package upgrade should replace /etc/ssl/certs/ca-certificates.crt atomically

Bug #1914839 reported by ysth
Affects                    Status        Importance  Assigned to  Milestone
ca-certificates (Debian)   Fix Released  Unknown
ca-certificates (Ubuntu)   Fix Released  High        Unassigned

Bug Description

While upgrading the ca-certificates package, a process got the error:

SSL_ca_file /etc/ssl/certs/ca-certificates.crt does not exist

This file should be replaced atomically, with no time gap where the file does not exist.

(I am flagging this as a security vulnerability because, while I did not experience any security issue, I can imagine at least the possibility of this being exploitable in some way in some circumstances.)

information type: Private Security → Public Security
Steve Beattie (sbeattie) wrote :

Ah yes, /usr/sbin/update-ca-certificates is deleting the ca-certificates.crt shortly before atomically moving the new version into place.

It looks like a fix was committed in Debian for this a couple of weeks ago:

 https://salsa.debian.org/debian/ca-certificates/-/commit/8f8f4a525bd6a6c8a8d13530cda194d60275313d

but has not landed there.

Changed in ca-certificates (Ubuntu):
status: New → Confirmed
Changed in ca-certificates (Debian):
status: Unknown → New
Changed in ca-certificates (Debian):
status: New → Fix Committed
Changed in ca-certificates (Debian):
status: Fix Committed → Fix Released
Changed in ca-certificates (Ubuntu):
importance: Undecided → High
status: Confirmed → Triaged
Simon Déziel (sdeziel) wrote :

This was fixed in ca-certificates version 20211016 which is what Jammy released with. As of today, all Ubuntu releases from Bionic onward ship 20230311 so marking as fix released.

Changed in ca-certificates (Ubuntu):
status: Triaged → Fix Released
