Bug 6568 - python-httplib2 should use system-wide cacerts instead of bundled ones
Summary: python-httplib2 should use system-wide cacerts instead of bundled ones
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 2
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL: http://lwn.net/Vulnerabilities/503384/
Whiteboard: MGA1TOO mga1-64-OK mga2-64-OK mga1-32...
Keywords: validated_update
Depends on:
Reported: 2012-06-26 00:00 CEST by David Walser
Modified: 2015-01-13 16:13 CET (History)
4 users (show)

See Also:
Source RPM: python-httplib2-0.7.4-1.mga3.src.rpm
Status comment:

httplib2-use-system-certs.patch (1.93 KB, patch)
2012-06-26 00:04 CEST, David Walser
Details | Diff
get.py simple example from http://code.google.com/p/httplib2/wiki/Examples (111 bytes, application/octet-stream)
2012-07-09 18:05 CEST, claire robinson

Description David Walser 2012-06-26 00:00:45 CEST
SuSE has issued an advisory today (June 25):
Comment 1 David Walser 2012-06-26 00:03:09 CEST
This affects Mageia 1 and Mageia 2 as well, but I'm not sure if it's worth issuing an update for.

SuSE corrected this by patching it to look at /etc/ssl/ca-bundle.pem instead of /usr/lib/python2.7/site-packages/httplib2/cacerts.txt.  We don't have /etc/ssl/ca-bundle.pem, but we do have /etc/pki/tls/certs/ca-bundle.crt which looks like it might be in the right format.  I'll attach their patch.

CC: (none) => makowski.mageia
Whiteboard: (none) => MGA2TOO, MGA1TOO

Comment 2 David Walser 2012-06-26 00:04:04 CEST
Created attachment 2495 [details]

Patch from OpenSuSE: httplib2-use-system-certs.patch
Comment 3 Philippe Makowski 2012-07-05 21:14:50 CEST
Updates are in testing for MGA1 and MGA2
Comment 4 David Walser 2012-07-05 22:36:32 CEST
Thanks Philippe :o)

I'll test this next time I need to upload something to the binrepo, as I did in Bug 5256, if nobody beats me to it.


python-httplib2 ships its own copy of the Mozilla NSS certificates, but
it should use the system-wide ones provided by the rootcerts package
instead.  This has been corrected.


Updated packages in core/updates_testing:

from SRPMS:

Version: Cauldron => 2
Whiteboard: MGA2TOO, MGA1TOO => MGA1TOO

David Walser 2012-07-05 22:41:23 CEST

Assignee: bugsquad => qa-bugs

Comment 5 David Walser 2012-07-05 22:42:21 CEST
I don't think uploading to the binrepo uses https, so we should find some way to test that.
Comment 6 claire robinson 2012-07-09 18:05:36 CEST
Created attachment 2538 [details]
get.py simple example from http://code.google.com/p/httplib2/wiki/Examples

I edited the Simple Retrieval example to fetch headers from https://mageia.org and show them.

tested with 'python get.py'

Is this sufficient? 

If so then testing complete mga1 64
Comment 7 claire robinson 2012-07-09 18:07:25 CEST
adding 'print content' also prints the content.
claire robinson 2012-07-09 18:09:27 CEST

Whiteboard: MGA1TOO => MGA1TOO mga1-64-OK

Comment 8 claire robinson 2012-07-11 11:14:16 CEST
testing complete mga2 64

Hardware: i586 => All
Whiteboard: MGA1TOO mga1-64-OK => MGA1TOO mga1-64-OK mga2-64-OK

Comment 9 claire robinson 2012-07-11 14:14:02 CEST
Tested using:

$ strace -o strace.out python get.py
$ grep open strace.out | grep -v "such file" | grep bundle
open("/etc/ssl/certs/ca-bundle.crt", O_RDONLY) = 4
open("/etc/ssl/certs/ca-bundle.crt", O_RDONLY) = 5

Shows it using system certs.
Comment 10 David Walser 2012-07-15 18:46:10 CEST
(In reply to comment #6)
> Created attachment 2538 [details]
> get.py simple example from http://code.google.com/p/httplib2/wiki/Examples
> I edited the Simple Retrieval example to fetch headers from https://mageia.org
> and show them.
> tested with 'python get.py'
> Is this sufficient? 
> If so then testing complete mga1 64

Yes, that looks like a really good test.  I tried it on Mageia 1 i586 and before the update, the certificate verification actually doesn't work at all for me.  I get a "certificate verify failed" error and Python exception.  Installing the update fixes this for me.  Also, before the update, strace shows:

open("/usr/lib/python2.7/site-packages/httplib2/cacerts.txt", O_RDONLY|O_LARGEFILE) = 4

and after installing the update, strace shows:

open("/etc/ssl/certs/ca-bundle.crt", O_RDONLY|O_LARGEFILE) = 5

So this worked out really well :D

Whiteboard: MGA1TOO mga1-64-OK mga2-64-OK => MGA1TOO mga1-64-OK mga2-64-OK mga1-32-OK

Comment 11 David Walser 2012-07-15 18:53:05 CEST
Tested successfully on Mageia 2 i586 as well.

Claire, I'll let you do the final validation honors since I haven't done it in so long :o)

Whiteboard: MGA1TOO mga1-64-OK mga2-64-OK mga1-32-OK => MGA1TOO mga1-64-OK mga2-64-OK mga1-32-OK mga2-32-OK

Comment 12 claire robinson 2012-07-16 12:28:27 CEST
Thanks for testing David


SRPMs and advisory in comment 4 for mga1 and 2

Could sysadmin please push from core/updates_testing to core/updates


Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 13 Thomas Backlund 2012-07-21 14:10:30 CEST
Update pushed:

CC: (none) => tmb
Resolution: (none) => FIXED

Comment 14 Adam Williamson 2015-01-13 01:47:29 CET
hey folks, sorry for the zombie.

Using /etc/ssl/certs/ca-bundle.crt is perhaps not quite the right choice. That's not the canonical location, it's a compat symlink. See rootcerts.spec:


# be compatible with Debian/Ubuntu SSL paths
# fix #58107 (also used by dovecot default config)
install -d %{buildroot}%{_sysconfdir}/ssl
for d in certs private; do
    ln -sf %{_sysconfdir}/pki/tls/$d %{buildroot}%{_sysconfdir}/ssl/

the most correct location would, I believe, be /etc/pki/tls/certs/ca-bundle.crt (same as Fedora/RHEL's canonical location). Sharp-eyed readers may note Fedora's patch uses the same slightly not-the-best location, I'll fix that one :P

CC: (none) => adamw

Comment 15 Adam Williamson 2015-01-13 02:17:07 CET
also note that (again for both Mageia and Fedora) the Python 3 code needs patching as well, no-one seems to be doing that.
Comment 16 Adam Williamson 2015-01-13 04:22:01 CET
here's the updated patch I sent to Fedora today:

Comment 17 David Walser 2015-01-13 16:13:10 CET
Thanks Adam!  Nice to see you, and thanks for the heads up.  I've updated our patch in Cauldron.

Note You need to log in before you can comment on or make changes to this bug.