Bug 381169 - <app-misc/ca-certificates-20110502-r1: Remove DigiNotar Root CA
Summary: <app-misc/ca-certificates-20110502-r1: Remove DigiNotar Root CA
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://bugs.debian.org/cgi-bin/bugrep...
Whiteboard: A4 [glsa]
Reported: 2011-08-30 13:38 UTC by Alex Legler (RETIRED)
Modified: 2014-12-12 00:38 UTC (History)
Attachments
Adds -r1 version with nmu1 update (ca-certificates-diginotar.patch,4.83 KB, patch)
2011-08-31 21:24 UTC, Ole Henrik Jahren

Description Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2011-08-30 13:38:54 UTC
DigiNotar recently issued a fraudulent certificate [1] for *.google.com [2]

There's a request in the Debian Bug tracker ($URL) to remove the CA from ca-certificates. I'm filing this bug to track the issue until they have decided about the request.

[1] http://pastebin.com/ff7Yg663
[2] http://www.h-online.com/open/news/item/Fraudulent-certificate-triggers-blocking-from-software-companies-1333088.html
Comment 1 SpanKY gentoo-dev 2011-08-30 14:43:25 UTC
i think the phrasing is off slightly, but critically.  diginotar's own website indicates that they didnt issue it but rather were the subject of an attack on their systems.

http://www.vasco.com/company/press_room/news_archive/2011/news_diginotar_reports_security_incident.aspx

also, punting their root cert would probably break many official Dutch gov't websites.  sounds like a crappy situation.
Comment 2 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2011-08-30 15:27:18 UTC
(In reply to comment #1)
> 
> also, punting their root cert would probably break many official Dutch gov't
> websites.  sounds like a crappy situation.

Mozilla has announced to remove it from upcoming releases:
http://blog.mozilla.com/security/2011/08/29/fraudulent-google-com-certificate/
Comment 3 SpanKY gentoo-dev 2011-08-30 20:05:07 UTC
my point was that the wording could have an impact on the decision.

bad signing authority not checking credentials -> punt its certs (e.g. comodo)

system that got hacked -> revoke hacked certs

of course, if upstream Debian ca-certificates decides to drop it, that's fine by me as it's one less thing to deal with
Comment 4 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2011-08-31 10:59:46 UTC
(In reply to comment #3)
> of course, if upstream Debian ca-certificates decides to drop it, that's fine
> by me as it's one less thing to deal with

ca-certificates-20110502+nmu1 was released:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=639744#58
Comment 5 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2011-08-31 17:30:03 UTC
20110502 is in, but please double check if it's the nmu or not, I don't see the nmu on the mirrors that I looked at.
Comment 6 Ole Henrik Jahren 2011-08-31 21:22:24 UTC
The 20110502 currently in tree is not the nmu1 version, and it does install
the DigiNotar certificate as trusted. I found the nmu1 version at [1]. Simply
adding '+nmu1' after ${PV} in SRC_URI installs the nmu1 version with
DigiNotar blacklisted for me.

[1] http://packages.debian.org/sid/ca-certificates
Comment 7 Ole Henrik Jahren 2011-08-31 21:24:19 UTC
Created attachment 285201 [details, diff]
Adds -r1 version with nmu1 update
Comment 8 SpanKY gentoo-dev 2011-08-31 21:37:26 UTC
Comment on attachment 285201 [details, diff]
Adds -r1 version with nmu1 update

dont do this.  while we want to see patches, we actually want the diff showing the exact change made, not a file-in-disguise-as-a-patch.

i.e.:

--- ca-certificates-20110502.ebuild
+++ ca-certificates-20110502.ebuild
@@ -6,7 +6,7 @@
 
 DESCRIPTION="Common CA Certificates PEM files"
 HOMEPAGE="http://packages.debian.org/sid/ca-certificates"
-SRC_URI="mirror://debian/pool/main/c/${PN}/${PN}_${PV}_all.deb"
+SRC_URI="mirror://debian/pool/main/c/${PN}/${PN}_${PV}+nmu1_all.deb"
 
 LICENSE="MPL-1.1"
 SLOT="0"
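Review bot: The hunk changes SRC_URI inside the existing ca-certificates-20110502.ebuild rather than in a new -r1 revision, so systems that already have 20110502 installed would not re-emerge and would keep the DigiNotar root trusted; since the attachment this illustrates is titled "Adds -r1 version", the same one-line SRC_URI change belongs in ca-certificates-20110502-r1.ebuild, and the Manifest needs regenerating for the new distfile name ${PN}_${PV}+nmu1_all.deb. Hard-coding "+nmu1" next to ${PV} also means the next version bump has to remember to drop it again.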
Comment 9 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2011-09-01 04:42:18 UTC
new version in the tree now. Ready for stable + GLSA.
Comment 10 Tim Sammut (RETIRED) gentoo-dev 2011-09-01 05:02:43 UTC
Arches, please test and mark stable:
=app-misc/ca-certificates-20110502-r1
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Comment 11 Agostino Sarubbo gentoo-dev 2011-09-01 10:59:01 UTC
Not a blocker, but is a bit to open a new bug. Please fix:

dependency.unknown :
app-misc/ca-certificates/ca-certificates-20110502-r1.ebuild: DEPEND: sys-apps/mktemp
   app-misc/ca-certificates/ca-certificates-20110502-r1.ebuild: RDEPEND: sys-apps/mktemp

there isn't mktemp in tree.

amd64 ok
Comment 12 SpanKY gentoo-dev 2011-09-01 13:43:54 UTC
not a bug
Comment 13 Tobias Klausmann gentoo-dev 2011-09-01 13:58:13 UTC
Stable on alpha.
Comment 14 Agostino Sarubbo gentoo-dev 2011-09-01 14:00:18 UTC
Confirmed also for x86.
Comment 15 Tony Vroon gentoo-dev 2011-09-01 14:13:53 UTC
+  01 Sep 2011; Tony Vroon <chainsaw@gentoo.org>
+  ca-certificates-20110502-r1.ebuild:
+  Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo in
+  security bug #381169 filed by Alex "a3li" Legler.
Comment 16 edoceo 2011-09-02 17:43:38 UTC
This ebuild warned me about using UTF-8 (which I already do!) which I thought was odd.  It also points users to this localization guide:

  http://www.gentoo.org/doc/en/guide-localization.xml

But that guide is well outdated - referencing files that no longer exist after the updated baselayout+openrc
Comment 17 zolar czakl 2011-09-02 18:01:21 UTC
The stable version of dev-libs/nss shares the same security problem (so xulrunner...).

mozilla/security/nss/lib/ckfw/builtins/certdata.txt
mozilla/security/nss/lib/ckfw/builtins/certdata.c
Comment 18 SpanKY gentoo-dev 2011-09-02 19:00:15 UTC
(In reply to comment #16)

no idea what you're talking about.  this ebuild has nothing to do with charset encodings or localization.
Comment 19 Jeroen Roovers (RETIRED) gentoo-dev 2011-09-03 05:51:55 UTC
Stable for HPPA.
Comment 20 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-09-03 08:54:31 UTC
(In reply to comment #18)
> (In reply to comment #16)
> 
> no idea what you're talking about.  this ebuild has nothing to do with charset
> encodings or localization.

I think he meant that:

 * This package installs one or more file names containing characters that
 * do not match your current locale settings. The current setting for
 * filesystem encoding is 'ANSI_X3.4-1968'.
 * 
 *      usr/share/ca-certificates/mozilla/AC_Raíz_Certicámara_S.A..crt
 *      usr/share/ca-certificates/mozilla/EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.crt
 *      usr/share/ca-certificates/mozilla/NetLock_Arany_=Class_Gold=_Főtanúsítvány.crt
 *      usr/share/ca-certificates/mozilla/TÜBİTAK_UEKAE_Kök_Sertifika_Hizmet_Sağlayıcısı_-_Sürüm_3.crt

ppc/ppc64 stable
Comment 21 Raúl Porcel (RETIRED) gentoo-dev 2011-09-03 13:15:27 UTC
arm/ia64/m68k/s390/sh/sparc/x86 stable
Comment 22 Tim Sammut (RETIRED) gentoo-dev 2011-09-04 00:28:39 UTC
Thanks, everyone. GLSA Vote: no.
Comment 23 Faustus 2011-09-04 04:01:03 UTC
Probably not a bug, but:

/usr/share/ca-certificates/mozilla/IGC_A.crt
  and
/usr/share/ca-certificates/gouv.fr/cert_igca_rsa.crt

are identical, update-ca-certificates issues a warning.
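A small audit of a ca-certificates tree that covers both points raised in this thread: checking that a distrusted root (comment 6's DigiNotar blacklisting) is really gone, and spotting the same certificate shipped under two file names (the IGC_A.crt / cert_igca_rsa.crt pair above). This is an added example, not code from the Gentoo or Debian package; the sample "certificates" and the fingerprint blacklist are constructed stand-ins, and the PLACEHOLDER file name is not the real DigiNotar file.

```python
import base64
import hashlib
import re
from collections import defaultdict

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_to_der(pem_text):
    """Decode every CERTIFICATE block in a PEM file into DER bytes."""
    return [base64.b64decode("".join(b.split())) for b in PEM_RE.findall(pem_text)]

def fingerprint(der):
    """SHA-256 over the DER bytes: the value a removal blacklist should pin."""
    return hashlib.sha256(der).hexdigest().upper()

def audit_store(files, blacklist):
    """files: relative path -> PEM text; blacklist: set of fingerprints that must be gone.
    Returns (hits, duplicates): blacklisted certs still present as (path, fp) pairs, and
    fingerprint -> paths for every cert shipped under more than one file name."""
    seen = defaultdict(list)
    hits = []
    for path in sorted(files):
        for der in pem_to_der(files[path]):
            fp = fingerprint(der)
            seen[fp].append(path)
            if fp in blacklist:
                hits.append((path, fp))
    return hits, {fp: paths for fp, paths in seen.items() if len(paths) > 1}

def make_pem(der):
    """Wrap raw bytes as a PEM block; only used to build the constructed sample below."""
    b64 = base64.b64encode(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "\n-----END CERTIFICATE-----\n"

# Constructed sample store: these bytes are stand-ins, not real certificates.
SAME_ROOT = b"constructed-root-shipped-under-two-names"
DISTRUSTED = b"constructed-root-that-must-be-removed"
SAMPLE_FILES = {
    "mozilla/IGC_A.crt": make_pem(SAME_ROOT),
    "gouv.fr/cert_igca_rsa.crt": make_pem(SAME_ROOT),  # identical cert, as in comment 23
    "mozilla/PLACEHOLDER_Distrusted_Root.crt": make_pem(DISTRUSTED),  # stand-in for the DigiNotar root
}
SAMPLE_BLACKLIST = {fingerprint(DISTRUSTED)}
```

On a real system, build the `files` mapping by reading every .crt under /usr/share/ca-certificates and fill the blacklist with the SHA-256 fingerprints of the roots you expect the update to have dropped; an empty `hits` list confirms the removal took effect.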
Comment 24 SpanKY gentoo-dev 2011-09-07 03:54:21 UTC
(In reply to comment #22)

really ??

(In reply to comment #23)

new issue -> new bug
Comment 25 Stefan Behte (RETIRED) gentoo-dev Security 2011-10-08 21:11:07 UTC
Added to pending GLSA request.
Comment 26 GLSAMaker/CVETool Bot gentoo-dev 2014-12-12 00:38:34 UTC
This issue was resolved and addressed in
 GLSA 201412-09 at http://security.gentoo.org/glsa/glsa-201412-09.xml
by GLSA coordinator Sean Amoss (ackle).