Bug#643667: Broken symlinks on upgrade due to plain c_rehash call
Package: ca-certificates
Version: 20110502+nmu1
Severity: serious
Tags: patch
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu oneiric ubuntu-patch

Hi

See also: https://bugs.launchpad.net/ubuntu/oneiric/+source/ca-certificates/+bug/854927

ca-certificates.postinst runs:

    # Call c_rehash when upgrading from older versions to that we
    # have both the old and new style of symlink
    if [ ! -z "$2" ]; then
        if dpkg --compare-versions "$2" le 20090814+nmu3; then
            c_rehash
        fi
    fi

but a plain c_rehash call is wrong because at this point there might be a
/etc/ssl/certs/ca-certificates.crt file with all certificates that c_rehash
picks up and links to. Instead, this file should be removed, then c_rehash
should be called after clearing all other symlinks, then ca-certificates.crt
should be regenerated. update-ca-certificates --fresh is meant to do that,
but didn't move /etc/ssl/certs/ca-certificates.crt away.

The attached patch moves /etc/ssl/certs/ca-certificates.crt away (credit to
Steve Langasek for fixing this), and removes the c_rehash upgrade snippet in
favor.

NB: The patch needs to be updated with this bug number and the uploaded
version (see XXXs in patch).

Cheers,
-- 
Loïc Minier

diff -Nru ca-certificates-20110502+nmu1/debian/changelog ca-certificates-20110502+nmu2/debian/changelog --- ca-certificates-20110502+nmu1/debian/changelog 2011-08-31 04:02:49.0 +0200 +++ ca-certificates-20110502+nmu2/debian/changelog 2011-09-28 15:45:59.0 +0200 
@@ -1,3 +1,18 @@ +ca-certificates (20110502+nmu2) UNRELEASED; urgency=low + + [ Steve Langasek ] + * sbin/update-ca-certificates: move the ca-certificates.crt bundle out of +the way before calling c_rehash, so that symlinks don't accidentally get +pointed here, breaking openssl certificate verification. LP: #854927. + + [ Loïc Minier ] + * Drop bogus c_rehash on upgrades, which caused issue when +ca-certificates.crt was still in place; instead, call +update-ca-certificates --fresh on upgrades to this version, and +the usual update-ca-certificates otherwise; closes: #XXX. + + -- Loïc Minier Wed, 28 Sep 2011 15:44:05 +0200 + ca-certificates (20110502+nmu1) unstable; urgency=high * Non-maintainer upload by the Security Team. diff -Nru ca-certificates-20110502+nmu1/debian/postinst ca-certificates-20110502+nmu2/debian/postinst --- ca-certificates-20110502+nmu1/debian/postinst 2011-04-21 19:37:20.0 +0200 +++ ca-certificates-20110502+nmu2/debian/postinst 2011-09-28 15:42:28.0 +0200 @@ -137,13 +137,12 @@ -e 's/^[[:space:]]*1[[:space:]]*/!/' \ >> /etc/ca-certificates.conf fi - update-ca-certificates - # Call c_rehash when upgrading from older versions to that we - # have both the old and new style of symlink - if [ ! -z "$2" ]; then - if dpkg --compare-versions "$2" le 20090814+nmu3; then - c_rehash - fi + # fix bogus symlink to ca-certificates.crt on upgrades; see + # Debian #XXX; drop after wheezy + if dpkg --compare-versions "$2" lt-nl 20110502+nmu2+XXX; then + update-ca-certificates --fresh + else + update-ca-certificates fi ;; diff -Nru ca-certificates-20110502+nmu1/sbin/update-ca-certificates ca-certificates-20110502+nmu2/sbin/update-ca-certificates --- ca-certificates-20110502+nmu1/sbin/update-ca-certificates 2009-07-08 23:23:12.0 +0200 +++ ca-certificates-20110502+nmu2/sbin/update-ca-certificates 2011-09-28 15:43:57.0 +0200 
@@ -127,8 +127,7 @@ done fi -chmod 0644 "$TEMPBUNDLE" -mv -f "$TEMPBUNDLE" "$CERTBUNDLE" +rm -f "$CERTBUNDLE" ADDED_CNT=$(wc -l < "$ADDED") REMOVED_CNT=$(wc -l < "$REMOVED") @@ -144,6 +143,9 @@ fi fi +chmod 0644 "$TEMPBUNDLE" +mv -f "$TEMPBUNDLE" "$CERTBUNDLE" + echo "$ADDED_CNT added, $REMOVED_CNT removed; done." HOOKSDIR=/etc/ca-certificates/update.d
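Review bot: in the debian/changelog hunk, `closes: #XXX` in the [ Loïc Minier ] stanza and the `UNRELEASED` distribution both need to be replaced before upload (the cover mail says so for the bug number); a stanza that still says `#XXX` will not close this bug in the BTS, and the version chosen here must be the same one the postinst hunk compares against, or the two fall out of step.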
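Review bot: in the debian/postinst hunk, `dpkg --compare-versions "$2" lt-nl 20110502+nmu2+XXX` behaves correctly for a fresh install (an empty `$2` compares as "later" under `lt-nl`, so the plain `update-ca-certificates` branch runs, replacing the old `[ ! -z "$2" ]` guard), but `20110502+nmu2+XXX` is a placeholder: if it were uploaded as-is, every later upgrade from 20110502+nmu2 would still sort below it and run `--fresh` each time. Replace it with the real uploaded version, and note in the comment that this `--fresh` path is only safe together with the sbin/update-ca-certificates change in the same patch; the postinst change should not be cherry-picked without it.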
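Review bot: in the first sbin/update-ca-certificates hunk (`@@ -127,8 +127,7 @@`), `rm -f "$CERTBUNDLE"` now removes the bundle unconditionally and the replacement is only installed after the c_rehash block, so every run, not just `--fresh`, has a window in which /etc/ssl/certs/ca-certificates.crt does not exist and a TLS client that starts up then fails verification for lack of a CAfile. The `ADDED_CNT`/`REMOVED_CNT` values that decide whether c_rehash runs are computed right after this line, so the removal could be deferred until just before the c_rehash call, which limits the window to runs that actually rehash; renaming the old bundle to a name c_rehash does not scan (to be checked against the installed c_rehash) instead of deleting it would also allow restoring it if the run is interrupted.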
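Review bot: in the second sbin/update-ca-certificates hunk (`@@ -144,6 +143,9 @@`), the `chmod 0644`/`mv -f` pair is now the only step that recreates the bundle after the earlier `rm -f`, and it sits after both `fi` lines, i.e. outside the "only if the set of files changed" block; that is correct (the bundle must come back on every run), but it also means an error or signal anywhere between the removal and this `mv` leaves the system with no bundle at all. A short comment here stating that the bundle is intentionally installed after c_rehash, and why, would stop a later cleanup from moving it back up.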
Processed: forcibly merging 407550 600493
Processing commands for cont...@bugs.debian.org:

> forcemerge 407550 600493
Bug#407550: ca-certificates: c_rehash should be made compatible with gnutls-bin
Bug#600493: ca-certificates depends on openssl, but it's not a necessity
Forcibly Merged 407550 600493.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
600493: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=600493
407550: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=407550
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

-- 
To UNSUBSCRIBE, email to debian-qa-packages-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/handler.s.c.131721682121927.transcr...@bugs.debian.org
Bug#407550: Bug#600493: ca-certificates depends on openssl, but it's not a necessity
On Sun, Oct 17, 2010, Michael Orlov wrote:
> So, the usecase is instead: not having libssl/openssl installed at all,
> but still having the individual certificates in various directories
> (most bundled with the ca-certificates package), and having the ability
> to combine the trusted ones into ca-certificates.crt, using
> update-ca-certificates, for use by gnutls (or nss).
>
> c_rehash is not needed for that. I suggest removing the openssl
> dependency, and putting a check for c_rehash existence into
> update-ca-certificates.

It's a fair request to avoid the openssl dependency. I am a user of the
hashed certificates feature, and there is an important performance gain for
processes not to have to read and parse the whole pile of certs in
/etc/ssl/certs/ca-certificates.crt but instead just load the right one by
fingerprint from /etc/ssl/certs/ symlinks. This is what Postfix does with
its smtp_tls_CApath and smtpd_tls_CApath options, and the Postfix TLS README
explains that this is faster than using a single CAfile. (See openssl
s_client -CAfile/-CApath flags for implementations.) In the case of
Postfix, it's important because the processes are short-lived; I expect
Apache to be in a similar situation.

Now, in terms of implementation, update-ca-certificates supports hooks; I
think hooks should be used to generate these symlinks, and that a new
openssl hook should test whether c_rehash is present before calling it.
There's a catch that ca-certificates.crt is in the same directory as the
other certificates, and should be moved away before calling c_rehash.

-- 
Loïc Minier

Archive: http://lists.debian.org/20110928133419.ga8...@bee.dooz.org
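The ordering problem described in the bug report (bundle still present while c_rehash runs, so a hash link lands on ca-certificates.crt) and the catch noted at the end of this reply can be reproduced without a real OpenSSL install. The script below is an added illustration, not code from the bug report, from the ca-certificates package or from Loïc Minier: a mock stands in for c_rehash and links every *.pem and *.crt file in a directory under a checksum-derived name, the way c_rehash links every certificate file under its subject hash (that the real c_rehash also scans *.crt is taken from the bug report). The two fake certificate files, the temporary bundle name and the function names are all constructed for the example. `links_to_bundle` is the check worth keeping: it reports whether any hash link in a certificate directory resolves to the bundle.

```shell
#!/bin/sh
# Added illustration (not from the bug report or the ca-certificates package).
# Compares the old postinst ordering with the ordering the patched
# update-ca-certificates --fresh uses, using a mock in place of c_rehash.

# Mock of c_rehash: link every *.pem and *.crt file under a checksum-derived
# name (real c_rehash uses the subject hash; *.crt scanning is assumed from
# the bug report).
mock_rehash() {
    dir="$1"
    for f in "$dir"/*.pem "$dir"/*.crt; do
        [ -L "$f" ] && continue          # links are outputs, not inputs
        [ -f "$f" ] || continue          # unmatched glob pattern
        h=$(cksum < "$f" | cut -d' ' -f1)
        ln -sf "$(basename "$f")" "$dir/$h.0"
    done
}

# Old postinst ordering: the full bundle sits in the directory while hashing,
# so it gets a hash link of its own.
old_order_update() {
    dir="$1"
    cat "$dir"/*.pem > "$dir/ca-certificates.crt"
    mock_rehash "$dir"
}

# Ordering of the patched update-ca-certificates --fresh: bundle out of the
# way, stale links cleared, individual certificates hashed, new bundle
# installed last.
fresh_order_update() {
    dir="$1"
    tmpbundle="$dir/ca-certificates.crt.tmp"   # constructed temp name
    rm -f "$dir/ca-certificates.crt"
    find "$dir" -maxdepth 1 -type l -exec rm -f {} +
    cat "$dir"/*.pem > "$tmpbundle"
    mock_rehash "$dir"
    chmod 0644 "$tmpbundle"
    mv -f "$tmpbundle" "$dir/ca-certificates.crt"
}

# Check usable on a real certificate directory too: returns 0 (true) if any
# hash link (name ending in .0, .1, ...) resolves to ca-certificates.crt.
links_to_bundle() {
    dir="$1"
    for l in "$dir"/*.[0-9]; do
        [ -L "$l" ] || continue
        [ "$(readlink "$l")" = "ca-certificates.crt" ] && return 0
    done
    return 1
}

# Constructed sample directory with two fake certificate files (not real PEM).
make_certsdir() {
    dir=$(mktemp -d)
    printf 'FAKE CERT A\n' > "$dir/a.pem"
    printf 'FAKE CERT B\n' > "$dir/b.pem"
    echo "$dir"
}

d=$(make_certsdir)
old_order_update "$d"
if links_to_bundle "$d"; then
    echo "old ordering: a hash link points at ca-certificates.crt"
fi

d=$(make_certsdir)
fresh_order_update "$d"
if ! links_to_bundle "$d"; then
    echo "fresh ordering: every hash link points at an individual certificate"
fi
```

On a live system, `links_to_bundle /etc/ssl/certs` (with the real c_rehash having produced the links) is a quick way to tell whether an earlier plain c_rehash run left a link on the bundle; the fresh ordering still has the window between `rm -f` and `mv -f` in which no bundle exists, which the reviewer notes on the patch discuss.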
Processing of contacts_0.9-1.2_amd64.changes
contacts_0.9-1.2_amd64.changes uploaded successfully to localhost
along with the files:
  contacts_0.9-1.2.dsc
  contacts_0.9-1.2.diff.gz
  contacts_0.9-1.2_amd64.deb

Greetings,

	Your Debian queue daemon (running on host franck.debian.org)

Archive: http://lists.debian.org/e1r8yml-0007gv...@franck.debian.org
contacts_0.9-1.2_amd64.changes ACCEPTED into unstable
Accepted:
contacts_0.9-1.2.diff.gz
  to main/c/contacts/contacts_0.9-1.2.diff.gz
contacts_0.9-1.2.dsc
  to main/c/contacts/contacts_0.9-1.2.dsc
contacts_0.9-1.2_amd64.deb
  to main/c/contacts/contacts_0.9-1.2_amd64.deb

Override entries for your package:
contacts_0.9-1.2.dsc - source gnome
contacts_0.9-1.2_amd64.deb - optional gnome

Announcing to debian-devel-chan...@lists.debian.org

Thank you for your contribution to Debian.

Archive: http://lists.debian.org/e1r8yvr-fr...@franck.debian.org
Processing of dates_0.4.8-1.2_amd64.changes
dates_0.4.8-1.2_amd64.changes uploaded successfully to localhost
along with the files:
  dates_0.4.8-1.2.dsc
  dates_0.4.8-1.2.diff.gz
  dates_0.4.8-1.2_amd64.deb
  dates-hildon_0.4.8-1.2_amd64.deb

Greetings,

	Your Debian queue daemon (running on host franck.debian.org)

Archive: http://lists.debian.org/e1r8ywx-ir...@franck.debian.org
dates_0.4.8-1.2_amd64.changes ACCEPTED into unstable
Accepted:
dates-hildon_0.4.8-1.2_amd64.deb
  to main/d/dates/dates-hildon_0.4.8-1.2_amd64.deb
dates_0.4.8-1.2.diff.gz
  to main/d/dates/dates_0.4.8-1.2.diff.gz
dates_0.4.8-1.2.dsc
  to main/d/dates/dates_0.4.8-1.2.dsc
dates_0.4.8-1.2_amd64.deb
  to main/d/dates/dates_0.4.8-1.2_amd64.deb

Override entries for your package:
dates-hildon_0.4.8-1.2_amd64.deb - optional gnome
dates_0.4.8-1.2.dsc - source gnome
dates_0.4.8-1.2_amd64.deb - optional gnome

Announcing to debian-devel-chan...@lists.debian.org

Thank you for your contribution to Debian.

Archive: http://lists.debian.org/e1r8zau-0002dj...@franck.debian.org
Processing of gtkam_0.1.18-1_amd64.changes
gtkam_0.1.18-1_amd64.changes uploaded successfully to localhost
along with the files:
  gtkam_0.1.18-1.dsc
  gtkam_0.1.18.orig.tar.gz
  gtkam_0.1.18-1.diff.gz
  gtkam_0.1.18-1_amd64.deb
  gtkam-gimp_0.1.18-1_amd64.deb
  gtkam-dbg_0.1.18-1_amd64.deb

Greetings,

	Your Debian queue daemon (running on host franck.debian.org)

Archive: http://lists.debian.org/e1r96jw-vi...@franck.debian.org
gtkam_0.1.18-1_amd64.changes ACCEPTED into unstable
Accepted:
gtkam-dbg_0.1.18-1_amd64.deb
  to main/g/gtkam/gtkam-dbg_0.1.18-1_amd64.deb
gtkam-gimp_0.1.18-1_amd64.deb
  to main/g/gtkam/gtkam-gimp_0.1.18-1_amd64.deb
gtkam_0.1.18-1.diff.gz
  to main/g/gtkam/gtkam_0.1.18-1.diff.gz
gtkam_0.1.18-1.dsc
  to main/g/gtkam/gtkam_0.1.18-1.dsc
gtkam_0.1.18-1_amd64.deb
  to main/g/gtkam/gtkam_0.1.18-1_amd64.deb
gtkam_0.1.18.orig.tar.gz
  to main/g/gtkam/gtkam_0.1.18.orig.tar.gz

Override entries for your package:
gtkam-dbg_0.1.18-1_amd64.deb - extra debug
gtkam-gimp_0.1.18-1_amd64.deb - extra graphics
gtkam_0.1.18-1.dsc - source graphics
gtkam_0.1.18-1_amd64.deb - extra graphics

Announcing to debian-devel-chan...@lists.debian.org

Closing bugs: 608433

Thank you for your contribution to Debian.

Archive: http://lists.debian.org/e1r96xk-0002cg...@franck.debian.org