Bug#643667: Broken symlinks on upgrade due to plain c_rehash call
Package: ca-certificates
Version: 20110502+nmu1
Severity: serious
Tags: patch
User: ubuntu-devel@lists.ubuntu.com
Usertags: origin-ubuntu oneiric ubuntu-patch
Hi
See also:
https://bugs.launchpad.net/ubuntu/oneiric/+source/ca-certificates/+bug/854927
ca-certificates.postinst runs:
    # Call c_rehash when upgrading from older versions to that we
    # have both the old and new style of symlink
    if [ ! -z "$2" ]; then
        if dpkg --compare-versions "$2" le 20090814+nmu3; then
            c_rehash
        fi
    fi
but a plain c_rehash call is wrong because at this point there might be
a /etc/ssl/certs/ca-certificates.crt file with all certificates that
c_rehash picks up and links to. Instead, this file should be removed,
then c_rehash should be called after clearing all other symlinks, then
ca-certificates.crt should be regenerated. update-ca-certificates
--fresh is meant to do that, but didn't move
/etc/ssl/certs/ca-certificates.crt away.
The attached patch moves /etc/ssl/certs/ca-certificates.crt away
(credit to Steve Langasek for fixing this), and removes the c_rehash
upgrade snippet in favor.
NB: The patch needs to be updated with this bug number and the uploaded
version (see XXXs in patch).
Cheers,
--
Loïc Minier
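A check for the broken state described above, added here as an example and not part of this report or of the ca-certificates package: it walks an OpenSSL certs directory and lists the hash-style symlinks (eight hex digits, a dot, a number, the form c_rehash creates) whose target is the ca-certificates.crt bundle. The directory contents are constructed for the demo, and `find_bundle_links` is a hypothetical helper name.

```sh
#!/bin/sh
# Added example, not code from the bug report or the ca-certificates package.
# find_bundle_links DIR [BUNDLE]
#   Lists hash-style symlinks (e.g. 2e4eed3c.0) in DIR whose target is the
#   BUNDLE file (default ca-certificates.crt). Returns 0 when none is found
#   and 1 when at least one is, so it can serve as a post-upgrade check.
find_bundle_links() {
    dir=$1
    bundle=${2:-ca-certificates.crt}
    found=0
    for link in "$dir"/*.[0-9]*; do
        [ -L "$link" ] || continue
        # only names of the form <8 hex digits>.<n> are c_rehash links
        printf '%s\n' "${link##*/}" | grep -Eq '^[0-9a-f]{8}\.[0-9]+$' || continue
        target=$(readlink "$link")
        if [ "${target##*/}" = "$bundle" ]; then
            echo "$link -> $target"
            found=1
        fi
    done
    return $found
}

# Demo on a constructed directory (no real CA data): one good link to an
# individual certificate file, two bogus links to the bundle.
demo_dir=$(mktemp -d)
: > "$demo_dir/ca-certificates.crt"
: > "$demo_dir/Example_CA.pem"
ln -s Example_CA.pem "$demo_dir/2e4eed3c.0"
ln -s ca-certificates.crt "$demo_dir/b204d74a.0"
ln -s ca-certificates.crt "$demo_dir/b204d74a.1"

if find_bundle_links "$demo_dir"; then
    echo "no hash symlinks point at the bundle"
else
    echo "bogus symlinks found; rerun update-ca-certificates --fresh with the fixed package"
fi
rm -rf "$demo_dir"
```

Run it against /etc/ssl/certs on an upgraded system to see whether any hash link still resolves to the bundle; a clean directory returns 0 and prints nothing from the helper.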
diff -Nru ca-certificates-20110502+nmu1/debian/changelog ca-certificates-20110502+nmu2/debian/changelog
--- ca-certificates-20110502+nmu1/debian/changelog 2011-08-31 04:02:49.000000000 +0200
+++ ca-certificates-20110502+nmu2/debian/changelog 2011-09-28 15:45:59.000000000 +0200
@@ -1,3 +1,18 @@
+ca-certificates (20110502+nmu2) UNRELEASED; urgency=low
+
+ [ Steve Langasek ]
+ * sbin/update-ca-certificates: move the ca-certificates.crt bundle out of
+ the way before calling c_rehash, so that symlinks don't accidentally get
+ pointed here, breaking openssl certificate verification. LP: #854927.
+
+ [ Loïc Minier ]
+ * Drop bogus c_rehash on upgrades, which caused issue when
+ ca-certificates.crt was still in place; instead, call
+ update-ca-certificates --fresh on upgrades to this version, and
+ the usual update-ca-certificates otherwise; closes: #XXX.
+
+ -- Loïc Minier <lool@debian.org> Wed, 28 Sep 2011 15:44:05 +0200
+
ca-certificates (20110502+nmu1) unstable; urgency=high
* Non-maintainer upload by the Security Team.
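Review bot: `closes: #XXX` in the [ Loïc Minier ] entry and the UNRELEASED distribution in the header still need filling in before upload; the report itself is Bug#643667, so the entry should read `closes: #643667`. Minor wording in the same entry: "caused issue when" reads as "caused issues when".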
diff -Nru ca-certificates-20110502+nmu1/debian/postinst ca-certificates-20110502+nmu2/debian/postinst
--- ca-certificates-20110502+nmu1/debian/postinst 2011-04-21 19:37:20.000000000 +0200
+++ ca-certificates-20110502+nmu2/debian/postinst 2011-09-28 15:42:28.000000000 +0200
@@ -137,13 +137,12 @@
-e 's/^[[:space:]]*1[[:space:]]*/!/' \
>> /etc/ca-certificates.conf
fi
- update-ca-certificates
- # Call c_rehash when upgrading from older versions to that we
- # have both the old and new style of symlink
- if [ ! -z "$2" ]; then
- if dpkg --compare-versions "$2" le 20090814+nmu3; then
- c_rehash
- fi
+ # fix bogus symlink to ca-certificates.crt on upgrades; see
+ # Debian #XXX; drop after wheezy
+ if dpkg --compare-versions "$2" lt-nl 20110502+nmu2+XXX; then
+ update-ca-certificates --fresh
+ else
+ update-ca-certificates
fi
;;
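Review bot: the version in `if dpkg --compare-versions "$2" lt-nl 20110502+nmu2+XXX; then` is a placeholder and must become the exact first version carrying this fix; otherwise upgrades from any version between nmu1 and the real fixed one skip the `--fresh` run and keep the bogus symlinks. The removed `[ ! -z "$2" ]` guard is only implicitly replaced: `lt-nl` treats an empty `$2` (a fresh install) as newer than any version, so the else branch runs the plain `update-ca-certificates`; a one-line comment saying so would stop the next reader from re-adding the guard. The `see Debian #XXX` comment needs the real bug number too.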
diff -Nru ca-certificates-20110502+nmu1/sbin/update-ca-certificates ca-certificates-20110502+nmu2/sbin/update-ca-certificates
--- ca-certificates-20110502+nmu1/sbin/update-ca-certificates 2009-07-08 23:23:12.000000000 +0200
+++ ca-certificates-20110502+nmu2/sbin/update-ca-certificates 2011-09-28 15:43:57.000000000 +0200
@@ -127,8 +127,7 @@
done
fi
-chmod 0644 "$TEMPBUNDLE"
-mv -f "$TEMPBUNDLE" "$CERTBUNDLE"
+rm -f "$CERTBUNDLE"
ADDED_CNT=$(wc -l < "$ADDED")
REMOVED_CNT=$(wc -l < "$REMOVED")
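Review bot: `rm -f "$CERTBUNDLE"` now deletes the live bundle before the rehash, and a replacement is only installed by the later `mv -f "$TEMPBUNDLE" "$CERTBUNDLE"`; anything verifying against ca-certificates.crt during the c_rehash run sees no bundle, and if the script dies in between the system is left without one. A comment here stating why the bundle has to be absent while c_rehash scans the directory (it would otherwise hash the bundle and point symlinks at it) would help, and moving the bundle to a name outside the certs directory instead of deleting it would let a failure path restore it.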
@@ -144,6 +143,9 @@
fi
fi
+chmod 0644 "$TEMPBUNDLE"
+mv -f "$TEMPBUNDLE" "$CERTBUNDLE"
+
echo "$ADDED_CNT added, $REMOVED_CNT removed; done."
HOOKSDIR=/etc/ca-certificates/update.d
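Review bot: the relocated `chmod 0644 "$TEMPBUNDLE"` / `mv -f "$TEMPBUNDLE" "$CERTBUNDLE"` pair carries no comment explaining why it now sits after the c_rehash block; since the ordering is the whole fix (the bundle must not be present when c_rehash runs, per the changelog), a comment here would keep a later cleanup from moving it back above the rehash.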