0200
@@ -0,0 +1,48 @@
+Description: Fix update_peer subroutine to work with IPv6
+Origin: vendor
+Bug: https://rt.cpan.org/Public/Bug/Display.html?id=79916
+Forwarded: not-needed
+Author: Salvatore Bonaccorso <car...@debian.org>
+Last-Update: 2012-10-05
+
+---
+ SSL.pm | 18 +++++++++++++-----
+ 1 file changed, 13 insertions(+), 5 deletions(-)
+
+--- a/SSL.pm
++++ b/SSL.pm
+@@ -69,11 +69,11 @@
+ my $ip6 = eval {
+ require Socket;
+ Socket->VERSION(1.95);
+- Socket->import( 'inet_pton' );
++ Socket->import( qw/inet_pton inet_ntop/ );
+ 1;
+ } || eval {
+ require Socket6;
+- Socket6->import( 'inet_pton' );
++ Socket6->import( qw/inet_pton inet_ntop/ );
+ 1;
+ };
+
+@@ -525,9 +525,17 @@
+ my $self = shift;
+ my $arg_hash = ${*$self}{'_SSL_arguments'};
+ eval {
+- my ($port,$addr) = sockaddr_in( getpeername( $self ));
+- $arg_hash->{PeerAddr} = inet_ntoa( $addr );
+- $arg_hash->{PeerPort} = $port;
++ my $sockaddr = getpeername( $self );
++ my $af = sockaddr_family($sockaddr);
++ if( $af == AF_INET6 ) {
++ my ($port, $addr, $scope, $flow ) = unpack_sockaddr_in6( $sockaddr );
++ $arg_hash->{PeerAddr} = inet_ntop( $af, $addr );
++ $arg_hash->{PeerPort} = $port;
++ } else {
++ my ($port,$addr) = sockaddr_in( $sockaddr);
++ $arg_hash->{PeerAddr} = inet_ntoa( $addr );
++ $arg_hash->{PeerPort} = $port;
++ }
+ }
+ }
+
diff -Nru libio-socket-ssl-perl-1.76/debian/patches/series libio-socket-ssl-perl-1.76/debian/patches/series
--- libio-socket-ssl-perl-1.76/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ libio-socket-ssl-perl-1.76/debian/patches/series 2012-10-05 17:42:33.000000000 +0200
@@ -0,0 +1 @@
+0001-Fix-update_peer-subroutine-to-work-with-IPv6.patch
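Review bot: The rewritten `eval` body in the `@@ -525,9 +525,17 @@` hunk of the embedded SSL.pm patch still never inspects `$@`, so any failure inside it leaves `PeerAddr`/`PeerPort` unset without a trace, which is the same silent symptom this patch is meant to cure. Two things in the new lines can trigger that: `unpack_sockaddr_in6` and `AF_INET6` are used while the import hunk only adds `inet_ntop` (whether the other two are already in scope is not visible here, and an explicit import list on the Socket6 fallback would presumably suppress that module's default exports), and the bare `else` hands every non-IPv6 family to `sockaddr_in`. I would make the second branch `} elsif( $af == AF_INET ) {` and check the result after the block, e.g. `warn "cannot determine peer address: $@" if $@;`. Note also that `$scope` is unpacked and then dropped, so a link-local peer would be recorded without its zone. The enclosing subroutine starts above the hunk.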