Unable to save macaroons in MozillaCookieJar() under python3.10

Bug #1970267 reported by Steve Beattie
This bug affects 4 people
Affects                       Status         Importance   Assigned to   Milestone
py-macaroon-bakery (Ubuntu)   Fix Released   Undecided    Unassigned
  Jammy                       Fix Released   Undecided    Unassigned
  Kinetic                     Fix Released   Undecided    Unassigned
  Lunar                       Fix Released   Undecided    Unassigned

Bug Description

[ Impact ]

 * USN publication for the Ubuntu Security Team triggers an exception:

  [ELIDED]
    File "/usr/lib/python3.10/http/cookiejar.py", line 2120, in save
      if cookie.has_nonstandard_attr(HTTPONLY_ATTR):
    File "/usr/lib/python3.10/http/cookiejar.py", line 805, in has_nonstandard_attr
      return name in self._rest
  TypeError: argument of type 'NoneType' is not iterable

 * this should be fixed so that this error is not shown every time a
   USN is published by one of the team members.

 * other users of py-macaroon-bakery may be similarly affected but this
   is a niche use-case (i.e. macaroons and storing cookies in a MozillaCookieJar)

[ Test Plan ]

 * The following simple python script triggers this bug:

import tempfile
import os

from http.cookiejar import MozillaCookieJar
from macaroonbakery import httpbakery, _utils

cookiefile = tempfile.NamedTemporaryFile().name
client = httpbakery.Client(cookies=MozillaCookieJar(cookiefile))
client.cookies.set_cookie(_utils.cookie(name="foo",
                                        value="bar",
                                        url="https://ubuntu.com/"))
client.cookies.save()

 * Once fixed no TypeError exception should be seen.

 * Or the following script can be used from the qa-regression-testing
   project: https://git.launchpad.net/qa-regression-testing/tree/scripts/test-py-macaroon-bakery.py

[ Where problems could occur ]

 * For kinetic there is only one reverse dependency of
   python3-macaroonbakery in the archive - python3-libmaas - which itself
   has no reverse dependencies. As such there is not much chance of
   regression on kinetic as there are no real users of this library in the
   archive itself, however in this case a simple re-upload of the previous
   version would fix any issue.

 * For jammy, python3-macaroonbakery is pulled into the default desktop
   via gnome-online-accounts to enable the integration with Ubuntu One.
   This was historically used for integration with Livepatch but that has
   now been superseded by the Ubuntu Pro client and hence this is not
   actually used by services on jammy anymore.
     - https://gitlab.gnome.org/GNOME/gnome-online-accounts/-/issues/161#note_1540077

   As such there is no real chance of regression here either.

[ Other Info ]

  * Upstream bug report: https://github.com/go-macaroon-bakery/py-macaroon-bakery/issues/88
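
Added example (not part of the original report and not the packaged patch): the failure in the traceback above, reproduced with the standard library alone. It assumes the cookie was constructed with rest=None, which is what leaves Cookie._rest as None; the helper names make_cookie, probe_attr and try_save are hypothetical.

```python
import os
import tempfile
from http.cookiejar import Cookie, MozillaCookieJar


def make_cookie(rest):
    """Build a minimal constructed cookie; only the 'rest' argument varies."""
    return Cookie(
        version=0, name="foo", value="bar",
        port=None, port_specified=False,
        domain="ubuntu.com", domain_specified=True, domain_initial_dot=False,
        path="/", path_specified=True,
        secure=True, expires=None, discard=False,
        comment=None, comment_url=None,
        rest=rest,  # stored (copied) as Cookie._rest
    )


def probe_attr(rest):
    """Return the exception name raised by has_nonstandard_attr(), or None."""
    try:
        # has_nonstandard_attr() evaluates `name in self._rest`
        make_cookie(rest).has_nonstandard_attr("HttpOnly")
    except TypeError as exc:
        return type(exc).__name__
    return None


def try_save(rest):
    """Save one cookie to a throwaway file; return the error name or None."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    os.close(fd)
    try:
        jar = MozillaCookieJar(path)
        jar.set_cookie(make_cookie(rest))
        # On Python 3.10, save() checks each cookie for an HttpOnly attribute.
        jar.save(ignore_discard=True, ignore_expires=True)
    except TypeError as exc:
        return type(exc).__name__
    finally:
        os.unlink(path)
    return None


if __name__ == "__main__":
    print("rest=None ->", probe_attr(None), "/ save:", try_save(None))
    print("rest={}   ->", probe_attr({}), "/ save:", try_save({}))
```

Passing an empty dict for rest makes the membership test valid, so the same cookie saves cleanly.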

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in py-macaroon-bakery (Ubuntu):
status: New → Confirmed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package py-macaroon-bakery - 1.3.1-3ubuntu1

---------------
py-macaroon-bakery (1.3.1-3ubuntu1) lunar; urgency=medium

  * Fix saving macaroons to MozillaCookieJar() under python-3.10 (LP: #1970267)

 -- Alex Murray <email address hidden> Fri, 04 Nov 2022 11:03:27 +0100

Changed in py-macaroon-bakery (Ubuntu):
status: Confirmed → Fix Released
Changed in py-macaroon-bakery (Ubuntu Jammy):
status: New → Confirmed
Changed in py-macaroon-bakery (Ubuntu Kinetic):
status: New → Confirmed
Alex Murray (alexmurray) wrote :

I added a simple test script for this to QRT - https://git.launchpad.net/qa-regression-testing/commit/?id=c3a8b84664b4e90adf88064c90903c8520af7945 i.e., it is enough to just do something like the following:

import tempfile
import os

from http.cookiejar import MozillaCookieJar
from macaroonbakery import httpbakery, _utils

cookiefile = tempfile.NamedTemporaryFile().name
client = httpbakery.Client(cookies=MozillaCookieJar(cookiefile))
client.cookies.set_cookie(_utils.cookie(name="foo",
                                        value="bar",
                                        url="https://ubuntu.com/"))
client.cookies.save()
os.unlink(cookiefile)

Alex Murray (alexmurray)
description: updated
Changed in py-macaroon-bakery (Ubuntu Jammy):
status: Confirmed → In Progress
Changed in py-macaroon-bakery (Ubuntu Kinetic):
status: Confirmed → In Progress
Alex Murray (alexmurray) wrote :

I have uploaded SRU fixes for this issue to jammy and kinetic and they are currently sitting in the unapproved queues, waiting on ~ubuntu-sru:

https://launchpad.net/ubuntu/kinetic/+queue?queue_state=1&queue_text=py-macaroon-bakery
https://launchpad.net/ubuntu/jammy/+queue?queue_state=1&queue_text=py-macaroon-bakery

Alex Murray (alexmurray)
description: updated
Timo Aaltonen (tjaalton) wrote : Please test proposed package

Hello Steve, or anyone else affected,

Accepted py-macaroon-bakery into kinetic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/py-macaroon-bakery/1.3.1-3ubuntu0.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-kinetic to verification-done-kinetic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-kinetic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in py-macaroon-bakery (Ubuntu Kinetic):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-kinetic
Changed in py-macaroon-bakery (Ubuntu Jammy):
status: In Progress → Fix Committed
tags: added: verification-needed-jammy
Timo Aaltonen (tjaalton) wrote :

Hello Steve, or anyone else affected,

Accepted py-macaroon-bakery into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/py-macaroon-bakery/1.3.1-2ubuntu0.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Alex Murray (alexmurray) wrote :

I verified these SRUs within a LXD container as follows (replacing jammy with kinetic to verify it as well):

lxc launch ubuntu:jammy jammy
lxc shell jammy

# within the jammy environment
# reproduce the vulnerability
apt update
apt install python3-macaroonbakery

# use the poc from comment 3 above
vi poc.py

python3 poc.py

# observe traceback from NoneType exception

# now upgrade to the version in -proposed as per https://wiki.ubuntu.com/Testing/EnableProposed

cat <<EOF >/etc/apt/sources.list.d/ubuntu-$(lsb_release -cs)-proposed.list
# Enable Ubuntu proposed archive
deb http://archive.ubuntu.com/ubuntu/ $(lsb_release -cs)-proposed restricted main multiverse universe
EOF

cat <<EOF >/etc/apt/preferences.d/proposed-updates
# Configure apt to allow selective installs of packages from proposed
Package: *
Pin: release a=$(lsb_release -cs)-proposed
Pin-Priority: 400
EOF

apt update

apt install python3-macaroonbakery/$(lsb_release -cs)-proposed

python3 poc.py

# no exception/traceback! hooray!

tags: added: verification-done verification-done-jammy verification-done-kinetic
removed: verification-needed verification-needed-jammy verification-needed-kinetic
Chris Halse Rogers (raof) wrote : Update Released

The verification of the Stable Release Update for py-macaroon-bakery has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package py-macaroon-bakery - 1.3.1-3ubuntu0.1

---------------
py-macaroon-bakery (1.3.1-3ubuntu0.1) kinetic; urgency=medium

  * d/p/0001-gh88-fix-saving-macaroons-in-mozillacookie-jar.patch: Fix
    saving cookies to MozillaCookieJar() under python-3.10
    (LP: #1970267)

 -- Alex Murray <email address hidden> Thu, 16 Feb 2023 16:10:18 +1030

Changed in py-macaroon-bakery (Ubuntu Kinetic):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package py-macaroon-bakery - 1.3.1-2ubuntu0.1

---------------
py-macaroon-bakery (1.3.1-2ubuntu0.1) jammy; urgency=medium

  * d/p/0001-gh88-fix-saving-macaroons-in-mozillacookie-jar.patch: Fix
    saving cookies to MozillaCookieJar() under python-3.10
    (LP: #1970267)

 -- Alex Murray <email address hidden> Thu, 16 Feb 2023 16:12:07 +1030

Changed in py-macaroon-bakery (Ubuntu Jammy):
status: Fix Committed → Fix Released