Bug 437964 - dev-cvs/mercurial-9999 - certificates issue
Summary: dev-cvs/mercurial-9999 - certificates issue
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Default Configs
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard:
Keywords:
Depends on: 429470
Blocks:
Reported: 2012-10-11 11:57 UTC by nevermind
Modified: 2014-06-22 17:16 UTC

See Also:
Package list:
Runtime testing required: ---


Description nevermind 2012-10-11 11:57:24 UTC
Using the live mercurial (BitBucket) ebuild I'm getting this:

warning: bitbucket.org certificate with fingerprint 24:9c:45:8b:9c:aa:ba:55:4e:01:6d:58:ff:e4:28:7d:2a:14:ae:3b not verified (check hostfingerprints or web.cacerts config setting)
warning: bitbucket.org certificate with fingerprint 24:9c:45:8b:9c:aa:ba:55:4e:01:6d:58:ff:e4:28:7d:2a:14:ae:3b not verified (check hostfingerprints or web.cacerts config setting)
warning: bitbucket.org certificate with fingerprint 24:9c:45:8b:9c:aa:ba:55:4e:01:6d:58:ff:e4:28:7d:2a:14:ae:3b not verified (check hostfingerprints or web.cacerts config setting)
warning: bitbucket.org certificate with fingerprint 24:9c:45:8b:9c:aa:ba:55:4e:01:6d:58:ff:e4:28:7d:2a:14:ae:3b not verified (check hostfingerprints or web.cacerts config setting)
warning: bitbucket.org certificate with fingerprint 24:9c:45:8b:9c:aa:ba:55:4e:01:6d:58:ff:e4:28:7d:2a:14:ae:3b not verified (check hostfingerprints or web.cacerts config setting)

That should be solvable by adding certificates to ~/.hgrc, but portage is not a simple user...

What we have discussed so far:

<zmedico> nCdy: you could try copying the files into the temporary $HOME inside a /etc/portage/bashrc hook, like pre_pkg_setup

<ryao> nCdy: This is bitbucket. I am sure that we have plenty of live ebuilds in the tree that fetch from it. If you are having this issue, then those ebuilds have this issue. It is a security vulnerability.
<ryao> In fact, we probably shouldn't permit the fetch to function unless a chain of trust is established.

<nCdy> ryao: these certificates are here: /etc/ssl/certs/ca-certificates.crt; the only thing I need (looks like) is to just point /etc/mercurial/hgrc to it

Please move this ebuild in correct section if this one is wrong.
Comment 1 Dirkjan Ochtman (RETIRED) gentoo-dev 2012-10-11 12:15:28 UTC

*** This bug has been marked as a duplicate of bug 429470 ***
Comment 2 Dirkjan Ochtman (RETIRED) gentoo-dev 2012-10-11 12:16:21 UTC
Ah, sorry, didn't see that this was a security bug.
Comment 3 Nikolaj Šujskij 2013-04-03 18:08:32 UTC
We could install `/etc/mercurial/hgrc.d/cacerts.rc`:

[web]
cacerts = /etc/ssl/certs/ca-certificates.crt

This makes Mercurial use system certificates.
Comment 4 Christoph Junghans (RETIRED) gentoo-dev 2014-03-25 21:51:44 UTC
Strange, mercurial.eclass (source of src_unpack) uses:
[[ -f ${EPREFIX}/etc/ssl/certs/ca-certificates.crt ]] && cert_opt=( --config "web.cacerts=${EPREFIX}/etc/ssl/certs/ca-certificates.crt" )
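The eclass line quoted above only adds web.cacerts when the bundle happens to exist; if it does not, the fetch still runs and Mercurial merely prints the "not verified" warning seen in the description. The following is an added example (not code from mercurial.eclass or from the mercurial package) that mirrors the eclass check but fails closed, writes the system-wide hgrc.d snippet from Comment 3, and audits an existing hgrc for a usable web.cacerts value. Function names (hg_cacerts_opt, write_hgrc_d, hgrc_cacerts, hg_verified_config) are hypothetical; it assumes the bundle path used by the eclass and by Comment 3, ${EPREFIX}/etc/ssl/certs/ca-certificates.crt.

```shell
# Added example: fail-closed variant of the CA bundle check, plus helpers for
# the hgrc.d snippet. Not Gentoo's eclass code; function names are hypothetical.
# Assumption: bundle lives at $EPREFIX/etc/ssl/certs/ca-certificates.crt.

CA_BUNDLE_REL="etc/ssl/certs/ca-certificates.crt"

# hg_cacerts_opt EPREFIX
# Prints the --config argument to pass to hg. Unlike the eclass, returns 1
# (so a caller can die) when the bundle is missing or empty, instead of
# letting the fetch proceed with only a warning.
hg_cacerts_opt() {
    bundle="${1%/}/$CA_BUNDLE_REL"
    if [ -s "$bundle" ]; then
        printf '%s\n' "--config web.cacerts=$bundle"
        return 0
    fi
    printf 'refusing https fetch: no CA bundle at %s\n' "$bundle" >&2
    return 1
}

# write_hgrc_d OUTFILE EPREFIX
# Writes the system-wide snippet proposed in Comment 3 so that hg invoked
# outside the ebuild (a developer shell, a cron job) verifies too.
write_hgrc_d() {
    printf '[web]\ncacerts = %s\n' "${2%/}/$CA_BUNDLE_REL" > "$1"
}

# hgrc_cacerts FILE
# Prints the value of cacerts from the [web] section of an hgrc-style file;
# returns 1 if the key is absent. Keys outside [web] are ignored.
hgrc_cacerts() {
    awk '
        /^[ \t]*\[/ { insec = ($0 ~ /^[ \t]*\[web\][ \t]*$/); next }
        insec && /^[ \t]*cacerts[ \t]*=/ {
            sub(/^[ \t]*cacerts[ \t]*=[ \t]*/, "")
            print; found = 1; exit
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# hg_verified_config FILE
# Succeeds only if FILE points web.cacerts at a readable, non-empty bundle;
# a dangling path would leave hg back at "not verified".
hg_verified_config() {
    val=$(hgrc_cacerts "$1") || return 1
    [ -s "$val" ]
}
```

Pointing web.cacerts at the distribution bundle is the durable fix; the hostfingerprints alternative named in the warning pins one leaf certificate and silently breaks (or, worse, gets re-pinned without scrutiny) every time bitbucket.org rotates its key. An ebuild that has no bundle to verify against should stop, as ryao suggests, rather than fetch anyway.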
Comment 5 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-06-22 17:16:29 UTC
This issue is resolved at this point through changes to both the mercurial eclass and the default .hgrc in the mercurial package itself. Not a GLSA issue.