[Pkg-openssl-devel] Bug#934921: openssl: Wrong regular expression in /usr/bin/c_rehash
Marcus C. Gottwald
mcg at cheers.de
Sun Mar 14 16:58:27 GMT 2021
Andreas Gryphius wrote (Fri 2019-Aug-16 18:22:00 +0200):
> the Perl script /usr/bin/c_rehash contains a line (#123)
>
> FILE: foreach $fname (grep {/\.(pem)|(crt)|(cer)|(crl)$/} @flist) {
>
> where I think the regex grouping is wrong.
> Obviously it is intended to find only files with the listed suffixes.
> But it also finds files with "crt" or "cer" just anywhere within the
> filename. For example it would find the file "i_am_not_a_cert_file.pdf"
That behaviour caused a (small) security incident for me. I had
renamed files containing CA certificates which should no longer be
trusted, expecting c_rehash to delete and not re-create symlinks
to those files. However, c_rehash unexpectedly re-created the
symlinks, and the application verifying certificates unexpectedly
found and thus kept trusting those CA certificates.
If c_rehash's current behaviour is intended, at least the man page
should reflect that, I guess. The man page currently says:
    rehash scans directories and calculates a hash value of
    each ".pem", ".crt", ".cer", or ".crl" file
Thanks, Marcus
--
Marcus C. Gottwald · <mcg at cheers.de> · @mcg:cheers.de
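The misgrouping described in this thread can be shown directly. The following is an added example, not code from the bug report or from OpenSSL's c_rehash: it applies the pattern exactly as quoted above, and the intended grouping, to a constructed list of filenames. Python's re module and Perl's regex engine agree on the relevant point, which is that alternation (|) binds more loosely than anything else in the pattern, so `\.(pem)|(crt)|(cer)|(crl)$` means "`.pem` anywhere, or `crt` anywhere, or `cer` anywhere, or `crl` at the end". The filenames, the function names and the "fixed" pattern are assumptions made for illustration.

```python
import re

# Constructed filenames (not from the bug report).  The first three are the
# kinds of names c_rehash is meant to pick up; the rest should be skipped.
SAMPLE_FILES = [
    "ca-root.pem",
    "intermediate.crt",
    "revoked.crl",
    "i_am_not_a_cert_file.pdf",   # the report's example: "cert" contains "cer"
    "untrusted-ca.pem.disabled",  # renamed to drop trust; ".pem" still present
    "certificate-policy.txt",     # starts with "cer"
    "README",
]

# The pattern as it appears in the reported c_rehash line.  Alternation binds
# more loosely than the anchors and groups, so this is parsed as:
#   \.pem   OR   crt   OR   cer   OR   crl$
BUGGY = re.compile(r"\.(pem)|(crt)|(cer)|(crl)$")

# The grouping the report says was intended (assumed fix, not OpenSSL's code):
# a dot, then one of the four suffixes, then end of string.
FIXED = re.compile(r"\.(pem|crt|cer|crl)$")


def select_cert_files(names, pattern=FIXED):
    """Return the names a c_rehash-style scan would treat as certificate files
    under the given pattern (search semantics, like Perl's m// in a grep block)."""
    return [n for n in names if pattern.search(n)]


def explain_buggy_matches(names):
    """Map each name the buggy pattern accepts to the substring that matched,
    which makes visible which alternative actually fired."""
    hits = {}
    for n in names:
        m = BUGGY.search(n)
        if m:
            hits[n] = m.group(0)
    return hits


if __name__ == "__main__":
    # Under the buggy pattern, the renamed CA file and the PDF are both kept,
    # which is the behaviour that re-created the symlinks in the thread above.
    for name, why in explain_buggy_matches(SAMPLE_FILES).items():
        print(f"buggy accepts {name!r:32} via {why!r}")
    print("fixed accepts:", select_cert_files(SAMPLE_FILES))
```

Running it shows that the buggy pattern accepts everything except README, with `untrusted-ca.pem.disabled` accepted because `\.pem` is not anchored to the end of the name; that is the same mechanism that kept the renamed CA files trusted. A practical check after a rehash is therefore to list the symlink targets in the hash directory and confirm that no renamed or disabled file is among them.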