Broken symlinks on upgrade due to plain c_rehash call #643667
authorMichael Shuler <michael@pbandjelly.org>
Tue, 25 Oct 2011 00:03:59 +0000 (19:03 -0500)
committerMichael Shuler <michael@pbandjelly.org>
Tue, 25 Oct 2011 00:03:59 +0000 (19:03 -0500)
debian/changelog
debian/postinst
sbin/update-ca-certificates

index c92416deee9956e18db7bb6fa63b928a1e8db785..b4e956dee6affada9d93acaa9acd267f367cc4d6 100644 (file)
@@ -1,3 +1,18 @@
+ca-certificates (20111024) UNRELEASED; urgency=low
+
+  [ Steve Langasek ]
+  * sbin/update-ca-certificates: move the ca-certificates.crt bundle out of
+    the way before calling c_rehash, so that symlinks don't accidentally get
+    pointed here, breaking openssl certificate verification  LP: #854927
+
+  [ Loïc Minier ]
+  * Drop bogus c_rehash on upgrades, which caused issue when
+    ca-certificates.crt was still in place; instead, call
+    update-ca-certificates --fresh on upgrades to this version, and
+    the usual update-ca-certificates otherwise  Closes: #643667
+
+ -- Michael Shuler <michael@pbandjelly.org>  Mon, 24 Oct 2011 18:44:13 -0500
+
 ca-certificates (20111023) unstable; urgency=low
 
   * Add 3.0 (native) source format
 ca-certificates (20111023) unstable; urgency=low
 
   * Add 3.0 (native) source format
index b2772819c3f2cc6dad4a9cc324505907520cb3b3..21d1b94aceb2ebc15ca34aa78e50a2d9b5cdeba9 100644 (file)
@@ -137,13 +137,12 @@ EOF
                -e 's/^[[:space:]]*1[[:space:]]*/!/' \
            >> /etc/ca-certificates.conf
        fi
                -e 's/^[[:space:]]*1[[:space:]]*/!/' \
            >> /etc/ca-certificates.conf
        fi
-       update-ca-certificates
-       # Call c_rehash when upgrading from older versions to that we
-       # have both the old and new style of symlink
-       if [ ! -z "$2" ]; then
-         if dpkg --compare-versions "$2" le 20090814+nmu3; then
-           c_rehash
-         fi
+       # fix bogus symlink to ca-certificates.crt on upgrades; see
+       # Debian #643667; drop after wheezy
+       if dpkg --compare-versions "$2" lt-nl 20110502+nmu2+643667; then
+           update-ca-certificates --fresh
+       else
+           update-ca-certificates
        fi
     ;;
 
        fi
     ;;
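Review bot: The new test `dpkg --compare-versions "$2" lt-nl 20110502+nmu2+643667` drops the old `[ ! -z "$2" ]` guard and silently depends on `lt-nl` treating an empty `$2` as later than any version, which is what sends a fresh install to the plain `update-ca-certificates` branch. The comment above it only names the bug number, so a later maintainer could "simplify" `lt-nl` to `lt` and make every fresh install run `--fresh`. I would extend the comment with a line such as `# lt-nl: an empty "$2" (fresh install) compares as newer, so only real upgrades take --fresh`. The enclosing case arm starts and ends outside the hunk, so whether a failing `update-ca-certificates` aborts the postinst cannot be checked from here.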
 
index fc083d77dfce5f6a08ca5ca47282a3ba420752a8..53759501cfcf738992e10b2ad075962cc50e2b6a 100755 (executable)
@@ -127,8 +127,7 @@ then
   done
 fi
 
   done
 fi
 
-chmod 0644 "$TEMPBUNDLE"
-mv -f "$TEMPBUNDLE" "$CERTBUNDLE"
+rm -f "$CERTBUNDLE"
 
 ADDED_CNT=$(wc -l < "$ADDED")
 REMOVED_CNT=$(wc -l < "$REMOVED")
 
 ADDED_CNT=$(wc -l < "$ADDED")
 REMOVED_CNT=$(wc -l < "$REMOVED")
@@ -144,6 +143,9 @@ then
   fi
 fi
 
   fi
 fi
 
+chmod 0644 "$TEMPBUNDLE"
+mv -f "$TEMPBUNDLE" "$CERTBUNDLE"
+
 echo "$ADDED_CNT added, $REMOVED_CNT removed; done."
 
 HOOKSDIR=/etc/ca-certificates/update.d
 echo "$ADDED_CNT added, $REMOVED_CNT removed; done."
 
 HOOKSDIR=/etc/ca-certificates/update.d
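Review bot: Between `rm -f "$CERTBUNDLE"` in the first hunk and the relocated `mv -f "$TEMPBUNDLE" "$CERTBUNDLE"` in the second, the system has no certificate bundle at all, whereas the old code replaced it with a single rename. A TLS client that opens the bundle during that gap will fail to load its trust anchors, and if the script exits there the bundle stays missing until the next successful run. Consider moving the live file aside instead of deleting it, e.g. `if [ -e "$CERTBUNDLE" ]; then mv -f "$CERTBUNDLE" "$CERTBUNDLE.old"; fi` (a suffix the rehash step should not pick up; confirm), then removing that copy only after the final `mv -f` succeeds, with an exit trap that restores it on failure. The code between the two hunks is not visible, so what runs in the gap is inferred from the changelog entry.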