git-annex fails to encrypt AWS credentials

Bug #1406678 reported by Dave Pifke
This bug affects 1 person
Affects: git-annex (Ubuntu)
Status: Expired
Importance: Undecided
Assigned to: Unassigned

Bug Description

This is the upstream bug described here:

http://git-annex.branchable.com/devblog/day_221__another_fine_day_of_bugfixing/

The fix should be backported (or the package should be upgraded), as this is a security issue in an LTS release. The fix is also missing from the version which ships with utopic. I was unable to install the version shipping with vivid due to gnutls dependency issues.

ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: git-annex 5.20140412ubuntu1
ProcVersionSignature: Ubuntu 3.13.0-43.72-generic 3.13.11.11
Uname: Linux 3.13.0-43-generic x86_64
ApportVersion: 2.14.1-0ubuntu3.6
Architecture: amd64
Date: Tue Dec 30 17:23:20 2014
InstallationDate: Installed on 2013-08-17 (500 days ago)
InstallationMedia: Ubuntu 13.04 "Raring Ringtail" - Release amd64 (20130424)
SourcePackage: git-annex
UpgradeStatus: Upgraded to trusty on 2014-04-21 (253 days ago)

Seth Arnold (seth-arnold) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Changed in git-annex (Ubuntu):
status: New → Incomplete
information type: Private Security → Public Security
Dave Pifke (dpifke) wrote :

I finally had a chance to look at this again today. I attempted to merge the relevant bits from upstream, see:

https://github.com/dpifke/git-annex/commits/master

Attached is a patch containing the results of this effort.

Unfortunately, this doesn't fix the problem: running `git annex enableremote` enables the remote and writes the plaintext credentials to .git/annex/creds/<uuid>, without generating an error message.

I've never written a line of Haskell before in my life, so it's not immediately clear to me why merging these fixes didn't work. I'm going to email the author (joeyh) in the hopes he can point me in the right direction.

Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "git-annex.patch" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
Launchpad Janitor (janitor) wrote :

[Expired for git-annex (Ubuntu) because there has been no activity for 60 days.]

Changed in git-annex (Ubuntu):
status: Incomplete → Expired