Bug #14510

closed

ca-certificates contains a non UTF-8 path

Added by Rich Lowe 8 months ago. Updated 6 months ago.

Status: Resolved
Priority: Normal
Assignee:
Category: OI-Userland
Target version:
Start date:
Due date:
% Done: 0%
Estimated time:
Difficulty: Medium
Tags:

Description

In the ca-certificates package, this is not a UTF-8 pathname. It should be mangled into one somehow:

./etc/certs/CA/NetLock_Arany_(Class_Gold)_Főtanúsítvány.pem

Anything that expects sensible path names only (such as tar(1)) can't deal with this.


Related issues

Related to OpenIndiana Distribution - Bug #11625: zoneadm install fails: UnicodeEncodeError: 'ascii' codec can't encode character '\u0151' in position 68: ordinal not in range(128) | Closed | OI PKG

Related to OpenIndiana Distribution - Bug #11898: Multiple errors for openindiana/slim_source on SPARC | New | OI Userland

Related to OpenIndiana Distribution - Feature #14540: pkglint verification of UTF-8 filenames | New | OI PKG

Related to OpenIndiana Distribution - Bug #14551: DST_Root_CA_X3.pem expired | Resolved | OI Userland | 2021-09-30 | 2022-03-03

#1

Updated by David Stes 7 months ago

  • Related to Bug #11625: zoneadm install fails: UnicodeEncodeError: 'ascii' codec can't encode character '\u0151' in position 68: ordinal not in range(128) added

#2

Updated by David Stes 7 months ago

  • Related to Bug #11898: Multiple errors for openindiana/slim_source on SPARC added

#3

Updated by David Stes 7 months ago

The certificates are built from a Mozilla source, the file certdata.txt from their NSS product, using a script from libcurl.

In the past, Michal Nowak solved this issue by mangling the UTF-8 filename into an ASCII filename (see bug #11625).

I have created a pull request to just delete/remove the certificate and filter it out (comment it out) from the manifest.

I'll also create a request for pkglint (which verifies the manifest) to warn on non-ASCII filenames, although it is reasonable to deliver UTF-8 filenames for some applications or packages.

Mozilla encourages 'filtering' the certificates as required anyway and has stated that certificates in certdata.txt are NOT necessarily to be trusted: https://blog.mozilla.org/security/2021/05/10/beware-of-applications-misusing-root-stores/

#4

Updated by David Stes 7 months ago

  • Related to Feature #14540: pkglint verification of UTF-8 filenames added

#5

Updated by David Stes 7 months ago

I think the subject line or title of this bug is "ca-certificates contains a non-ASCII path" because the problematic path is UTF-8.

The problematic path uses UTF-8 encoding and not LATIN-2 (which would also be possible for Hungarian script).

I think this is a valid UTF-8 path for the Hungarian script.

In the past, version 1.0-2020.0.1.7 of crypto/ca-certificates had a fix for this UTF-8 path and it was fixed to an ASCII path:


etc/certs/CA/NetLock_Arany_(Class_Gold)_Fotanusitvany.pem

Note that the double acute on the small Latin letter o is not there.

Unfortunately this fix by Michal Nowak was lost during upgrade of the ca-certificates package and versions crypto/ca-certificates 3.71-2020.0.1.0, 3.71-2020.0.1.1 and 3.74-2022.0.0.0 had the UTF-8 path again.

To my knowledge, the TAR command has no problem with this UTF-8 path because a simple test to create and extract a TAR archive from /etc/certs/CA works for me with the UTF-8 path in it.

However, there were other issues with this particular certificate reported in the related bugs #11625 and #11898.

For example in #11625 it was reported that zoneadm install failed.

And for example in #11898 it was reported that the UTF-8 paths caused issues for building openindiana/slim_source.

In version 3.75-2022.0.0.0 it is fixed again.

My proposal to remove the certificate was rejected, but the following rename was accepted:

etc/certs/CA/NetLock_Arany_(Class_Gold)_Ftanstvny.pem

This is a 7-bit ASCII path built from the UTF-8 path by removing non-ASCII characters.

So this bug in ca-certificates is fixed again in 3.75 - reverts back to the old behavior from version 1.0-2020.0.1.7.
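
The following is an added example, not part of the thread and not the ca-certificates build script. It separates the two questions raised above (is a path valid UTF-8, and is it plain ASCII) and reproduces both ASCII names quoted in comment #5. The sample manifest, the function names and the `Example_Root_CA.pem` entry are assumptions made for illustration.

```python
import unicodedata

# The file name from this bug, written with escapes so the accented letters
# are unambiguous: o-double-acute, u-acute, i-acute, a-acute.
NAME = "etc/certs/CA/NetLock_Arany_(Class_Gold)_F\u0151tan\u00fas\u00edtv\u00e1ny.pem"

# Constructed sample manifest: paths as raw bytes, as a packaging tool sees them.
SAMPLE = [
    NAME.encode("utf-8"),                   # the path as delivered (valid UTF-8)
    NAME.encode("iso8859_2"),               # same name in LATIN-2 (constructed)
    b"etc/certs/CA/Example_Root_CA.pem",    # hypothetical plain ASCII entry
]


def classify(raw: bytes) -> str:
    """Return 'ascii', 'utf-8' or 'not-utf-8' for a path given as bytes."""
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return "not-utf-8"
    return "ascii" if text.isascii() else "utf-8"


def transliterate(name: str) -> str:
    """Split accented letters into base letter + mark, then drop the marks."""
    decomposed = unicodedata.normalize("NFKD", name)
    base = "".join(c for c in decomposed if not unicodedata.combining(c))
    return base.encode("ascii", "ignore").decode("ascii")


def strip_non_ascii(name: str) -> str:
    """Delete every character outside 7-bit ASCII."""
    return name.encode("ascii", "ignore").decode("ascii")


def audit(paths):
    """Return (raw path, kind, suggested ASCII name) for non-ASCII entries."""
    findings = []
    for raw in paths:
        kind = classify(raw)
        if kind != "ascii":
            fixed = transliterate(raw.decode("utf-8")) if kind == "utf-8" else None
            findings.append((raw, kind, fixed))
    return findings


if __name__ == "__main__":
    for raw, kind, fixed in audit(SAMPLE):
        print(kind, raw, "->", fixed)
```

`transliterate` yields the `Fotanusitvany` form and `strip_non_ascii` yields the `Ftanstvny` form; the LATIN-2 bytes are the only entry reported as `not-utf-8`.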

#6

Updated by David Stes 7 months ago

  • Related to Bug #14551: DST_Root_CA_X3.pem expired added

#7

Updated by Andreas Wacknitz 6 months ago

  • Status changed from New to Resolved