Package: ca-certificates
Version: 20110502+nmu1
Severity: serious
Tags: patch
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu oneiric ubuntu-patch
Hi

See also: https://bugs.launchpad.net/ubuntu/oneiric/+source/ca-certificates/+bug/854927

ca-certificates.postinst runs:

    # Call c_rehash when upgrading from older versions to that we
    # have both the old and new style of symlink
    if [ ! -z "$2" ]; then
        if dpkg --compare-versions "$2" le 20090814+nmu3; then
            c_rehash
        fi
    fi

but a plain c_rehash call is wrong because at this point there might be a /etc/ssl/certs/ca-certificates.crt file with all certificates that c_rehash picks up and links to. Instead, this file should be removed, then c_rehash should be called after clearing all other symlinks, then ca-certificates.crt should be regenerated. update-ca-certificates --fresh is meant to do that, but didn't move /etc/ssl/certs/ca-certificates.crt away.

The attached patch moves /etc/ssl/certs/ca-certificates.crt away (credit to Steve Langasek for fixing this), and removes the c_rehash upgrade snippet in favor.

NB: The patch needs to be updated with this bug number and the uploaded version (see XXXs in patch).

Cheers,
--
Loïc Minier
diff -Nru ca-certificates-20110502+nmu1/debian/changelog ca-certificates-20110502+nmu2/debian/changelog --- ca-certificates-20110502+nmu1/debian/changelog 2011-08-31 04:02:49.000000000 +0200 +++ ca-certificates-20110502+nmu2/debian/changelog 2011-09-28 15:45:59.000000000 +0200 @@ -1,3 +1,18 @@ +ca-certificates (20110502+nmu2) UNRELEASED; urgency=low + + [ Steve Langasek ] + * sbin/update-ca-certificates: move the ca-certificates.crt bundle out of + the way before calling c_rehash, so that symlinks don't accidentally get + pointed here, breaking openssl certificate verification. LP: #854927. + + [ Loïc Minier ] + * Drop bogus c_rehash on upgrades, which caused issue when + ca-certificates.crt was still in place; instead, call + update-ca-certificates --fresh on upgrades to this version, and + the usual update-ca-certificates otherwise; closes: #XXX. + + -- Loïc Minier <l...@debian.org> Wed, 28 Sep 2011 15:44:05 +0200 + ca-certificates (20110502+nmu1) unstable; urgency=high * Non-maintainer upload by the Security Team. diff -Nru ca-certificates-20110502+nmu1/debian/postinst ca-certificates-20110502+nmu2/debian/postinst --- ca-certificates-20110502+nmu1/debian/postinst 2011-04-21 19:37:20.000000000 +0200 +++ ca-certificates-20110502+nmu2/debian/postinst 2011-09-28 15:42:28.000000000 +0200 
@@ -137,13 +137,12 @@ -e 's/^[[:space:]]*1[[:space:]]*/!/' \ >> /etc/ca-certificates.conf fi - update-ca-certificates - # Call c_rehash when upgrading from older versions to that we - # have both the old and new style of symlink - if [ ! -z "$2" ]; then - if dpkg --compare-versions "$2" le 20090814+nmu3; then - c_rehash - fi + # fix bogus symlink to ca-certificates.crt on upgrades; see + # Debian #XXX; drop after wheezy + if dpkg --compare-versions "$2" lt-nl 20110502+nmu2+XXX; then + update-ca-certificates --fresh + else + update-ca-certificates fi ;; diff -Nru ca-certificates-20110502+nmu1/sbin/update-ca-certificates ca-certificates-20110502+nmu2/sbin/update-ca-certificates --- ca-certificates-20110502+nmu1/sbin/update-ca-certificates 2009-07-08 23:23:12.000000000 +0200 +++ ca-certificates-20110502+nmu2/sbin/update-ca-certificates 2011-09-28 15:43:57.000000000 +0200 @@ -127,8 +127,7 @@ done fi -chmod 0644 "$TEMPBUNDLE" -mv -f "$TEMPBUNDLE" "$CERTBUNDLE" +rm -f "$CERTBUNDLE" ADDED_CNT=$(wc -l < "$ADDED") REMOVED_CNT=$(wc -l < "$REMOVED") @@ -144,6 +143,9 @@ fi fi +chmod 0644 "$TEMPBUNDLE" +mv -f "$TEMPBUNDLE" "$CERTBUNDLE" + echo "$ADDED_CNT added, $REMOVED_CNT removed; done." HOOKSDIR=/etc/ca-certificates/update.d
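Review bot: the `closes: #XXX` in the Loïc Minier changelog entry and the `UNRELEASED` distribution are placeholders that must be filled in before upload, as the cover mail already says; the version in this entry (20110502+nmu2) is also the value the new postinst comparison has to be checked against, so the two should be updated together. Minor wording in the same entry: "caused issue when" reads better as "caused issues when".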
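Review bot: in the postinst hunk, the threshold in `if dpkg --compare-versions "$2" lt-nl 20110502+nmu2+XXX; then` must become the exact version that is uploaded; if the placeholder is replaced with anything sorting above the real version, every later upgrade from the fixed version would still take the `update-ca-certificates --fresh` branch instead of the plain call. Dropping the old `[ ! -z "$2" ]` guard is correct here: `lt-nl` treats an empty second argument as later than any version, so a fresh install (empty `$2`) falls through to `update-ca-certificates` as intended. The comment "drop after wheezy" is useful; consider also stating why (upgrades skipping a release are not supported, so the `--fresh` branch can go once every supported path has passed through nmu2).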
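Review bot: in the first update-ca-certificates hunk, replacing the atomic `mv -f "$TEMPBUNDLE" "$CERTBUNDLE"` with `rm -f "$CERTBUNDLE"` and only restoring the bundle in the later hunk opens a window during which /etc/ssl/certs/ca-certificates.crt does not exist at all, whereas before this change the old bundle stayed readable until it was replaced in one rename. Any program that opens the bundle while the script is between the two points sees no CA store and fails verification. The removal itself is the right fix for the symlink problem (c_rehash would otherwise hash the bundle), so the suggestion is to keep the span between `rm -f` and the later `mv -f` as short as possible and to note the window in the comment above it.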
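Review bot: in the second update-ca-certificates hunk, the `chmod 0644 "$TEMPBUNDLE"` / `mv -f "$TEMPBUNDLE" "$CERTBUNDLE"` pair now runs after the intervening code, so if the script exits early anywhere between the two hunks (a failing command in that region, or an early `exit`), the bundle removed in the first hunk is never put back and the system is left without /etc/ssl/certs/ca-certificates.crt until the next run. A trap on EXIT that moves `$TEMPBUNDLE` into place, or an explicit restore on each early exit path, would close that gap. The ordering within the pair is right: permissions are set on the temporary file so the bundle appears at its final path already world-readable, and it is in place before the echo and before the hooks under `$HOOKSDIR` run.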
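The bug described in the mail leaves a tell-tale trace on an affected system: an OpenSSL hash-style symlink (8 hex digits, a dot, an index) in the certificate directory whose target is the concatenated bundle ca-certificates.crt. The following POSIX shell check is an added example, not code from the bug report or from the ca-certificates package; it scans a directory for such links and returns nonzero when none are found. The fixture directory and file names it builds (Example_Root.pem, 0123abcd.0, 89abcdef.0) are constructed for the example and stand in for /etc/ssl/certs.

```shell
#!/bin/sh
# Added example (not from the bug report or the ca-certificates package):
# detect hash-style symlinks in a certificate directory that point at the
# bundle ca-certificates.crt, the symptom the mail above describes.

# find_bundle_links DIR
# Prints "LINK -> TARGET" for every symlink in DIR whose name looks like an
# OpenSSL hash link and whose target is ca-certificates.crt.
# Returns 0 when at least one such link exists, 1 otherwise.
find_bundle_links() {
    dir=$1
    found=1
    for link in "$dir"/*; do
        [ -L "$link" ] || continue
        name=${link##*/}
        # only hash links are of interest; plain names such as foo.pem are skipped
        case $name in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*) ;;
            *) continue ;;
        esac
        target=$(readlink "$link")
        # compare on the basename so relative and absolute targets both match
        case ${target##*/} in
            ca-certificates.crt)
                printf '%s -> %s\n' "$link" "$target"
                found=0
                ;;
        esac
    done
    return $found
}

# count_bundle_links DIR
# Number of offending links, printed as a bare integer.
count_bundle_links() {
    find_bundle_links "$1" | wc -l | tr -d ' '
}

# make_fixture
# Builds a constructed directory resembling /etc/ssl/certs after a c_rehash
# that ran while the bundle was still present; prints the directory path.
make_fixture() {
    fixture=$(mktemp -d)
    printf 'constructed bundle\n' > "$fixture/ca-certificates.crt"
    printf 'constructed certificate\n' > "$fixture/Example_Root.pem"
    ln -s Example_Root.pem "$fixture/0123abcd.0"       # legitimate hash link
    ln -s ca-certificates.crt "$fixture/89abcdef.0"    # bogus link to the bundle
    printf '%s\n' "$fixture"
}

# Stand-alone use: scan the constructed fixture, then clean it up.
fixture_dir=$(make_fixture)
find_bundle_links "$fixture_dir" || echo "no links to the bundle found"
rm -rf "$fixture_dir"
```

On a real system the call would be `find_bundle_links /etc/ssl/certs`; a hit means the fix in the patch (run `update-ca-certificates --fresh`, which now removes the bundle before rehashing) is needed, since such a link makes OpenSSL treat the whole bundle as the certificate for that subject hash.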