[Bug 2016439] [NEW] Regression finding system certificates
Sergio Durigan Junior
2016439 at bugs.launchpad.net
Sun Apr 16 23:04:43 UTC 2023
Public bug reported:
[ Clone of https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034359 ]
Between 7.88.1-2 and 7.88.1-5, there was a change to where curl with
nss looks for loadable libraries:

  curl (7.88.1-4) unstable; urgency=medium

    * d/p/Use-correct-path-when-loading-libnss-pem-ckbi-.so.patch:
      Prepend "/nss/" before the library name.

Before the change to the load path, curl could find
/lib/x86_64-linux-gnu/libnssckbi.so but not
/lib/x86_64-linux-gnu/nss/libnsspem.so; after the change it's the
reverse.

libnssckbi.so is enough to get a trust root (the Mozilla certificate
store is compiled inside that library), whereas libnsspem.so
(1.0.8+1-1) isn't.

This makes it impossible to connect to HTTPS servers by default for
programs that use curl with NSS.

Here is a way to test the regression:

  debbisect -v --cache=./cache \
    --depends=libcurl4-nss-dev,git,pkg-config,libssl-dev,ca-certificates,cargo,nss-plugin-pem,p11-kit-modules,strace \
    20230306T145638Z 20230306T203828Z \
    'chroot "$1" bash -exuc "
  git clone --depth 1 https://github.com/alexcrichton/curl-rust.git
  cd curl-rust
  time cargo fetch
  time cargo build --offline --example https
  strace -efile target/debug/examples/https >/dev/null
  "'

** Affects: curl (Ubuntu)
Importance: High
Assignee: Sergio Durigan Junior (sergiodj)
Status: Triaged
https://bugs.launchpad.net/bugs/2016439
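
Added example (not part of the original bug report, nor code from curl or NSS): a shell helper that reads the `strace -efile` output of the reproducer above and reports which of the two NSS modules was actually opened. The function name nss_trust_report and the sample strace lines are constructed for illustration, and the lookup paths in the samples are assumed from the description in the report.

```shell
#!/bin/sh
# Added example. Usage against the reproducer (strace writes to stderr):
#   strace -efile target/debug/examples/https 2>&1 >/dev/null | nss_trust_report
# Returns 0 only if libnssckbi.so (the built-in trust roots) was opened.
nss_trust_report() {
    awk '
        /open(at)?\(/ && match($0, /"[^"]*\/libnss(ckbi|pem)\.so"/) {
            path = substr($0, RSTART + 1, RLENGTH - 2)   # strip the quotes
            mod = path; sub(/.*\//, "", mod)             # basename
            res = $0; sub(/.* = /, "", res)              # syscall result
            if (res ~ /^-1/) { if (!(mod in found)) missed[mod] = path }
            else found[mod] = path
        }
        END {
            n = split("libnssckbi.so libnsspem.so", mods, " ")
            for (i = 1; i <= n; i++) {
                m = mods[i]
                if (m in found)       printf "%s loaded from %s\n", m, found[m]
                else if (m in missed) printf "%s NOT FOUND (last tried %s)\n", m, missed[m]
                else                  printf "%s never requested\n", m
            }
            exit(("libnssckbi.so" in found) ? 0 : 1)
        }
    '
}

# Constructed strace lines (not captured output); lookup paths assumed from the report.
SAMPLE_BEFORE='openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libnsspem.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libnssckbi.so", O_RDONLY|O_CLOEXEC) = 3'
SAMPLE_AFTER='openat(AT_FDCWD, "/lib/x86_64-linux-gnu/nss/libnsspem.so", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/nss/libnssckbi.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)'

echo "== before the load-path change =="
printf '%s\n' "$SAMPLE_BEFORE" | nss_trust_report || echo "no built-in trust roots"
echo "== after the load-path change =="
printf '%s\n' "$SAMPLE_AFTER" | nss_trust_report || echo "no built-in trust roots"
```

A non-zero return on a given snapshot means the process never opened libnssckbi.so, which is the condition the report ties to the failing HTTPS connections.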