Bug #14510
closed
ca-certificates contains a non UTF-8 path
Description
In the ca-certificates package, this is not a UTF-8 pathname. It should be mangled into one somehow:
./etc/certs/CA/NetLock_Arany_(Class_Gold)_Főtanúsítvány.pem
Anything that expects sensible path names only (such as tar(1)) can't deal with this.
Related issues
Updated by David Stes almost 2 years ago
- Related to Bug #11625: zoneadm install fails: UnicodeEncodeError: 'ascii' codec can't encode character '\u0151' in position 68: ordinal not in range(128) added
Updated by David Stes almost 2 years ago
- Related to Bug #11898: Multiple errors for openindiana/slim_source on SPARC added
Updated by David Stes almost 2 years ago
The certificates are built from a Mozilla source, the file certdata.txt from their NSS product, using a script from libcurl.
In the past, Michael Nowak solved this issue by mangling the UTF-8 filename into an ASCII filename (see bug #11625).
I have created a pull request to just delete/remove the certificate and filter it out (comment it out) from the manifest.
I'll also create a request for pkglint (which verifies the manifest) to warn on non-ASCII filenames, although it is reasonable to deliver UTF-8 filenames for some applications or packages.
Mozilla encourages 'filtering' the certificates as required anyway and has stated that certificates in certdata.txt are NOT necessarily to be trusted: https://blog.mozilla.org/security/2021/05/10/beware-of-applications-misusing-root-stores/
Updated by David Stes almost 2 years ago
- Related to Feature #14540: pkglint verification of UTF-8 filenames added
Updated by David Stes almost 2 years ago
I think the subject line or title of this bug is "ca-certificates contains a non-ASCII path" because the problematic path is UTF-8.
The problematic path uses UTF-8 encoding and not LATIN-2 (which would also be possible for Hungarian script).
I think this is a valid UTF-8 path for the Hungarian script.
In the past, version 1.0-2020.0.1.7 of crypto/ca-certificates had a fix for this UTF-8 path and it was fixed to an ASCII path:
etc/certs/CA/NetLock_Arany_(Class_Gold)_Fotanusitvany.pem
Note that the double acute on the small latin o letter is not there.
Unfortunately this fix by Michal Nowak was lost during upgrade of the ca-certificates package and versions crypto/ca-certificates 3.71-2020.0.1.0, 3.71-2020.0.1.1 and 3.74-2022.0.0.0 had the UTF-8 path again.
To my knowledge, the TAR command has no problem with this UTF-8 path because a simple test to create and extract a TAR archive from /etc/certs/CA works for me with the UTF-8 path in it.
However, there were other issues with this particular certificate reported in the related bugs #11625 and #11898.
For example in #11625 it was reported that zoneadm install failed.
And for example in #11898 it was reported that the UTF8 paths caused issues for building openindiana/slim_source.
In version 3.75-2022.0.0.0 it is fixed again.
My proposal to remove the certificate was rejected, but the following rename was accepted:
etc/certs/CA/NetLock_Arany_(Class_Gold)_Ftanstvny.pem
This is a 7-bit ASCII path built from the UTF-8 path by removing non-ASCII characters.
So this bug in ca-certificates is fixed again in 3.75 - reverts back to the old behavior from version 1.0-2020.0.1.7.
Updated by David Stes over 1 year ago
- Related to Bug #14551: DST_Root_CA_X3.pem expired added
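The two ASCII renames quoted in this thread (`Fotanusitvany` and `Ftanstvny`) can be reproduced and checked for name collisions as follows. This is an added example, not code from the ca-certificates build or from pkglint; the function names and every sample path except the NetLock one are assumptions constructed for illustration.

```python
import unicodedata

# The first path is the one from this bug (escapes keep the source ASCII-only);
# the other three are constructed for illustration.
SAMPLE_PATHS = [
    "etc/certs/CA/NetLock_Arany_(Class_Gold)_F\u0151tan\u00fas\u00edtv\u00e1ny.pem",
    "etc/certs/CA/DST_Root_CA_X3.pem",
    "etc/certs/CA/Example_Tan\u00fas\u00edtv\u00e1ny.pem",
    "etc/certs/CA/Example_Tanusitvany.pem",
]


def non_ascii_chars(path):
    """Return (index, char) for every character outside 7-bit ASCII."""
    return [(i, ch) for i, ch in enumerate(path) if ord(ch) > 0x7F]


def strip_non_ascii(path):
    """Drop every non-ASCII character (yields ..._Ftanstvny.pem)."""
    return "".join(ch for ch in path if ord(ch) <= 0x7F)


def transliterate(path):
    """NFKD-decompose accented letters, then drop the combining marks
    and anything else that is still non-ASCII (yields ..._Fotanusitvany.pem)."""
    decomposed = unicodedata.normalize("NFKD", path)
    return decomposed.encode("ascii", "ignore").decode("ascii")


def audit(paths, mangle):
    """Return (renames, collisions): paths that change under `mangle`, and
    ASCII names that more than one original path maps to."""
    renames, targets = {}, {}
    for path in paths:
        new = mangle(path)
        targets.setdefault(new, []).append(path)
        if new != path:
            renames[path] = new
    collisions = {n: src for n, src in targets.items() if len(src) > 1}
    return renames, collisions


if __name__ == "__main__":
    for label, mangle in (("strip", strip_non_ascii), ("translit", transliterate)):
        renames, collisions = audit(SAMPLE_PATHS, mangle)
        for old, new in renames.items():
            print(f"{label}: {old!r} -> {new}")
        for name, sources in collisions.items():
            print(f"{label}: COLLISION on {name}: {sources!r}")
```

The collision report matters for a trust store: if two certificate files map to the same ASCII name, one silently replaces the other in the delivered package.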