When connected to a network with a catch-all HTTP filter, apt-get update corrupts the package lists

Bug #1001209 reported by Julius Schwartzenberg
This bug affects 3 people
Affects        Status      Importance   Assigned to   Milestone
apt (Ubuntu)   Confirmed   Undecided    Unassigned

Bug Description

I need to log on through a webpage before I can access the internet on some networks.
Before that all HTTP requests are forwarded to a log-on page.

When apt-get update is being run in the background before this log-on has happened, it will corrupt the package lists with this log-on page. I need to manually remove multiple files in /var/lib/apt/lists/ then before I can rerun apt-get update.

When apt-get update gets invalid data, it should not corrupt its package lists.

ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: apt 0.8.16~exp12ubuntu10
Uname: Linux 3.4.0-rc5-drm-intel-test-20120511 x86_64
ApportVersion: 2.0.1-0ubuntu7
Architecture: amd64
Date: Fri May 18 13:33:45 2012
InstallationMedia: Ubuntu 12.04 LTS "Precise Pangolin" - Alpha amd64 (20120204)
ProcEnviron:
 LANGUAGE=nl_NL
 TERM=xterm
 PATH=(custom, user)
 LANG=nl_NL.UTF-8
 SHELL=/bin/bash
SourcePackage: apt
UpgradeStatus: No upgrade log present (probably fresh install)

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in apt (Ubuntu):
status: New → Confirmed
Paul F (boxjunk) wrote :

Still present in 12.04 LTS, Precise running apt 0.8.16

In my case the corrupted package list files in /var/lib/apt/lists are caused by the router redirecting to an internal help page when it realises that its internet connection is down. So, when a fetch is attempted from, say, gb.archive.ubuntu.com/ubuntu/dists/precise-updates/universe/binary-i386/Packages when checking for updates, what comes back is the HTML source from the router's help page (example attached -- line 52 contains the requested URL).

It would appear that no sanity check is done on the returned data, leaving subsequent parse attempts to choke. The corrupted files remain and may propagate (???) causing other update failures.

On a security note, it occurs to me that an attacker in control of the router could return crafted files in place of apt's package lists to introduce malware as part of the normal automated update process. I trust checks are in place to prevent this???

Julius Schwartzenberg (jschwart) wrote :

About the security issue, this is solved with the signing of packages. Unless the attacker compromised a key that you added with apt-key (or a default key), nothing will be installed without a warning.

Paul F (boxjunk) wrote :

See also Bug #1055614

Paul F (boxjunk) wrote :

See also Bug #1001209

Paul F (boxjunk) wrote :

#5 gpg to the rescue!
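
The missing sanity check discussed in this thread can be approximated after the fact. The following is an added example, not part of the original report and not apt's own code: it reports files in a lists directory whose first non-whitespace byte is `<`, on the assumption that repository metadata (control-format text, PGP armor or compressed data) never begins that way. The function names and the sample files are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: flag apt list files that hold an HTML page (for instance a
# captive-portal log-on page) instead of repository metadata.
# Assumption: Packages/Release files are control-format text, PGP armor or
# compressed data, none of which begins with '<'.

# looks_like_html FILE: succeed if the first non-whitespace byte is '<'
# (a UTF-8 byte-order mark and NUL bytes are skipped as well).
looks_like_html() {
    local first
    first=$(head -c 256 -- "$1" | LC_ALL=C tr -d ' \t\r\n\000\357\273\277' | head -c 1)
    [ "$first" = "<" ]
}

# find_html_lists DIR: print every regular file directly in DIR that looks
# like HTML, one path per line. Nothing is deleted.
find_html_lists() {
    local f
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if looks_like_html "$f"; then printf '%s\n' "$f"; fi
    done
}

# make_sample_lists DIR: write constructed sample files (not real list data).
make_sample_lists() {
    local p="$1/gb.archive.ubuntu.com_ubuntu_dists_precise-updates"
    # Corrupted: a router help page saved under the Packages file name.
    printf '\n<!DOCTYPE html>\n<html><body>Please log on</body></html>\n' \
        > "${p}_universe_binary-i386_Packages"
    # Intact: control-format stanzas; '<html>' inside a field is not a hit.
    printf 'Package: example\nVersion: 1.0\nDescription: renders <html> pages\n' \
        > "${p}_main_binary-i386_Packages"
    printf 'Origin: Ubuntu\nSuite: precise-updates\n' > "${p}_Release"
}

# Demo on a throwaway directory.
demo_dir=$(mktemp -d)
make_sample_lists "$demo_dir"
find_html_lists "$demo_dir"
rm -rf "$demo_dir"
```

On an affected system, `find_html_lists /var/lib/apt/lists` names the files to remove before rerunning apt-get update.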
