
Bug 174759

Summary: ssl-cert.eclass docert function usage in src_install can expose SSL keys (CVE-2008-1383)
Product: Gentoo Security
Reporter: Robin Johnson <robbat2>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: enhancement
CC: agriffis, mgorny, ulm
Priority: High
Keywords: Tracker
Version: unspecified
Hardware: All
OS: Linux
URL: http://thread.gmane.org/gmane.linux.gentoo.devel/51339
Whiteboard: A3 [glsa] rbu
Package list:
Runtime testing required: ---
Bug Depends on: 201671, 201672, 201673, 201675, 201677, 201678, 201682, 201684, 201686, 201687, 201689, 201690, 201691, 201896, 201897
Bug Blocks: 197881
Attachments:
  Proposed patch for docert() (flags: none)

Description Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2007-04-16 08:27:28 UTC
In the ssl-cert.eclass, the docert function generates an SSL key, along with an SSL certificate.

If the docert function is used inside src_compile or src_install (see openldap-2.3.3[45]* for example), the SSL key is then included inside the binpkg, where it is NOT protected - anybody with access to the system can extract the tarball to recover the key.

Additionally, if the binpkg is used on multiple machines, they will be configured with the same SSL key and cert, and this may prevent correct functioning of some SSL applications.
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-04-16 08:46:59 UTC
vapier/agriffis please advise.
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-05-02 11:17:05 UTC
vapier/agriffis please advise.
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-05-20 07:22:28 UTC
vapier/agriffis please advise.
Comment 4 SpanKY gentoo-dev 2007-05-20 09:05:29 UTC
Robin's analysis of the situation is correct ... this is the same reason we stopped managing things like /etc/shadow in baselayout's src_install function ...

docert() should be rewritten to only allow it to be run inside of pkg_preinst()

I've never touched that eclass before, so ...
Comment 5 SpanKY gentoo-dev 2007-07-23 01:01:53 UTC
I'd say with the recent changes portage has seen, this should be fixed now
Comment 6 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2007-07-24 07:49:33 UTC
spanky: could you clarify which changes you are talking about?
Comment 7 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-08-21 14:32:13 UTC
someone just posted on this issue on the -dev mailing-list, maybe we should make it public now. Any opinions?
Comment 8 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2007-08-21 20:33:22 UTC
As the original reporter, I say open it, so that we can get some traction in getting it fixed all over the tree.

The only things needing nuking are public tinderboxes.
Comment 9 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-08-21 20:42:11 UTC
Opening.
Comment 10 SpanKY gentoo-dev 2007-08-21 23:04:36 UTC
sorry, I was thinking in terms of "binpkgs being world readable" and "portage doesn't consume /etc by default with quickpkg and friends" ... but the use case here doesn't fully apply (packages generating unique keys on each host), so the proposed route of pkg_postinst() is the only one I think

easy enough to add to the top of the docert() function:
case ${EBUILD_PHASE} in
    unpack|compile|test|install)  die "BOO";;
esac
Comment 11 Ulrich Müller gentoo-dev 2007-11-03 11:05:42 UTC
"docert" doesn't work inside pkg_postinst at the moment, probably related to bug #197942.
Comment 12 Ulrich Müller gentoo-dev 2007-12-01 23:50:08 UTC
Created attachment 137516 [details, diff]
Proposed patch for docert()

- Check for ebuild phase as suggested in comment #10
- Install relative to ${ROOT} instead of ${D}${INSDESTTREE}
- Arguments must be a full path now

Maybe the function should also be renamed, since it's no longer similar to other do* functions?
Comment 13 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2007-12-01 23:58:35 UTC
Patch looks good to me.
Comment 14 Ulrich Müller gentoo-dev 2007-12-02 00:19:25 UTC
The following packages will have to be changed then. They either call docert in src_install and suffer from the security issue of this bug, or they call it in pkg_postinst where it doesn't work at all (that is bug #197942).

src_install usage:
  app-admin/conserver
  mail-mta/postfix
  net-analyzer/sguil-server
  net-firewall/nufw
  net-ftp/netkit-ftpd
  net-im/ejabberd
  net-irc/ptlink-ircd
  net-irc/unrealircd
  net-mail/cyrus-imapd
  net-mail/dovecot
  net-misc/stunnel
  net-nntp/inn

pkg_postinst usage:
  net-mail/cyrus-imspd
  net-nds/openldap
  www-servers/nginx
Comment 15 Robert Buchholz (RETIRED) gentoo-dev 2007-12-04 01:02:21 UTC
Ulrich, how do you propose we proceed now? The commit can only be done if all ebuilds (stable and unstable) are fixed for this?

Just open bugs and bug maintainers? Or would it be advisable to announce this migration and change the ebuilds by ourselves?
Comment 16 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2007-12-04 01:13:37 UTC
unless I'm mistaken, the ones in pkg_postinst should just start to work after applying this patch? And all the ebuilds should be converted to use the functions in either postinst or config phases?

One patch review comment, in the loop commented with "# Check for previous existence of generated files", we should probably check all 4 file suffixes (.csr is not checked).
Comment 17 Ulrich Müller gentoo-dev 2007-12-04 07:12:33 UTC
(In reply to comment #15)
> Ulrich, how do you propose we proceed now? The commit can only be done if all
> ebuilds (stable and unstable) are fixed for this?

If we rename the function ("install_cert"?) we could add the new one, fix all ebuilds and finally replace docert by a dummy (or remove it completely).

> Just open bugs and bug maintainers?

I would say yes.

(In reply to comment #16)
> unless I'm mistaken, the ones in pkg_postinst should just start to work after
> applying this patch?

Unfortunately they must be changed, too, since they rely on INSDESTTREE.

> we should probably check all 4 file suffixes (.csr is not checked).

It did not check for .csr before. I don't see a reason why it shouldn't, though.
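As an added example that is not the eclass patch from attachment 137516 and not code written by any of the commenters, the sketch below puts together what comments 10, 12 and 16 ask for: a phase guard that refuses to run in any src_* phase (so nothing ever lands in ${D} and therefore in the binpkg), installation relative to ${ROOT} on the target host instead of ${D}${INSDESTTREE}, a full-path argument, and an existence check over all four suffixes (.key, .csr, .crt, .pem) so a host's existing key is never overwritten. The function name install_cert follows comment 17; the die stand-in, the openssl command lines, the SSL_CN variable and the 0400 permission choice are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not ssl-cert.eclass code. Mimics an install_cert() that
# is only allowed to run at merge time and writes under ${ROOT}.

# Stand-in for the ebuild helper 'die': a real ebuild aborts the merge,
# here it reports on stderr and returns non-zero so callers can react.
die() { printf 'die: %s\n' "$*" >&2; return 1; }

# Phase guard from comment 10, extended to every src_* phase. Output of
# these phases goes to ${D} and ends up in the binpkg, which is exactly
# the key exposure this bug is about.
check_phase() {
    case "${EBUILD_PHASE}" in
        setup|unpack|prepare|configure|compile|test|install)
            die "install_cert() must not be called in src_${EBUILD_PHASE}"
            return 1 ;;
    esac
    return 0
}

# Returns 0 if any of the four generated files already exists under
# ${ROOT} (comment 16: check .csr too, not only .key/.crt/.pem).
cert_exists() {
    base="$1"
    for suffix in key csr crt pem; do
        [ -e "${ROOT%/}${base}.${suffix}" ] && return 0
    done
    return 1
}

# install_cert /full/path/basename
# Generates key, CSR, self-signed cert and combined PEM under ${ROOT},
# never under ${D}. The key and PEM are created with umask 077 and
# then locked to 0400 (assumed policy; adjust to the service's needs).
install_cert() {
    check_phase || return 1
    base="$1"
    case "$base" in
        /*) ;;
        *) die "argument must be a full path: $base"; return 1 ;;
    esac
    if cert_exists "$base"; then
        printf 'keeping existing %s.{key,csr,crt,pem}\n' "${ROOT%/}${base}"
        return 0
    fi
    key="${ROOT%/}${base}.key"
    csr="${ROOT%/}${base}.csr"
    crt="${ROOT%/}${base}.crt"
    pem="${ROOT%/}${base}.pem"
    mkdir -p "$(dirname "$key")" || return 1
    # Assumed openssl invocations: RSA key, CSR, self-signed cert, PEM.
    ( umask 077
      openssl genrsa -out "$key" 2048 &&
      openssl req -new -key "$key" -subj "/CN=${SSL_CN:-localhost}" -out "$csr" &&
      openssl x509 -req -days 365 -in "$csr" -signkey "$key" -out "$crt" &&
      cat "$key" "$crt" > "$pem"
    ) >/dev/null 2>&1 || { die "certificate generation failed for $base"; return 1; }
    chmod 0400 "$key" "$pem" || return 1
    return 0
}
```

Note that the guard keys off EBUILD_PHASE rather than off which directory the caller passed: a function that silently redirects to ${ROOT} when called from src_install would still run during the build, not on the host that needs a unique key, so failing loudly is the safer behaviour.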
Comment 18 Ulrich Müller gentoo-dev 2007-12-07 22:58:26 UTC
Updated ssl-cert.eclass committed. Function "docert" has been copied to a new function "install_cert", modified according to comment #12.

Adding package maintainers to CC, please fix your packages mentioned in comment #14 to use "install_cert" in pkg_postinst or pkg_config. Since it is a security issue, and we also want to get rid of the duplicate code in the eclass, I will fix any remaining packages after 14 days.

"docert" will then be replaced by a dummy function that forcibly fails.
Comment 19 Ulrich Müller gentoo-dev 2007-12-08 10:42:50 UTC
net-misc/stunnel fixed, bug #197881.
Comment 20 Ulrich Müller gentoo-dev 2007-12-08 11:17:38 UTC
app-admin/conserver fixed (and bumped to 8.1.16) since it's maintainer-needed.
Comment 21 Robert Buchholz (RETIRED) gentoo-dev 2007-12-08 14:35:19 UTC
Creating separate bugs.
Comment 22 Konstantin Arkhipov (RETIRED) gentoo-dev 2007-12-09 14:28:58 UTC
www-servers/nginx fixed.
Comment 23 Ulrich Müller gentoo-dev 2008-03-14 13:33:17 UTC
All packages on all supported arches are done.

Only mail-mta/postfix keywording on mips and stabilisation on arm/s390/sh (bug 201671) are still missing. After that, we can replace the docert function in the eclass by a dummy.
Comment 24 Robert Buchholz (RETIRED) gentoo-dev 2008-03-20 01:22:34 UTC
This was sent as GLSA 200803-30.

I'll leave this bug open until all packages are fixed and the eclass corrected.
Comment 25 Ulrich Müller gentoo-dev 2008-04-14 06:44:24 UTC
Eclass corrected: "docert" replaced by a dummy function.
All ebuilds that were affected by this issue have been removed from the tree.