update-manager corrupts package information behind paywall

Bug #1030027 reported by Dan Wiebe
This bug affects 1 person
Affects: update-manager (Ubuntu)
Status: New
Importance: Undecided
Assigned to: Unassigned

Bug Description

Error message from update-manager:

E:Encountered a section with no Package: header, E:Problem with MergeList /var/lib/apt/lists/us.archive.ubuntu.com_ubuntu_dists_precise-updates_multiverse_binary-i386_Packages, E:The package lists or status file could not be parsed or opened.

Background: I ran update-manager while connected to a hotel network that redirects any HTTP access to a "pay us for Internet access" page until you've agreed to pay. At the time I ran update-manager, I had not yet agreed to pay.

Now 61 of the 154 files in my /var/lib/apt/lists directory consist of the HTML of the "pay us for Internet access" page.

lsb_release -rd:
Description: Ubuntu 12.04 LTS
Release: 12.04

apt-cache policy update-manager:
E: Encountered a section with no Package: header
E: Problem with MergeList /var/lib/apt/lists/us.archive.ubuntu.com_ubuntu_dists_precise-updates_multiverse_binary-i386_Packages
E: The package lists or status file could not be parsed or opened.
[probably the files the information was in are corrupted]

Tags: bot-comment
Revision history for this message
Tyler Hicks (tyhicks) wrote : Bug is not a security issue

Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross privilege boundaries nor directly cause loss of data/privacy. Please feel free to report any other bugs you may find.

security vulnerability: yes → no
visibility: private → public
Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better. Reviewing your bug report, it seems that you are experiencing bug 346386. This issue happens when you have tried to update your package information while you are on a network that didn't return the right files. This issue can be cleaned up by using the following commands in a terminal:

1.) sudo rm /var/lib/apt/lists/*
2.) sudo apt-get update

Thanks and good luck!

[This is an automated message. I apologize if it reached you inappropriately; please reopen the bug task if it was incorrect.]

tags: added: bot-comment
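
A read-only check for the symptom reported above (list files whose content is the portal's HTML), useful for confirming which files are affected before removing them. This is an added example, not part of the original bug thread; the HTML-prefix heuristic, the function names and the second sample filename are assumptions made here.

```shell
#!/bin/sh
# Added example (not from the bug thread): find files in an APT lists
# directory that hold an HTML page instead of index data.

# looks_like_html FILE: succeed if the first non-blank text in FILE starts
# with an HTML marker. Heuristic chosen for this example.
looks_like_html() {
    first=$(LC_ALL=C; export LC_ALL
            head -c 512 "$1" 2>/dev/null | tr -d '\000' | tr 'A-Z' 'a-z' |
            sed -n '/[^[:space:]]/{s/^[[:space:]]*//;p;q;}')
    case "$first" in
        '<!doctype html'*|'<html'*|'<head'*) return 0 ;;
    esac
    return 1
}

# find_html_lists [DIR]: print each regular file in DIR that looks like HTML.
find_html_lists() {
    dir=${1:-/var/lib/apt/lists}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue   # skip the partial/ subdirectory
        if looks_like_html "$f"; then printf '%s\n' "$f"; fi
    done
}

# make_sample_dir: build a constructed lists directory for the demo.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    # Name taken from the error message; content is a constructed portal page.
    printf '<!DOCTYPE html>\n<html><body>Pay for access</body></html>\n' \
        > "$d/us.archive.ubuntu.com_ubuntu_dists_precise-updates_multiverse_binary-i386_Packages"
    # Constructed name and content for an intact index file.
    printf 'Package: example\nVersion: 1.0\n\n' \
        > "$d/us.archive.ubuntu.com_ubuntu_dists_precise_main_binary-i386_Packages"
    : > "$d/lock"
    mkdir "$d/partial"
    printf '%s\n' "$d"
}

sample=$(make_sample_dir)
find_html_lists "$sample"
rm -rf "$sample"
```

Calling `find_html_lists` with no argument scans /var/lib/apt/lists itself; the function only reads files and changes nothing.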
Revision history for this message
Dan Wiebe (dnwiebe) wrote : Re: [Bug 1030027] Re: update-manager corrupts package information behind paywall

That's cool. I don't know enough about how update-manager works to be
sure, but it seemed to me that if the wrong person could get an update
request redirected to his own site, the way the hotel redirected mine to
theirs, he could supply hacked "updates" of stuff that runs as root, and
thus take over your system. So I flagged it just in case.

If that's not an issue, great.

On 07/27/2012 04:09 PM, Tyler Hicks wrote:
> Thanks for taking the time to report this bug and helping to make Ubuntu
> better. We appreciate the difficulties you are facing, but this appears
> to be a "regular" (non-security) bug. I have unmarked it as a security
> issue since this bug does not show evidence of allowing attackers to
> cross privilege boundaries nor directly cause loss of data/privacy.
> Please feel free to report any other bugs you may find.
>
> ** Visibility changed to: Public
>
> ** This bug is no longer flagged as a security vulnerability
>
