From 26c8042c69f3424e5c3d7e93a9915725fee6742a Mon Sep 17 00:00:00 2001
From: Michael Shuler
Date: Mon, 24 Oct 2011 19:03:59 -0500
Subject: [PATCH] Broken symlinks on upgrade due to plain c_rehash call #643667

---
 debian/changelog | 15 +++++++++++++++
 debian/postinst | 13 ++++++-------
 sbin/update-ca-certificates | 6 ++++--
 3 files changed, 25 insertions(+), 9 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index c92416d..b4e956d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,18 @@
+ca-certificates (20111024) UNRELEASED; urgency=low
+
+ [ Steve Langasek ]
+ * sbin/update-ca-certificates: move the ca-certificates.crt bundle out of
+ the way before calling c_rehash, so that symlinks don't accidentally get
+ pointed here, breaking openssl certificate verification LP: #854927
+
+ [ Loïc Minier ]
+ * Drop bogus c_rehash on upgrades, which caused issue when
+ ca-certificates.crt was still in place; instead, call
+ update-ca-certificates --fresh on upgrades to this version, and
+ the usual update-ca-certificates otherwise Closes: #643667
+
+ -- Michael Shuler Mon, 24 Oct 2011 18:44:13 -0500
+
 ca-certificates (20111023) unstable; urgency=low
 
 * Add 3.0 (native) source format
diff --git a/debian/postinst b/debian/postinst
index b277281..21d1b94 100644
--- a/debian/postinst
+++ b/debian/postinst
@@ -137,13 +137,12 @@ EOF
 -e 's/^[[:space:]]*1[[:space:]]*/!/' \
 >> /etc/ca-certificates.conf
 fi
- update-ca-certificates
- # Call c_rehash when upgrading from older versions to that we
- # have both the old and new style of symlink
- if [ ! -z "$2" ]; then
- if dpkg --compare-versions "$2" le 20090814+nmu3; then
- c_rehash
- fi
+ # fix bogus symlink to ca-certificates.crt on upgrades; see
+ # Debian #643667; drop after wheezy
+ if dpkg --compare-versions "$2" lt-nl 20110502+nmu2+643667; then
+ update-ca-certificates --fresh
+ else
+ update-ca-certificates
 fi
 ;;
 
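Review bot: The version bound in the new `dpkg --compare-versions "$2" lt-nl 20110502+nmu2+643667` test in debian/postinst is older than the 20111023 release shown in debian/changelog, so an upgrade from 20111023 takes the `else` branch and never gets `--fresh`, although the changelog entry promises it "on upgrades to this version". If installs of 20111023 can still carry symlinks pointing at ca-certificates.crt, the bound should be this release, `if dpkg --compare-versions "$2" lt-nl 20111024; then`; otherwise the comment should say why the older bound is enough. The dropped `[ ! -z "$2" ]` guard is covered only because `lt-nl` sorts an empty version after every real one, which deserves a line such as `# "$2" is empty on a fresh install; lt-nl treats that as newer, so no --fresh`. The enclosing case arm starts above the hunk.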
diff --git a/sbin/update-ca-certificates b/sbin/update-ca-certificates
index fc083d7..5375950 100755
--- a/sbin/update-ca-certificates
+++ b/sbin/update-ca-certificates
@@ -127,8 +127,7 @@ then
 done
 fi
 
-chmod 0644 "$TEMPBUNDLE"
-mv -f "$TEMPBUNDLE" "$CERTBUNDLE"
+rm -f "$CERTBUNDLE"
 
 ADDED_CNT=$(wc -l < "$ADDED")
 REMOVED_CNT=$(wc -l < "$REMOVED")
@@ -144,6 +143,9 @@ then
 fi
 fi
 
+chmod 0644 "$TEMPBUNDLE"
+mv -f "$TEMPBUNDLE" "$CERTBUNDLE"
+
 echo "$ADDED_CNT added, $REMOVED_CNT removed; done."
 
 HOOKSDIR=/etc/ca-certificates/update.d
-- 
2.39.2
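Review bot: Deleting the live bundle with `rm -f "$CERTBUNDLE"` in the first hunk and putting it back only at the `mv -f "$TEMPBUNDLE" "$CERTBUNDLE"` added in the second hunk gives up the atomic replace the old code had: if the script stops in between (a failing c_rehash, which per the changelog runs between the two hunks, or a signal), the system is left with no bundle until the next successful run. Clients that read the bundle then fail verification, which fails closed but can block package downloads and other TLS traffic, and the same gap opens briefly on every normal run. I would put a bundle back on the error path, for example an exit handler that installs `$TEMPBUNDLE` when `$CERTBUNDLE` is missing, and document the gap at the `rm` with `# bundle is absent from here until the mv after c_rehash; do not exit in between`. The changelog says the bundle is moved out of the way, while the code removes it. Both hunks are top-level script code that continues outside the diff, so an existing trap or `set -e` is not visible here.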