[Pkg-openssl-devel] Bug#934921: openssl: Wrong regular expression in /usr/bin/c_rehash
Marcus C. Gottwald
mcg at cheers.de
Sun Mar 14 16:58:27 GMT 2021

Andreas Gryphius wrote (Fri 2019-Aug-16 18:22:00 +0200):
> the perl script /usr/bin/c_rehash contains a line (#123)
> 
> FILE: foreach $fname (grep {/\.(pem)|(crt)|(cer)|(crl)$/} @flist) {
> 
> where I think the regex grouping is wrong.
> Obviously it is intended to find only files with the listed suffixes.
> But it also finds files with "crt" or "cer" just anywhere within the
> filename. For example it would find the file "i_am_not_a_cert_file.pdf"
That behaviour caused a (small) security incident for me. I had
renamed files containing CA certificates which should no longer be
trusted, expecting c_rehash to delete and not re-create symlinks
to those files. However, c_rehash unexpectedly re-created the
symlinks, and the application verifying certificates unexpectedly
found and thus kept trusting those CA certificates.
If c_rehash's current behaviour is intended, at least the man page
should reflect that, I guess. The man page currently says:
   rehash scans directories and calculates a hash value of
   each ".pem", ".crt", ".cer", or ".crl" file
Thanks, Marcus
-- 
   Marcus C. Gottwald  ·  <mcg at cheers.de>  ·  @mcg:cheers.de
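The grouping mistake discussed above, as an added Perl example (my code, not the reporter's and not OpenSSL's c_rehash): it puts the alternation quoted from c_rehash beside a correctly grouped one, and lists which names only the buggy pattern selects; the file names are constructed, the ".disabled" renaming is my assumption about the reporter's case, and the corrected pattern is mine rather than one taken from the report.

```perl
#!/usr/bin/perl
# Added example, not code from the bug report or from OpenSSL's c_rehash.
use strict;
use warnings;

# Pattern as quoted from c_rehash: the dot binds only to the first
# alternative and the "$" only to the last, so "(crt)" and "(cer)" match
# anywhere in the file name.
my $buggy = qr/\.(pem)|(crt)|(cer)|(crl)$/;
# Correctly grouped: the dot and the end anchor apply to every suffix.
my $fixed = qr/\.(pem|crt|cer|crl)$/;

# Names a pattern would select, in input order (mirrors the grep in c_rehash).
sub select_files {
    my ($re, @names) = @_;
    return grep { /$re/ } @names;
}

# Names the buggy pattern selects but the fixed one does not, i.e. files
# that c_rehash would hash and symlink although they carry no listed suffix.
sub unexpected_hits {
    my @names = @_;
    my %ok = map { $_ => 1 } select_files($fixed, @names);
    return grep { !$ok{$_} } select_files($buggy, @names);
}

# Constructed directory listing; "old-root.crt.disabled" stands in for a
# CA certificate renamed so that it should no longer be picked up.
my @flist = qw(
    ca-bundle.pem
    corp-root.crt
    old-root.crt.disabled
    i_am_not_a_cert_file.pdf
    certs.txt
    README
    revoked.crl
);

print "buggy selects: ", join(", ", select_files($buggy, @flist)), "\n";
print "fixed selects: ", join(", ", select_files($fixed, @flist)), "\n";
print "unexpected:    ", join(", ", unexpected_hits(@flist)), "\n";

# Optional: audit a real certificate directory given on the command line.
if (@ARGV) {
    opendir(my $dh, $ARGV[0]) or die "cannot open $ARGV[0]: $!";
    my @real = grep { -f "$ARGV[0]/$_" } readdir($dh);
    closedir($dh);
    print "$ARGV[0]: hashed only because of the bug: $_\n" for unexpected_hits(@real);
}
```

Run against a hash directory, the last block prints every file the installed c_rehash would keep trusting purely on account of a "crt" or "cer" substring in its name.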