
Bug#643667: marked as done (Broken symlinks on upgrade due to plain c_rehash call)



Your message dated Wed, 26 Oct 2011 18:32:15 +0000
with message-id <E1RJ8Gt-0003D9-KV@franck.debian.org>
and subject line Bug#643667: fixed in ca-certificates 20111025
has caused the Debian Bug report #643667,
regarding Broken symlinks on upgrade due to plain c_rehash call
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
643667: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=643667
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: ca-certificates
Version: 20110502+nmu1
Severity: serious
Tags: patch
User: ubuntu-devel@lists.ubuntu.com
Usertags: origin-ubuntu oneiric ubuntu-patch

        Hi

 See also:
 https://bugs.launchpad.net/ubuntu/oneiric/+source/ca-certificates/+bug/854927

 ca-certificates.postinst runs:
        # Call c_rehash when upgrading from older versions to that we
        # have both the old and new style of symlink
        if [ ! -z "$2" ]; then
          if dpkg --compare-versions "$2" le 20090814+nmu3; then
            c_rehash
          fi
        fi

 but a plain c_rehash call is wrong because at this point there might be
 a /etc/ssl/certs/ca-certificates.crt file with all certificates that
 c_rehash picks up and links to.  Instead, this file should be removed,
 then c_rehash should be called after clearing all other symlinks, then
 ca-certificates.crt should be regenerated.  update-ca-certificates
 --fresh is meant to do that, but didn't move
 /etc/ssl/certs/ca-certificates.crt away.

 The attached patch moves /etc/ssl/certs/ca-certificates.crt away
 (credit to Steve Langasek for fixing this), and removes the c_rehash
 upgrade snippet in favor.

 NB: The patch needs to be updated with this bug number and the uploaded
 version (see XXXs in patch).

    Cheers,
-- 
Loïc Minier
diff -Nru ca-certificates-20110502+nmu1/debian/changelog ca-certificates-20110502+nmu2/debian/changelog
--- ca-certificates-20110502+nmu1/debian/changelog	2011-08-31 04:02:49.000000000 +0200
+++ ca-certificates-20110502+nmu2/debian/changelog	2011-09-28 15:45:59.000000000 +0200
@@ -1,3 +1,18 @@
+ca-certificates (20110502+nmu2) UNRELEASED; urgency=low
+
+  [ Steve Langasek ]
+  * sbin/update-ca-certificates: move the ca-certificates.crt bundle out of
+    the way before calling c_rehash, so that symlinks don't accidentally get
+    pointed here, breaking openssl certificate verification.  LP: #854927.
+
+  [ Loïc Minier ]
+  * Drop bogus c_rehash on upgrades, which caused issue when
+    ca-certificates.crt was still in place; instead, call
+    update-ca-certificates --fresh on upgrades to this version, and
+    the usual update-ca-certificates otherwise; closes: #XXX.
+
+ -- Loïc Minier <lool@debian.org>  Wed, 28 Sep 2011 15:44:05 +0200
+
 ca-certificates (20110502+nmu1) unstable; urgency=high
 
   * Non-maintainer upload by the Security Team.
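Review bot: The last bullet of the new 20110502+nmu2 entry still ends in the placeholder "closes: #XXX", and the entry is marked UNRELEASED. Fill in the Debian bug number and the target distribution before upload, otherwise the BTS will not close the report automatically. The Steve Langasek bullet carries only the Launchpad reference (LP: #854927), so the Debian bug is closed only through the second bullet.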
diff -Nru ca-certificates-20110502+nmu1/debian/postinst ca-certificates-20110502+nmu2/debian/postinst
--- ca-certificates-20110502+nmu1/debian/postinst	2011-04-21 19:37:20.000000000 +0200
+++ ca-certificates-20110502+nmu2/debian/postinst	2011-09-28 15:42:28.000000000 +0200
@@ -137,13 +137,12 @@
 	        -e 's/^[[:space:]]*1[[:space:]]*/!/' \
 	    >> /etc/ca-certificates.conf
 	fi
-	update-ca-certificates
-	# Call c_rehash when upgrading from older versions to that we
-	# have both the old and new style of symlink
-	if [ ! -z "$2" ]; then
-	  if dpkg --compare-versions "$2" le 20090814+nmu3; then
-	    c_rehash
-	  fi
+	# fix bogus symlink to ca-certificates.crt on upgrades; see
+	# Debian #XXX; drop after wheezy
+	if dpkg --compare-versions "$2" lt-nl 20110502+nmu2+XXX; then
+	    update-ca-certificates --fresh
+	else
+	    update-ca-certificates
 	fi
     ;;
 
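Review bot: The bound in the added line 'dpkg --compare-versions "$2" lt-nl 20110502+nmu2+XXX' is a placeholder and must be replaced with the version that actually ships this postinst, or the --fresh branch is keyed to a version that never existed. The removed code guarded the empty "$2" case with an explicit '[ ! -z "$2" ]' test, while the new code relies on lt-nl treating an empty version as later than any version, so fresh installs fall through to the plain update-ca-certificates call. A short comment stating that intent next to the "drop after wheezy" note would help the next reader.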
diff -Nru ca-certificates-20110502+nmu1/sbin/update-ca-certificates ca-certificates-20110502+nmu2/sbin/update-ca-certificates
--- ca-certificates-20110502+nmu1/sbin/update-ca-certificates	2009-07-08 23:23:12.000000000 +0200
+++ ca-certificates-20110502+nmu2/sbin/update-ca-certificates	2011-09-28 15:43:57.000000000 +0200
@@ -127,8 +127,7 @@
   done
 fi
 
-chmod 0644 "$TEMPBUNDLE"
-mv -f "$TEMPBUNDLE" "$CERTBUNDLE"
+rm -f "$CERTBUNDLE"
 
 ADDED_CNT=$(wc -l < "$ADDED")
 REMOVED_CNT=$(wc -l < "$REMOVED")
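Review bot: Replacing the chmod/mv pair with 'rm -f "$CERTBUNDLE"' here means the bundle does not exist from this point until the mv added in the next hunk, where the old code replaced it with a single rename. Anything that opens ca-certificates.crt in that window, or after the script fails between the two points, finds no bundle at all. Consider renaming the old bundle aside to a name the rehash step ignores and restoring it on failure (for example from a trap), instead of deleting it outright.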
@@ -144,6 +143,9 @@
   fi
 fi
 
+chmod 0644 "$TEMPBUNDLE"
+mv -f "$TEMPBUNDLE" "$CERTBUNDLE"
+
 echo "$ADDED_CNT added, $REMOVED_CNT removed; done."
 
 HOOKSDIR=/etc/ca-certificates/update.d
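Review bot: The relocated 'chmod 0644 "$TEMPBUNDLE"' and 'mv -f "$TEMPBUNDLE" "$CERTBUNDLE"' lines have no comment explaining why they now sit after the preceding block. A one-line comment saying that the bundle must not be present in the certificate directory while the symlinks are rebuilt would keep a later cleanup from moving them back up. The placement before HOOKSDIR is used looks right, on the assumption that hooks expect the new bundle to be in place.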

--- End Message ---
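An added check for the symptom described in the report above, not part of the original message or of the ca-certificates package: it lists hash symlinks in a certificate directory that point at the bundle file, and symlinks whose target is missing. The function names and the sample directory are constructed for illustration; on a real system the directory would be /etc/ssl/certs.

```shell
#!/bin/sh
# Added example: audit a certificate directory for the symptom in this bug.
# Function names and the sample directory below are constructed for illustration.

# Print every symlink in DIR that points at the bundle instead of a single cert.
find_bundle_links() {
    dir=$1
    bundle=${2:-ca-certificates.crt}
    [ -d "$dir" ] || return 2
    for link in "$dir"/*; do
        [ -L "$link" ] || continue
        target=$(readlink "$link") || continue
        case $target in
            "$bundle" | */"$bundle") printf '%s\n' "$link" ;;
        esac
    done
}

# Print every symlink in DIR whose target no longer exists.
find_dangling_links() {
    dir=$1
    [ -d "$dir" ] || return 2
    for link in "$dir"/*; do
        if [ -L "$link" ] && [ ! -e "$link" ]; then
            printf '%s\n' "$link"
        fi
    done
}

# Build a constructed sample directory (placeholder files, not real certificates).
make_sample_dir() {
    d=$(mktemp -d) || return 1
    printf 'constructed placeholder\n' > "$d/Example_Root.pem"
    cp "$d/Example_Root.pem" "$d/ca-certificates.crt"
    ln -s Example_Root.pem "$d/0a1b2c3d.0"      # correct: hash -> single cert
    ln -s ca-certificates.crt "$d/4e5f6a7b.0"   # bogus: hash -> bundle
    ln -s Removed_Root.pem "$d/9c8d7e6f.0"      # dangling: target is gone
    printf '%s\n' "$d"
}

sample=$(make_sample_dir)
echo "symlinks pointing at the bundle:"; find_bundle_links "$sample"
echo "dangling symlinks:"; find_dangling_links "$sample"
rm -rf "$sample"
```

Any output from find_bundle_links on a real certificate directory indicates the state this bug describes.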
--- Begin Message ---
Source: ca-certificates
Source-Version: 20111025

We believe that the bug you reported is fixed in the latest version of
ca-certificates, which is due to be installed in the Debian FTP archive:

ca-certificates_20111025.dsc
  to main/c/ca-certificates/ca-certificates_20111025.dsc
ca-certificates_20111025.tar.gz
  to main/c/ca-certificates/ca-certificates_20111025.tar.gz
ca-certificates_20111025_all.deb
  to main/c/ca-certificates/ca-certificates_20111025_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 643667@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Shuler <michael@pbandjelly.org> (supplier of updated ca-certificates package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 25 Oct 2011 09:12:10 -0500
Source: ca-certificates
Binary: ca-certificates
Architecture: source all
Version: 20111025
Distribution: unstable
Urgency: low
Maintainer: Michael Shuler <michael@pbandjelly.org>
Changed-By: Michael Shuler <michael@pbandjelly.org>
Description: 
 ca-certificates - Common CA certificates
Closes: 537382 588219 619587 630232 643667
Changes: 
 ca-certificates (20111025) unstable; urgency=low
 .
   [ Michael Shuler ]
   * Add 3.0 (native) source format
   * Add Vcs-Git/Browser fields
   * Add myself as new Maintainer with Uploaders  Closes: #588219
   * Update mozilla/certdata.txt to latest (NSS branch version 1.64.2.13)
     Certificates added (+) and removed (-):
     + "AffirmTrust Commercial"
     + "AffirmTrust Networking"
     + "AffirmTrust Premium"
     + "AffirmTrust Premium ECC"
     + "A-Trust-nQual-03"
     + "Bogus Global Trustee"
     + "Bogus GMail"
     + "Bogus Google"
     + "Bogus kuix.de"
     + "Bogus live.com"
     + "Bogus Mozilla Addons"
     + "Bogus Skype"
     + "Bogus Yahoo 1"
     + "Bogus Yahoo 2"
     + "Bogus Yahoo 3"
     + "Certinomis - Autorité Racine"
     + "Certum Trusted Network CA"
     + "Explicitly Distrust DigiNotar Cyber CA"
     + "Explicitly Distrust DigiNotar Cyber CA 2nd"
     + "Explicitly Distrust DigiNotar Root CA"
     + "Explicitly Distrust DigiNotar Services 1024 CA"
     + "Explicitly Distrusted DigiNotar PKIoverheid"
     + "Explicitly Distrusted DigiNotar PKIoverheid G2"
     + "Go Daddy Root Certificate Authority - G2"
     + "Root CA Generalitat Valenciana"
     + "Starfield Root Certificate Authority - G2"
     + "Starfield Services Root Certificate Authority - G2"
     + "TWCA Root Certification Authority"
     - "AOL Time Warner Root Certification Authority 1"
     - "AOL Time Warner Root Certification Authority 2"
     - "DigiNotar Root CA"
     - "Entrust.net Global Secure Personal CA"
     - "Entrust.net Global Secure Server CA"
     - "Entrust.net Secure Personal CA"
     - "IPS Chained CAs root"
     - "IPS CLASE1 root"
     - "IPS CLASE3 root"
     - "IPS CLASEA1 root"
     - "IPS CLASEA3 root"
     - "IPS Timestamping root"
     - "Thawte Personal Freemail CA"
     - "Thawte Time Stamping CA"
   * "Bogus *" CAs above address Comodo MITM 03/11  Closes: #619587
   * Update CAcert-Class 3-Subroot-certificate  Closes: #630232
 .
   [ Steve Langasek ]
   * sbin/update-ca-certificates: move the ca-certificates.crt bundle out of
     the way before calling c_rehash, so that symlinks don't accidentally get
     pointed here, breaking openssl certificate verification  LP: #854927
 .
   [ Loïc Minier ]
   * Drop bogus c_rehash on upgrades, which caused issue when
     ca-certificates.crt was still in place; instead, call
     update-ca-certificates --fresh on upgrades to this version, and
     the usual update-ca-certificates otherwise  Closes: #643667, #537382



--- End Message ---
