package set based archive permission checks do not check package affiliation and distro series

Bug #479169 reported by Muharem Hrnjadovic
Affects: Launchpad itself
Status: Fix Released
Importance: Critical
Assigned to: Muharem Hrnjadovic

Bug Description

lp.archiveuploader.permission.verify_upload fails to check

  1 - whether the package sets found for the uploader are in the correct distro series
  2 - whether the source package to be uploaded is affiliated with any of the package sets found

Tags: lp-soyuz
Changed in soyuz:
status: New → In Progress
importance: Undecided → Critical
assignee: nobody → Muharem Hrnjadovic (al-maisan)
milestone: none → 3.1.10
milestone: 3.1.10 → 3.1.11
Muharem Hrnjadovic (al-maisan) wrote :

The attached branch passed all tests in ec2

Muharem Hrnjadovic (al-maisan) wrote :

After a more detailed analysis it became apparent that the code in question only suffers from the following problem:

lp.archiveuploader.permission.verify_upload fails to check whether the package sets found for the uploader and source package are in the correct distro series

Changed in soyuz:
status: In Progress → Fix Released
William Grant (wgrant)
visibility: private → public
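
The missing distro series check described in the last comment above, shown on a simplified model. This is an added example, not part of the bug report and not Launchpad's code; the class, function names, series names and sample data are all hypothetical.

```python
# Simplified model of a package-set upload check. All names are hypothetical
# and the data is constructed; none of this is Launchpad's actual code.
from dataclasses import dataclass


@dataclass(frozen=True)
class PackageSet:
    name: str
    distroseries: str      # series the package set belongs to
    sources: frozenset     # source package names in the set


# Constructed sample data: a set with the same name exists in two series,
# but "examplepkg" is only a member of it in the older series.
DESKTOP_OLD = PackageSet("desktop", "series-old",
                         frozenset({"examplepkg", "otherpkg"}))
DESKTOP_NEW = PackageSet("desktop", "series-new", frozenset({"otherpkg"}))
ALL_SETS = [DESKTOP_OLD, DESKTOP_NEW]

# Constructed grants: uploader -> package sets they hold permission for.
GRANTS = {"alice": [DESKTOP_OLD], "bob": [DESKTOP_OLD, DESKTOP_NEW]}


def sets_for_source(source, distroseries=None):
    """Package sets containing `source`, optionally limited to one series."""
    return [s for s in ALL_SETS
            if source in s.sources
            and (distroseries is None or s.distroseries == distroseries)]


def may_upload_unscoped(person, source, distroseries):
    """Flawed check: the target series is accepted but never consulted,
    so a grant in any series authorizes an upload to every series."""
    granted = set(GRANTS.get(person, []))
    return any(s in granted for s in sets_for_source(source))


def may_upload_scoped(person, source, distroseries):
    """Check with both the grants and the package's sets restricted
    to the series the upload is targeted at."""
    granted = {s for s in GRANTS.get(person, [])
               if s.distroseries == distroseries}
    return any(s in granted for s in sets_for_source(source, distroseries))
```
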
This report contains Public Security information  
Everyone can see this security related information.
