Ubuntu
packagekit package

Security issue in PackageKit

Bug #1007791 reported by Matthias Klumpp
260
This bug affects 1 person
Affects Status Importance Assigned to Milestone
packagekit (Debian)
Fix Released
Unknown
packagekit (Ubuntu)
Fix Released
Low
Unassigned
Lucid
Won't Fix
Medium
Unassigned
Natty
Won't Fix
Low
Unassigned
Oneiric
Won't Fix
Low
Unassigned
Precise
Won't Fix
Low
Unassigned
Quantal
Fix Released
Low
Unassigned

Bug Description

Hi!
The Aptcc backend in PackageKit saves the changelog to a predictable location in /tmp. As packagekitd is running as root, bad people could just add a symlink named like the file in /tmp (e.g. to /etc/shadow) to screw up the system.
I fixed this in Debian already, you might want to take the patch (02_aptcc-changelog-random-dir.patch) from there and apply it to Precise, if possible.
For Quantal, please merge/sync packagekit 0.7.4-4 from Debian Sid, which contains the patch and some other improvements.
Cheers,
   Matthias

UPDATE: The same also applies for our Debconf handling. While the changelog-issue is fixed, this issue is still valid for debconf sockets.
I therefore reopened this bug on Quantal and linked the Debian issue, which will be fixed soon.

See original description
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thanks for your report!

Ubuntu has symlink restrictions enabled via Yama which should mitigate this problem on Ubuntu 11.04 and later (but we should still fix it). I see Quantal already has 0.7.4-4ubuntu2. Did Debian assign a CVE for it?

Changed in packagekit (Ubuntu Lucid):
status: New → Triaged
importance: Undecided → Medium
Changed in packagekit (Ubuntu Natty):
status: New → Triaged
importance: Undecided → Low
Changed in packagekit (Ubuntu Oneiric):
status: New → Triaged
importance: Undecided → Low
Changed in packagekit (Ubuntu Precise):
status: New → Triaged
importance: Undecided → Low
Changed in packagekit (Ubuntu Quantal):
importance: High → Low
status: New → Fix Released
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Since this is already public via the Debian upload, marking this public.

visibility: private → public
Revision history for this message
Matthias Klumpp (ximion) wrote :

No, there is no CVE yet - I don't know how to create one :P
This issue is unfortunately also present in our implementation of Debconf and will also need to be fixed there. (work is in progress)
Thanks!

Matthias Klumpp (ximion)
description: updated
Changed in packagekit (Ubuntu Quantal):
status: Fix Released → Triaged
Bug Watch Updater (bug-watch-updater)
Changed in packagekit (Debian):
status: Unknown → New
Bug Watch Updater (bug-watch-updater)
Changed in packagekit (Debian):
status: New → Fix Released
Revision history for this message
Matthias Klumpp (ximion) wrote :

Depends on someone fixing bug #1040086 (Sync packagekit from Debian) now.

Matthias Klumpp (ximion)
Changed in packagekit (Ubuntu Quantal):
status: Triaged → Fix Released
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. natty has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against natty is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

Changed in packagekit (Ubuntu Natty):
status: Triaged → Won't Fix
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. oneiric has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against oneiric is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

Changed in packagekit (Ubuntu Oneiric):
status: Triaged → Won't Fix
Revision history for this message
Rolf Leggewie (r0lf) wrote :

lucid has seen the end of its life and is no longer receiving any updates. Marking the lucid task for this ticket as "Won't Fix".

Changed in packagekit (Ubuntu Lucid):
status: Triaged → Won't Fix
Revision history for this message
Steve Langasek (vorlon) wrote :

The Precise Pangolin has reached end of life, so this bug will not be fixed for that release

Changed in packagekit (Ubuntu Precise):
status: Triaged → Won't Fix
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.