Ubuntu
aptitude package

corrupted /var/lib/apt/lists

Bug #781132 reported by gpk
14
This bug affects 2 people
Affects Status Importance Assigned to Milestone
aptitude (Ubuntu)
New
Undecided
Unassigned

Bug Description

Binary package hint: aptitude

I was connected to a hotel WiFi system that requires you to register on a web page to get access. My access had expired, and I ran "aptitude update" and aptitude happily sucked in the hotel's page that explains how to register for access, instead of the desired page describing packages. This page ended up in /var/lib/apt/lists/security.ubuntu.com_ubuntu_dists_natty-security_main_i18n_Translation-en and other places.

As a result, you get error messages, but it seems likely this could enable attacks on the system, if the web page were designed to be evil, instead of a WiFi registration page.

Here's a sample error from aptitude search:
E: Encountered a section with no Package: header
E: Problem with MergeList /var/lib/apt/lists/security.ubuntu.com_ubuntu_dists_natty-security_main_binary-amd64_Packages
E: The package lists or status file could not be parsed or opened.

I attach one of the corrupted files (...security.ubuntu.com_ubuntu_dists_natty-security_main_binary-amd64_Packages).

$ lsb_release -rd
Description: Ubuntu 11.04
Release: 11.04
gpk@nglap:~/notconnected$

$ apt-cache policy aptitude
E: Encountered a section with no Package: header
E: Problem with MergeList /var/lib/apt/lists/security.ubuntu.com_ubuntu_dists_natty-security_main_i18n_Translation-en
E: The package lists or status file could not be parsed or opened.
gpk@nglap:~/notconnected$

The system was up to date as of 7 May 2011.

Revision history for this message
gpk (gpk-kochanski) wrote :
Jamie Strandboge (jdstrand)
visibility: private → public
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thank you for using Ubuntu and reporting a bug. Based on the information you have provided, aptitude is correctly erroring out on the 'malformed' files, and should not be executing any code as a result. It is theoretically possible for a malicious server to improper files, but the signatures would not match. It might be possible to replay valid old files to prevent you from updating, but this is rather convoluted, is an old issue and fixed in Ubuntu (bug #247445). Replay attacks against security mirrors are also discussed here:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=499897

Changed in aptitude (Ubuntu):
status: New → Invalid
Revision history for this message
gpk (gpk-kochanski) wrote :

OK, so it's perhaps not a security problem, but it sure is a problem!

From anyone but an expert's point of view, if that happens, your Ubuntu system appears to be broken. One cannot install new software or get updates. Worrying error messages will appear.

Proper system behaviour would be to:
(a) detect malformed files before the old files are trashed.
(b) do not throw away the old files until the new ones are confirmed,
(c) Produce an intelligible error message, something on the order of
       "Your attempt to update Ubuntu failed because the updates are corrupted.
         Please check your network connection, check the server, and try again."

Changed in aptitude (Ubuntu):
status: Invalid → New
Jamie Strandboge (jdstrand)
security vulnerability: yes → no
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.