Acknowledgement sent
to Stephan Verbücheln <verbuecheln@posteo.de>:
New Bug report received and forwarded. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>.
(Tue, 12 Apr 2022 13:15:03 GMT)
Subject: Evolution ignoring system certificate store
Date: Tue, 12 Apr 2022 13:12:32 +0000
Package: evolution
Version: 3.44.0-2
Evolution is ignoring the system certificate store. As a result, it is
impossible to validate signed emails (S/MIME). In addition, encryption
also does not work properly because many certificates are not trusted.
It appears to only affect S/MIME. In my tests, TLS protection of server
connections was still working.
I have reproduced this bug on several machines with Debian Sid, with
various Linux users and with various e-mail accounts. The bug is also
occurring for newly created users.
How to reproduce:
1. Create a new Linux user and log in
2. Launch Evolution
3. Navigate to Edit/Preferences/Certificates
4. Open the “Authorities” tab and note that there are no certificates
The bug does not occur in Debian Bullseye with Evolution 3.38. The bug
does not occur in Ubuntu 20.04 beta with Evolution 3.44 either.
It is possible that this bug is caused by libnss and the ~/.pki
configuration rather than Evolution.
Acknowledgement sent
to erlenmayr@gmail.com:
Extra info received and forwarded to list. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>.
(Thu, 14 Apr 2022 10:42:03 GMT)
After some additional tests, there is some more information.
Test I have run:
1. Installed fresh Debian Bullseye. It has Evolution 3.38.3-1 and
libnss3 3.61-1+deb11u2.
2. Created a new user.
3. Added a GMail account. The inbox contains a signed email. The
certificate was issued by a known CA. Note that no CA was manually
added to the system store (/usr/share/ca-certificates) or Evolution.
-> Preferences/Certificates/Authorities are populated with a long list
of CAs.
-> The signed mail is trusted.
4. Installed Evolution 3.44.0-1 from bookworm.
-> Preferences/Certificates/Authorities are still populated.
-> The signed mail is still trusted.
5. Installed libnss 3.77-1 from bookworm.
-> Preferences/Certificates/Authorities no longer populated. It only
displays a handful of authorities that it extracted from e-mails, but not
the full system store.
-> The signed mail is no longer trusted.
Ubuntu 22.04 (beta) has no problems. It uses libnss3 version
3.68.2-0ubuntu1.
Regards
Acknowledgement sent
to Stephan Verbücheln <verbuecheln@posteo.de>:
Extra info received and forwarded to list. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>.
(Tue, 19 Apr 2022 10:09:05 GMT)
Further analysis shows that it is related to changed file locations
between the libnss3 versions. Some files were moved out of the nss
directory.
Files in stable (libnss3 2:3.61-1+deb11u2):
/usr/lib/x86_64-linux-gnu/libnss3.so
/usr/lib/x86_64-linux-gnu/libnssutil3.so
/usr/lib/x86_64-linux-gnu/libsmime3.so
/usr/lib/x86_64-linux-gnu/libssl3.so
/usr/lib/x86_64-linux-gnu/nss/libfreebl3.chk
/usr/lib/x86_64-linux-gnu/nss/libfreebl3.so
/usr/lib/x86_64-linux-gnu/nss/libfreeblpriv3.chk
/usr/lib/x86_64-linux-gnu/nss/libfreeblpriv3.so
/usr/lib/x86_64-linux-gnu/nss/libnssckbi.so
/usr/lib/x86_64-linux-gnu/nss/libnssdbm3.chk
/usr/lib/x86_64-linux-gnu/nss/libnssdbm3.so
/usr/lib/x86_64-linux-gnu/nss/libsoftokn3.chk
/usr/lib/x86_64-linux-gnu/nss/libsoftokn3.so
/usr/share/doc/libnss3/changelog.Debian.gz
/usr/share/doc/libnss3/copyright
/usr/share/lintian/overrides/libnss3
Files in unstable (libnss3 2:3.77-1):
/usr/lib/x86_64-linux-gnu/libfreebl3.chk
/usr/lib/x86_64-linux-gnu/libfreebl3.so
/usr/lib/x86_64-linux-gnu/libfreeblpriv3.chk
/usr/lib/x86_64-linux-gnu/libfreeblpriv3.so
/usr/lib/x86_64-linux-gnu/libnss3.so
/usr/lib/x86_64-linux-gnu/libnssckbi.so
/usr/lib/x86_64-linux-gnu/libnssdbm3.chk
/usr/lib/x86_64-linux-gnu/libnssdbm3.so
/usr/lib/x86_64-linux-gnu/libnssutil3.so
/usr/lib/x86_64-linux-gnu/libsmime3.so
/usr/lib/x86_64-linux-gnu/libsoftokn3.chk
/usr/lib/x86_64-linux-gnu/libsoftokn3.so
/usr/lib/x86_64-linux-gnu/libssl3.so
/usr/share/doc/libnss3/changelog.Debian.gz
/usr/share/doc/libnss3/copyright
/usr/share/lintian/overrides/libnss3
QUICK FIX
Manually creating a nss directory with symlinks to the shared objects
appears to fix the problem. However, that is not a good solution as it
could have undesired side effects.
I am not sure whether it is the job for libnss3 or evolution
maintainers to fix this.
Regards
Acknowledgement sent
to Jeremy Bicha <jeremy.bicha@canonical.com>:
Extra info received and forwarded to list. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>.
(Tue, 19 Apr 2022 17:51:05 GMT)
Control: affects -1 src:nss
On Tue, Apr 19, 2022 at 6:09 AM Stephan Verbücheln
<verbuecheln@posteo.de> wrote:
> Further analysis shows that it is related to changed file locations
> between the libnss3 versions. Some files were moved out of the nss
> directory.
Would rebuilding evolution fix this issue?
There will be a new evolution release on Friday anyway.
If it does fix the issue, then maybe we would need to rebuild some or
all of the nss reverse dependencies.
Thank you,
Jeremy Bicha
Added indication that 1009367 affects src:nss
Request was from Jeremy Bicha <jeremy.bicha@canonical.com>
to 1009367-submit@bugs.debian.org.
(Tue, 19 Apr 2022 17:51:05 GMT)
Acknowledgement sent
to Stephan Verbücheln <verbuecheln@posteo.de>:
Extra info received and forwarded to list. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>.
(Tue, 19 Apr 2022 18:15:03 GMT)
Another hint:
There are hardcoded paths in the following file:
~/.pki/nssdb/pkcs11.txt
e.g.:
> library=/usr/lib/x86_64-linux-gnu/nss/libnssckbi.so
To me it is not clear who creates that file, nss or evolution.
Regards
Acknowledgement sent
to Stephan Verbücheln <verbuecheln@posteo.de>:
Extra info received and forwarded to list. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>.
(Sat, 23 Apr 2022 10:48:03 GMT)
Acknowledgement sent
to Jeremy Bicha <jeremy.bicha@canonical.com>:
Extra info received and forwarded to list. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>.
(Sat, 23 Apr 2022 12:03:03 GMT)
Acknowledgement sent
to Jeremy Bicha <jeremy.bicha@canonical.com>:
Extra info received and forwarded to list. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>.
(Sat, 23 Apr 2022 12:15:03 GMT)
On Tue, Apr 19, 2022 at 2:15 PM Stephan Verbücheln
<verbuecheln@posteo.de> wrote:
>
> Another hint:
>
> There are hardcoded paths in the following file:
> ~/.pki/nssdb/pkcs11.txt
>
> e.g.:
> > library=/usr/lib/x86_64-linux-gnu/nss/libnssckbi.so
>
> To me it is not clear who creates that file, nss or evolution.
I believe libnss3 creates that file and needs to be able to handle it.
libnss3 might need to add a symlink directory to handle the old name.
I'm uploading a new evolution version and closing this bug. Back up
that file. If you still have the bug with evolution 3.44.1-2 with that
file (but not with that file moved or removed), I recommend filing a
serious bug against libnss3.
Note this from the debian/changelog for libnss3 2:3.72-1
* debian/libnss3.lintian-overrides.in, debian/rules,
nss/cmd/shlibsign/shlibsign.c, nss/lib/pk11wrap/pk11load.c,
nss/lib/util/secload.c, nss/cmd/shlibsign/Makefile,
nss/cmd/shlibsign/manifest.mn: Stop putting freebl, softokn, etc. in a
subdirectory. It's a deviation from upstream that is causing more problems
than it's worth keeping. Closes: #737855, #846012, #979159.
Thanks,
Jeremy Bicha
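A check for the situation discussed in this thread, as an added example (not code from the reporter, Evolution or NSS): it parses a pkcs11.txt, lists modules whose `library=` path no longer exists, and suggests the path one directory up when the file left an `nss/` subdirectory. The stanza layout (blank-line-separated `key=value` lines), the sample file contents and the function names are assumptions; only the `library=` line and the two libnssckbi.so locations come from the report.

```python
import os
from pathlib import Path

# Constructed sample. Only the libnssckbi.so library= line comes from the bug
# report; the stanza layout and the other fields are assumptions.
SAMPLE_PKCS11_TXT = """\
library=
name=NSS Internal PKCS #11 Module
NSS=Flags=internal,critical trustOrder=75

library=/usr/lib/x86_64-linux-gnu/nss/libnssckbi.so
name=Root Certs
NSS=trustOrder=100
"""

def parse_modules(text):
    """Split the text into module stanzas (blank-line separated key=value lines)."""
    modules, current = [], {}
    for line in text.splitlines() + [""]:      # trailing "" flushes the last stanza
        line = line.strip()
        if not line:
            if current:
                modules.append(current)
            current = {}
            continue
        key, sep, value = line.partition("=")  # split on the first '=' only
        if sep:
            current[key.strip().lower()] = value.strip()
    return modules

def stale_modules(text, exists=os.path.exists):
    """Return (name, library) for modules whose absolute library path is missing."""
    stale = []
    for mod in parse_modules(text):
        lib = mod.get("library", "")
        # An empty library= is the built-in module; only absolute paths are checked.
        if os.path.isabs(lib) and not exists(lib):
            stale.append((mod.get("name", "?"), lib))
    return stale

def suggest_relocated(lib, exists=os.path.exists):
    """Return the same file one directory up if it left an nss/ subdirectory."""
    path = Path(lib)
    candidate = str(path.parent.parent / path.name)
    return candidate if path.parent.name == "nss" and exists(candidate) else None

if __name__ == "__main__":
    db = Path.home() / ".pki" / "nssdb" / "pkcs11.txt"
    text = db.read_text() if db.exists() else SAMPLE_PKCS11_TXT
    for name, lib in stale_modules(text):
        print(f"{name}: {lib} is missing; now at: {suggest_relocated(lib)}")
```

The `exists` parameter lets the check be run against a simulated file layout, so the stable and unstable package file lists above can be compared without installing either version.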
Reply sent
to Jeremy Bicha <jbicha@ubuntu.com>:
You have taken responsibility.
(Sat, 23 Apr 2022 12:39:05 GMT)
Notification sent
to Stephan Verbücheln <verbuecheln@posteo.de>:
Bug acknowledged by developer.
(Sat, 23 Apr 2022 12:39:05 GMT)
Source: evolution
Source-Version: 3.44.1-2
Done: Jeremy Bicha <jbicha@ubuntu.com>
We believe that the bug you reported is fixed in the latest version of
evolution, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1009367@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jeremy Bicha <jbicha@ubuntu.com> (supplier of updated evolution package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Sat, 23 Apr 2022 08:13:10 -0400
Source: evolution
Built-For-Profiles: noudeb
Architecture: source
Version: 3.44.1-2
Distribution: unstable
Urgency: medium
Maintainer: Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>
Changed-By: Jeremy Bicha <jbicha@ubuntu.com>
Closes: 1009367
Changes:
evolution (3.44.1-2) unstable; urgency=medium
.
* Drop 02_nss_paths.patch: no longer required (Closes: #1009367)
* debian/control.in: Bump Build-Depends on libnss3-dev to >= 2:3.72-1~
Acknowledgement sent
to Stephan Verbücheln <verbuecheln@posteo.de>:
Extra info received and forwarded to list. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>.
(Sun, 24 Apr 2022 18:45:03 GMT)