[Box Backup] Bug#601882: boxbackup-server's bbstored-certs creates certs that expire in the past

Reinhard Tartler siretart at tauware.de
Sun Jan 9 15:31:11 GMT 2011


Hi all,

On Sat, Jan 08, 2011 at 21:53:07 (CET), Chris Wilson wrote:

> Reinhard, I'm going to add this fix to 0.11 to make 0.11.1, would you
> like to update the Debian packages when it becomes available shortly?

Thanks for the offer, but I don't think a new upstream release will be
necessary. Btw, AFAIUI 0.11 still isn't released, I see 'just' a 0.11rc8
package on http://boxbackup.org? So what would a potential 0.11.1
package contain then? Anyway, Debian 'lenny' (stable) ships with an
0.11rc2 package. Debian 'squeeze' will ship 0.11rc2 as well (rc8 missed
the freeze), but has the proposed change already included.

I'm going to include the fix in the package directly. The whole issue is
tracked at http://bugs.debian.org/601506, and the Stable Release Manager
(SRM, i.e., Adam) asked me to present a debdiff showing the changes for
the update I'm proposing for debian *stable*. I'm doing this with this
email, see below.

> On Sat, 2011-01-08 at 13:55 +0100, Reinhard Tartler wrote:
>> The fix for #601506 has been done with the -7 upload, but the change -6
>> would qualify for lenny IMO as well. SRM, would you be happy to include
>> the changes from -6 and -7 in the next lenny point release? If yes,
>> please advise what changes to include and what version number to use for
>> an upload to stable-proposed-updates.

On Sat, Jan 08, 2011 at 18:43:20 (CET), Adam D. Barratt wrote:
> fwiw, most of the changes in -6 don't actually appear to be needed; the
> problem only arises when the tests of the form "[ -z $VAR1 -o -z
> $VAR2 ]" are used (and specifically only when $VAR1 is empty, as -z ends
> up being applied to "-o").
>
> Other than that, applying -6 and -7 to lenny would be okay. Please use
> 0.11~rc2-5+lenny1 as the version number and send a debdiff to -release
> for final pre-upload confirmation.

I've taken these changes in anyway because I do know that they work in
that way in squeeze. Here we go:

--- boxbackup-0.11~rc2/debian/boxbackup-server.postinst
+++ boxbackup-0.11~rc2/debian/boxbackup-server.postinst
@@ -71,7 +71,7 @@
 	    DIR3=`echo "$RET" | awk '{ print $3 }'`
 
 	    if [ -n $DIR1 ]; then
-		if [ -z $DIR2 -o -z $DIR3 ]; then
+		if [ -z "$DIR2" -o -z "$DIR3" ]; then
 		    DIR2=$DIR1
 		    DIR3=$DIR1
 		fi
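Review bot: the enclosing `if [ -n $DIR1 ]; then` is left unquoted while the line inside it gets quoted; with an empty $DIR1 it becomes `[ -n ]`, the one-argument form, which is true because the string "-n" is non-empty, so the block runs with every DIR variable empty. Quote it the same way: `if [ -n "$DIR1" ]; then`. Since the inner line is one predicate over two variables, `[ -z "$DIR2" ] || [ -z "$DIR3" ]` would also avoid `-o`, which POSIX marks obsolescent inside a single `[ ]` and which is exactly the token that made the argument list ambiguous here.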
diff -u boxbackup-0.11~rc2/debian/boxbackup-client.postinst boxbackup-0.11~rc2/debian/boxbackup-client.postinst
--- boxbackup-0.11~rc2/debian/boxbackup-client.postinst
+++ boxbackup-0.11~rc2/debian/boxbackup-client.postinst
@@ -74,15 +74,15 @@
 	    if [ "$RET" = "lazy" ]; then
 		db_get boxbackup-client/UpdateStoreInterval
 		UPDATE=$RET
-		[ -z $UPDATE ] && UPDATE="3600"
+		[ -z "$UPDATE" ] && UPDATE="3600"
 
 		db_get boxbackup-client/MinimumFileAge
 		FILEAGE=$RET
-		[ -z $FILEAGE ] && FILEAGE="21600"
+		[ -z "$FILEAGE" ] && FILEAGE="21600"
 
 		db_get boxbackup-client/MaxUploadWait
 		UPWAIT=$RET
-		[ -z $UPWAIT ] && UPWAIT="86400"
+		[ -z "$UPWAIT" ] && UPWAIT="86400"
 
 		AUTO=yes
 	    else
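Review bot: after quoting, a whitespace-only debconf answer is no longer replaced by the default (the unquoted form collapsed it to `[ -z ]`, which is true, so the default was applied), and the value is now used as is; if that matters, writing `UPDATE=${RET:-3600}` directly after `db_get` removes the test entirely, and a numeric check such as `case $UPDATE in ''|*[!0-9]*) UPDATE=3600;; esac` would cover both the empty and the non-numeric case. The same applies to FILEAGE and UPWAIT below.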
@@ -219,7 +219,7 @@
 	    chmod 600 $BBKEY || true
 
 	    # SSL stuff
-	    if [ ! -z $ACCOUNT ]; then
+	    if [ ! -z "$ACCOUNT" ]; then
 		if [ ! -e $BBPRIVKEY -a ! -e $BBCERT ]; then
 		    db_get boxbackup-client/generateCertificate
 
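Review bot: `chmod 600 $BBKEY || true` and `if [ ! -e $BBPRIVKEY -a ! -e $BBCERT ]; then` remain unquoted in this hunk, so a key or certificate path containing whitespace is split into several operands and, in the `[` case, produces the same argument-list error this debdiff fixes elsewhere; quote all three variables. `[ ! -z "$ACCOUNT" ]` reads more directly as `[ -n "$ACCOUNT" ]`.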
diff -u boxbackup-0.11~rc2/debian/boxbackup-server.config boxbackup-0.11~rc2/debian/boxbackup-server.config
--- boxbackup-0.11~rc2/debian/boxbackup-server.config
+++ boxbackup-0.11~rc2/debian/boxbackup-server.config
@@ -33,7 +33,7 @@
     DIR3=`echo "$RET" | awk '{ print $3 }'`
 
     if [ -n $DIR1 ]; then
-	if [ -z $DIR2 -o -z $DIR3 ]; then
+	if [ -z "$DIR2" -o -z "$DIR3" ]; then
 	    DIR2=$DIR1
 	    DIR3=$DIR1
 	fi
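Review bot: same block as in boxbackup-server.postinst, with the same remaining gap: `if [ -n $DIR1 ]; then` is unquoted and is true for an empty $DIR1, because `[ -n ]` tests the string "-n" rather than the variable. Quote it here too. The config and postinst scripts carry identical copies of this logic, so a fix applied to only one of them is easy to miss; keeping the two in step should be part of this change.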
diff -u boxbackup-0.11~rc2/debian/changelog boxbackup-0.11~rc2/debian/changelog
--- boxbackup-0.11~rc2/debian/changelog
+++ boxbackup-0.11~rc2/debian/changelog
@@ -1,3 +1,13 @@
+boxbackup (0.11~rc2-5+lenny1) stable-proposed-updates; urgency=low
+
+  * bin/bbstored/bbstored-certs: reduce root CA expiration date to avoid
+    Y2k38 overflow. Thanks to Clint Adams <schizo at debian.org> for
+    reporting it. Closes: #601506
+  * Fix shell scripting in the debconf interaction code of the package's
+    postinst script. This should prevent problems like LP: #222999
+  
+ -- Reinhard Tartler <siretart at tauware.de>  Sun, 09 Jan 2011 16:07:46 +0100
+
 boxbackup (0.11~rc2-5) unstable; urgency=low
 
   * Bugfix: "Please build-depend on docbook-xml". Thanks to Luca Falavigna
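Review bot: the new entry describes only the root CA period, but the bbstored-certs hunk in the same debdiff also shortens the client certificate period from 5000 to 3000 days (roughly 8.2 years instead of 13.7), which operators will notice as earlier client-cert expiry; say so in the entry. It is also worth stating that certificates already generated keep their existing notAfter, since the change only affects new bbstored-certs runs, so installations that already have an overflowing root certificate have to regenerate it.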
only in patch2:
unchanged:
--- boxbackup-0.11~rc2.orig/bin/bbstored/bbstored-certs.in
+++ boxbackup-0.11~rc2/bin/bbstored/bbstored-certs.in
@@ -2,10 +2,10 @@
 use strict;
 
 # validity period for root certificates -- default is a very long time
-my $root_sign_period = '10000';
+my $root_sign_period = '5000';
 
 # but less so for client certificates
-my $sign_period = '5000';
+my $sign_period = '3000';
 
 # check and get command line parameters
 if($#ARGV < 1)
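Review bot: the new constants move the overflow rather than remove it: counted back from 2038-01-19, 5000 days lands on 2024-05-12 and 3000 days on 2029-11-02, so a root CA created after the former, or a client certificate signed after the latter, again gets a notAfter past the signed 32-bit time_t limit (the old 10000 days already crossed it for any CA created after 2010-09-03). Because both periods are hard-coded, there is no operator override; clamping the period against that limit at signing time, or at least recording these dates in the script comment, would make the fix durable. The comment "default is a very long time" still reads as though the value were unbounded and should be updated alongside the number.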

-- 
Gruesse/greetings,
Reinhard Tartler, KeyID 945348A4
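The test(1) misparse Adam describes, reproduced as an added example that is not part of the mail or of the boxbackup package: the unquoted `[ -z $VAR1 -o -z $VAR2 ]` from the -5 package beside the quoted form from the debdiff, a `||`-joined variant, and a re-implementation of the DIR1/DIR2/DIR3 defaulting logic from the postinst hunk. Function names (unquoted_either_empty, quoted_either_empty, either_empty, status_of, split_dirs, show) and the sample directory answers are mine; the postinst itself splits the answer with awk, while this script uses the shell's own field splitting so that it has no dependencies.

```shell
#!/bin/sh
# Added example, not code from the boxbackup package: shows why
# `[ -z $VAR1 -o -z $VAR2 ]` misbehaves when $VAR1 is empty and what the
# quoted form from the debdiff does instead. Runs under dash or bash.

# Unquoted form, as in the -5 package. Word splitting drops an empty
# operand, so `[` receives a different argument list depending on the
# values, and with an empty first value -z is applied to the word "-o".
unquoted_either_empty() {
    [ -z $1 -o -z $2 ]
}

# Quoted form from the lenny1 debdiff: every operand is exactly one word.
quoted_either_empty() {
    [ -z "$1" -o -z "$2" ]
}

# Same predicate without -o, which POSIX marks obsolescent inside a single
# `[ ]`: two tests joined by the shell's own || cannot be mis-tokenised.
either_empty() {
    [ -z "$1" ] || [ -z "$2" ]
}

# Exit status of a two-argument predicate, with `[` diagnostics silenced.
# 0 = true, 1 = false, 2 = `[` rejected the argument list
# (bash reports "too many arguments", dash "unexpected operator").
status_of() {
    "$1" "$2" "$3" 2>/dev/null && rc=0 || rc=$?
    echo "$rc"
}

# Mirror of the postinst hunk: split a space-separated debconf answer into
# DIR1 DIR2 DIR3 and default DIR2 and DIR3 to DIR1 when either is missing.
# Prints "DIR2 DIR3" on one line.
split_dirs() {
    set -- $1            # field-split the answer (the postinst uses awk)
    DIR1=$1; DIR2=$2; DIR3=$3
    if [ -n "$DIR1" ]; then
        if either_empty "$DIR2" "$DIR3"; then
            DIR2=$DIR1
            DIR3=$DIR1
        fi
    fi
    printf '%s %s\n' "$DIR2" "$DIR3"
}

show() {
    printf 'VAR1=%-4s VAR2=%-4s unquoted=%s quoted=%s\n' "'$1'" "'$2'" \
        "$(status_of unquoted_either_empty "$1" "$2")" \
        "$(status_of quoted_either_empty "$1" "$2")"
}

show ''  'x'    # the bug: unquoted fails (status 2 in bash and dash), quoted 0
show 'a' 'x'    # both 1, nothing empty
show 'a' ''     # quoted 0; unquoted is a parse error again (-z with no operand)
split_dirs '/srv/bbstored'                 # one field: /srv/bbstored /srv/bbstored
split_dirs '/srv/bb1 /srv/bb2 /srv/bb3'    # three fields: /srv/bb2 /srv/bb3
```

The only difference between the first two functions is the quotes, which is why the bug is invisible on systems where the debconf answer always has a value; the `||` form is what I would use in new code.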


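The Y2038 arithmetic behind the bbstored-certs change and the changelog entry, as an added example that is not part of the mail or of bbstored-certs: it computes, in plain POSIX shell arithmetic, whether a validity period of N days from a given signing date gives a notAfter beyond 2038-01-19T03:14:07Z (the largest signed 32-bit time_t), and the last signing date for which a given period still fits. It assumes the usual `-days N` semantics, notAfter = signing time + N days; the function names, the 2011-01-09 sample date (the date of this mail) and the 10000/5000/3000 values are taken from or chosen for this discussion.

```shell
#!/bin/sh
# Added example, not code from bbstored-certs: checks whether a validity
# period in days, counted from a given signing date, gives a notAfter later
# than 2038-01-19T03:14:07Z, the largest signed 32-bit time_t. Assumes the
# usual `-days N` semantics, notAfter = signing time + N*86400 seconds.
# Pure shell arithmetic, no date(1), so it behaves the same on every host.

TIME_T32_MAX=2147483647

# Days since 1970-01-01 for a Gregorian date y m d (Howard Hinnant's
# days_from_civil algorithm, restricted to years >= 0).
days_from_civil() {
    y=$1; m=$2; d=$3
    if [ "$m" -gt 2 ]; then mp=$((m - 3)); else mp=$((m + 9)); y=$((y - 1)); fi
    era=$((y / 400))
    yoe=$((y - era * 400))
    doy=$(((153 * mp + 2) / 5 + d - 1))
    doe=$((yoe * 365 + yoe / 4 - yoe / 100 + doy))
    echo $((era * 146097 + doe - 719468))
}

# Inverse of days_from_civil; prints YYYY-MM-DD.
civil_from_days() {
    z=$(($1 + 719468))
    era=$((z / 146097))
    doe=$((z - era * 146097))
    yoe=$(((doe - doe / 1460 + doe / 36524 - doe / 146096) / 365))
    y=$((yoe + era * 400))
    doy=$((doe - (365 * yoe + yoe / 4 - yoe / 100)))
    mp=$(((5 * doy + 2) / 153))
    d=$((doy - (153 * mp + 2) / 5 + 1))
    if [ "$mp" -lt 10 ]; then m=$((mp + 3)); else m=$((mp - 9)); y=$((y + 1)); fi
    printf '%04d-%02d-%02d\n' "$y" "$m" "$d"
}

# notAfter in Unix seconds for a certificate signed at 00:00:00 UTC on
# y m d ($1 $2 $3) with a validity of $4 days.
notafter_epoch() {
    echo $((($(days_from_civil "$1" "$2" "$3") + $4) * 86400))
}

# Succeeds when that notAfter still fits a signed 32-bit time_t. The
# comparison is done in $(( )) so that the shell, not test(1), does it.
fits_time_t32() {
    [ "$(($(notafter_epoch "$@") <= TIME_T32_MAX))" -eq 1 ]
}

# Last signing date (at 00:00 UTC) for which a validity of $1 days still
# fits; anything signed after this date overflows again.
last_safe_signing_date() {
    civil_from_days $((TIME_T32_MAX / 86400 - $1))
}

# The three periods that appear in the bbstored-certs hunk, evaluated for a
# root CA created on the date of this mail, 2011-01-09.
for days in 10000 5000 3000; do
    if fits_time_t32 2011 1 9 "$days"; then fits=yes; else fits=no; fi
    printf '%5d days: fits from 2011-01-09: %-3s  last safe signing date: %s\n' \
        "$days" "$fits" "$(last_safe_signing_date "$days")"
done
```

The loop shows that 10000 days already overflowed for anything signed after 2010-09-03, and that 5000 and 3000 days only hold until 2024-05-12 and 2029-11-02 respectively; a script that wants to stay correct could compute `TIME_T32_MAX / 86400 - $(days_from_civil today)` and use the smaller of that and its configured period.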
