update-manager seems to insecurely check if a file is valid

Bug #701378 reported by nodata
Affects: update-manager (Ubuntu)
Status: Confirmed
Importance: Wishlist
Assigned to: Unassigned
Milestone: none

Bug Description

Binary package hint: update-manager-core

I think update-manager has a security problem:

# grep URI /etc/update-manager/meta-release | head -2
URI = http://changelogs.ubuntu.com/meta-release
URI_LTS = http://changelogs.ubuntu.com/meta-release-lts

Changelogs are checked over the url: http://changelogs.ubuntu.com/meta-release where you will find something like this:

Dist: maverick
[..]
UpgradeTool: http://archive.ubuntu.com/ubuntu/dists/maverick-updates/main/dist-upgrader-all/current/maverick.tar.gz
UpgradeToolSignature: http://archive.ubuntu.com/ubuntu/dists/maverick-updates/main/dist-upgrader-all/current/maverick.tar.gz.gpg

Presumably, the UpgradeToolSignature is used to verify the UpgradeTool.

So update-manager does two things:
* Gets a signature that verifies a file.
* Gets a file.
* Checks the signature verifies the file.

But because this is happening over http without ssl, the signature or the file or both can be replaced.

Kees Cook (kees) wrote:

Since it's the signature (not a key), this is only vulnerable to freeze/rewind attacks. i.e. Only matching file/signature pairs can be replaced on the wire. It's not possible to replace the contents arbitrarily.

description: updated
Changed in update-manager-core (Ubuntu):
importance: Undecided → Wishlist
status: New → Confirmed
visibility: private → public
affects: update-manager-core (Ubuntu) → update-manager (Ubuntu)
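The two concerns in this thread, plain-http fetching of the tool/signature pair from the reporter and the freeze/rewind point from Kees, can both be checked client-side before a downloaded upgrade tool is ever used. The following is an added example written for this page, not update-manager's own code: it parses a meta-release style file (the `Version` field and the lucid stanza are constructed additions; only `Dist`, `UpgradeTool` and `UpgradeToolSignature` appear in the report) and then flags any tool or signature URL that is not served over https and any offer whose version is older than the newest release this client has already accepted, which is the rewind case.

```python
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample in the meta-release format quoted in the bug report.
# Only Dist/UpgradeTool/UpgradeToolSignature are shown on the page; the
# Version field and the lucid stanza are assumptions made for this example.
SAMPLE_META_RELEASE = """\
Dist: lucid
Version: 10.04
UpgradeTool: http://archive.ubuntu.com/ubuntu/dists/lucid-updates/main/dist-upgrader-all/current/lucid.tar.gz
UpgradeToolSignature: http://archive.ubuntu.com/ubuntu/dists/lucid-updates/main/dist-upgrader-all/current/lucid.tar.gz.gpg

Dist: maverick
Version: 10.10
UpgradeTool: https://archive.ubuntu.com/ubuntu/dists/maverick-updates/main/dist-upgrader-all/current/maverick.tar.gz
UpgradeToolSignature: https://archive.ubuntu.com/ubuntu/dists/maverick-updates/main/dist-upgrader-all/current/maverick.tar.gz.gpg
"""


@dataclass
class Release:
    dist: str
    version: tuple          # e.g. (10, 10) for "10.10", so tuples compare naturally
    tool: str               # UpgradeTool URL
    signature: str          # UpgradeToolSignature URL


def parse_meta_release(text):
    """Split blank-line separated 'Key: value' stanzas into Release objects."""
    releases = []
    for stanza in text.strip().split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            if ":" not in line:
                continue
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        releases.append(Release(
            dist=fields["Dist"],
            version=tuple(int(p) for p in fields["Version"].split(".")),
            tool=fields["UpgradeTool"],
            signature=fields["UpgradeToolSignature"],
        ))
    return releases


def check_release(release, last_accepted_version):
    """Return the list of reasons to reject this offer (empty list == acceptable).

    last_accepted_version is the newest version this client has already
    accepted; anything older is a rewind, even if its signature is valid,
    because the attacker only needs to replay an old matching file/signature pair.
    """
    problems = []
    for label, url in (("UpgradeTool", release.tool),
                       ("UpgradeToolSignature", release.signature)):
        scheme = urlparse(url).scheme
        if scheme != "https":
            problems.append(f"{label} is fetched over {scheme}, not https")
    if release.version < last_accepted_version:
        problems.append(
            f"rewind: {release.dist} {release.version} is older than "
            f"already accepted {last_accepted_version}")
    return problems


if __name__ == "__main__":
    for rel in parse_meta_release(SAMPLE_META_RELEASE):
        print(rel.dist, check_release(rel, last_accepted_version=(10, 10)) or "ok")
```

The monotonic version check only closes the rewind half of what Kees describes; a freeze (the attacker serving the same valid pair forever) needs a freshness signal such as a signed date or expiry in the metadata, which the file quoted in the report does not carry.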