Bug 21571

Summary:	Updated perl causes rootcerts to be unbuildable
Product:	Mageia	Reporter:	David Walser <luigiwalser>
Component:	RPM Packages	Assignee:	Shlomi Fish <shlomif>
Status:	RESOLVED FIXED	QA Contact:
Severity:	critical
Priority:	Normal	CC:	mageia, marja11
Version:	Cauldron
Target Milestone:	---
Hardware:	All
OS:	Linux
Whiteboard:
Source RPM:	perl	CVE:
Status comment:

Description David Walser 2017-08-20 01:17:26 CEST

http://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/20170808235931.luigiwalser.duvel.19219/log/rootcerts-20170718.00-1.mga7/build.0.20170809000011.log

It builds fine in Mageia 5 and Mageia 6.

Comment 1 Marja Van Waes 2017-08-21 20:46:11 CEST

Assigning to the registered maintainer of perl.

CC: (none) => marja11
Assignee: bugsquad => shlomif

Comment 2 Sander Lepik 2017-08-21 22:27:29 CEST

I'm not so sure it's perl to blame here.

I debugged the process a bit and before the failing command I ran ls -l certs.

On mga6 the result is different:

ls -l certs
total 1376
lrwxrwxrwx 1 sander sander   43 Aug 21 20:20 02265526.0 -> entrust-root-certification-authority-01.pem
lrwxrwxrwx 1 sander sander   36 Aug 21 20:20 03179a64.0 -> staat-der-nederlanden-ev-root-ca.pem
lrwxrwxrwx 1 sander sander   17 Aug 21 20:20 062cdee6.0 -> globalsign-01.pem
lrwxrwxrwx 1 sander sander   25 Aug 21 20:20 064e0aa9.0 -> quovadis-root-ca-2-g3.pem
...
...

vs on mga7:

ls -l certs
total 1376
-rw-r--r-- 1 sander sander 4307 Aug 21 20:24 -00.pem
-rw-r--r-- 1 sander sander 4651 Aug 21 20:24 -01.pem
-rw-r--r-- 1 sander sander 4475 Aug 21 20:24 -02.pem
-rw-r--r-- 1 sander sander 4471 Aug 21 20:24 -03.pem
-rw-r--r-- 1 sander sander 4475 Aug 21 20:24 -04.pem
...
...
lrwxrwxrwx 1 sander sander    8 Aug 21 20:24 02265526.0 -> -147.pem
lrwxrwxrwx 1 sander sander    8 Aug 21 20:24 03179a64.0 -> -143.pem
...
...

The naming goes wrong and that's why ln -s fails.

CC: (none) => mageia

Comment 3 Sander Lepik 2017-08-21 23:00:00 CEST

Hmm, debugging it more I can see that it's probably mkcerts.pl that is bogus.

Comment 4 Sander Lepik 2017-08-22 09:42:31 CEST

I found the bug, not quite sure how to fix it though..

It's actually openssl that has changed its output:

On mga6:

openssl x509 -subject <pem/-00.pem
subject= /C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA

And on mga7:

openssl x509 -subject <pem/-00.pem
subject=C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA

Regex in mkcerts.pl fails to parse this new format.

Comment 5 Sander Lepik 2017-08-22 11:17:41 CEST

Not sure if the fix was best possible, but only few certs got new name after my changes:

diff 6.txt 7.txt 
121c121
< /etc/pki/tls/rootcerts/ac-ra-xc3-xadz-certic-xc3-xa1mara.pem
---
> /etc/pki/tls/rootcerts/ac-ra-z-certic-mara-s-a.pem
167a168
> /etc/pki/tls/rootcerts/ca-u6c83-u901a-u6839-u8bc1-u4e66.pem
169d169
< /etc/pki/tls/rootcerts/ca-xe6-xb2-x83-xe9-x80-x9a-xe6.pem
182c182
< /etc/pki/tls/rootcerts/certinomis-autorit-xc3-xa9-racine.pem
---
> /etc/pki/tls/rootcerts/certinomis-autorit-racine.pem
297c297
< /etc/pki/tls/rootcerts/netlock-arany-class-gold-f-xc5.pem
---
> /etc/pki/tls/rootcerts/netlock-arany-class-gold-f-u0151tan.pem
336a337
> /etc/pki/tls/rootcerts/t-b-u0130tak-uekae-k-k-sertifika.pem
342a344,345
> /etc/pki/tls/rootcerts/t-rktrust-elektronik-sertifika-00.pem
> /etc/pki/tls/rootcerts/t-rktrust-elektronik-sertifika-01.pem
349,351d351
< /etc/pki/tls/rootcerts/t-xc3-x9cb-xc4-xb0tak-uekae-k-xc3.pem
< /etc/pki/tls/rootcerts/t-xc3-x9crktrust-elektronik-sertifika-00.pem
< /etc/pki/tls/rootcerts/t-xc3-x9crktrust-elektronik-sertifika-01.pem

Status: NEW => RESOLVED
Resolution: (none) => FIXED