Could you please report this issue to Mozilla? Based on a quick look at
our source code and manpage, I think our manpages correctly document the
situation:

lib/certdb/certdb.c

SECStatus
CERT_DecodeTrustString(CERTCertTrust *trust, const char *trusts)
{
    unsigned int i;
    unsigned int *pflags;

    if (!trust) {
        PORT_SetError(SEC_ERROR_INVALID_ARGS);
        return SECFailure;
    }
    trust->sslFlags = 0;
    trust->emailFlags = 0;
    trust->objectSigningFlags = 0;
    if (!trusts) {
        PORT_SetError(SEC_ERROR_INVALID_ARGS);
        return SECFailure;
    }

    pflags = &trust->sslFlags;

    for (i=0; i < PORT_Strlen(trusts); i++) {
        switch (trusts[i]) {
          case 'p':
              *pflags = *pflags | CERTDB_TERMINAL_RECORD;
              break;

          case 'P':
              *pflags = *pflags | CERTDB_TRUSTED | CERTDB_TERMINAL_RECORD;
              break;

lib/certdb/certdb.h

typedef unsigned int __CERTDB_VALID_PEER __attribute__((deprecated
    ("CERTDB_VALID_PEER is now CERTDB_TERMINAL_RECORD")));


There's a chance that "valid peer" is really being used to mean "not trusted 
for this particular feature" but that feels strange.

Thanks

** Changed in: nss (Ubuntu)
       Status: New => Incomplete

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to nss in Ubuntu.
https://bugs.launchpad.net/bugs/1586538

Title:
  certutils from libnss3-tools - man page contradicts Mozilla's

Status in nss package in Ubuntu:
  Incomplete

Bug description:
  Description of certutils here:
  https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/tools/NSS_Tools_certutil#Options_and_Arguments

  contradicts the man page here:
  http://manpages.ubuntu.com/manpages/wily/man1/certutil.1.html

  In the former "-t p" is "prohibited (explicitly distrusted)".  In the
  latter, it's "Valid peer".

  I'm listing it as a security vuln, because someone could mistakenly
  do the wrong thing.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nss/+bug/1586538/+subscriptions
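
Added example, not part of the original message and not NSS code: a Python check that follows the two cases of CERT_DecodeTrustString quoted above and lists `certutil -L` entries whose trust field sets the terminal-record flag without the trusted flag, which is the `p` case the two documents describe differently. The flag names are symbolic stand-ins, the SSL, S/MIME, object-signing field order and the sample listing are assumptions constructed for this example, and letters other than `p` and `P` are passed through uninterpreted.

```python
import enum

class Trust(enum.Flag):
    # Symbolic stand-ins for the CERTDB_* macros; not NSS's numeric values.
    TERMINAL_RECORD = enum.auto()
    TRUSTED = enum.auto()

USAGES = ("ssl", "email", "object_signing")  # assumed field order

def decode_trust_string(trusts):
    """Decode 'ssl,email,objsign' using only the 'p' and 'P' cases quoted above."""
    fields = trusts.split(",")
    if len(fields) != len(USAGES):
        raise ValueError("expected three comma-separated trust fields")
    decoded = {}
    for usage, field in zip(USAGES, fields):
        flags, other = Trust(0), ""
        for ch in field:
            if ch == "p":
                flags |= Trust.TERMINAL_RECORD
            elif ch == "P":
                flags |= Trust.TRUSTED | Trust.TERMINAL_RECORD
            else:
                other += ch  # letters not shown in the excerpt stay uninterpreted
        decoded[usage] = (flags, other)
    return decoded

def review_listing(listing):
    """Return (nickname, usage) pairs that are terminal records without the trusted flag."""
    findings = []
    for line in listing.splitlines():
        parts = line.rsplit(None, 1)
        if len(parts) != 2 or parts[1].count(",") != 2:
            continue  # header or blank line
        nickname, trusts = parts
        for usage, (flags, _) in decode_trust_string(trusts).items():
            if flags == Trust.TERMINAL_RECORD:
                findings.append((nickname.strip(), usage))
    return findings

# Constructed sample in the layout of `certutil -L` output.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
Example Root CA                                              CT,C,C
Pinned Server                                                P,,
Old Intermediate                                             p,p,p
mail-gw                                                      ,p,
"""
```

Calling `review_listing(SAMPLE_LISTING)` returns the entries to re-check against what the administrator intended when setting `-t p`.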
