102631 - built-in objects dll picked up by a profile must be that of the latest installed version of the software.

Status: VERIFIED DUPLICATE of bug 147280

(Core Graveyard :: Security: UI, defect, P1)

Description

[Stephane Saux]

Currently, the secmod db stores the full path of the nssckbi.dll which store
built-in root CA certs.

Secmod.db is in the profile, and the value stored in it for nssckbi.dll reflects
the install location of the client version that created it (for 6.1 and higher).

If someone which thus created a secmod.db with 6.1, installs 6.2 in a different
directory than 6.1 (i.e., the new installation's nssckbi.dll doesn't replace the
old nssckbi.dll), and uses this profile, then 6.2 will use the 6.1 version of
nssckbi.dll

The solution is to make sure that entries in secmod.db for nssckbi.dll are
versioned.  The result will be that the software will check that the nssckbi.dll
is the most recent available:

The requirement will be:
The dll in secmod.db exists.
its version in secmod.db must equal or higher than the currently executing
version of the client ships with.

If these requirements are not met, the secmod.db will be updated to reflect the
version the currently executing client has.

This will allows the root ca list to be has complete as possible.

This may requires some NSS work as well for the secmod entry versioning.

Comment 1

[Stephane Saux]

*** Bug 104965 has been marked as a duplicate of this bug. ***

Comment 2

[Kai Engert (:KaiE:)]

I believe this is a duplicate of NSS bug 147280.

Because this one is PSM and the other is NSS, I'm not marking this one as a
duplicate, but rather add a dependency.
We should decide whether we are fine, once bug 147280 gets resolved.

Comment 3

[Kai Engert (:KaiE:)]

*** This bug has been marked as a duplicate of 147280 ***

Comment 4

[John Unruh]

Verified dupe.