Synaptic messes sources.list and sources.list.d

Bug #879943 reported by Sergio Callegari
This bug affects 3 people
Affects: software-properties (Ubuntu)
Status: Fix Released
Importance: Medium
Assigned to: Unassigned
Milestone:

Bug Description

Consider the following situation

1) I carefully edit by hand the /etc/sources.list file or the files in /etc/sources.list.d
(this is something I do to have them aligned between different machines. In fact it is not a real edit, but a copy from another machine)

2) Try the lists with apt-get update. Everything is fine.

3) Start synaptic. Go to the settings window to edit the repos. Go to the other software tab.

4) Do any possible little action. For instance, activate and deactivate the source repo for Ubuntu partners. Ensure that your action has nothing to do with the changes you made in 1).

5) See how synaptic has horribly restored the repo list as it was before your hand edit.

6) Exit synaptic and go to the /etc/apt dir. Verify how everything has gone back exactly as it was before your hand edit. Repos that you erased are there again. Repos you edited have their changes reverted.

IMHO this is not just wrong, but also very dangerous.
Suppose that I had added a repo from a third party source.
Suppose that I then find out that this repo is dangerous, for instance because it replaces some package with a bugged package or with a package with a back door.
Suppose that I consciously restore the package to the original version and I hand-erase the crappy repo from my list of repos by removing the corresponding file from the /etc/apt/sources.list.d dir.
Now I feel safe. However, any time I use synaptic I risk having that repo back.

To me this is a security vulnerability. Anyone can convince me to add a test repo to see what is in it. At the time I test it, that repo can be perfectly fine. I test, I remove the repo, I feel safe, the repo gets automatically added back by synaptic, the repo owner adds a package that looks like an update to a package that I have on my system, and without even realizing it I can have my system infected by a malicious package.

ProblemType: Bug
DistroRelease: Ubuntu 11.10
Package: synaptic 0.75.2ubuntu8
ProcVersionSignature: Ubuntu 3.0.0-12.20-generic 3.0.4
Uname: Linux 3.0.0-12-generic x86_64
ApportVersion: 1.23-0ubuntu3
Architecture: amd64
Date: Sat Oct 22 16:45:31 2011
InstallationMedia: Kubuntu 9.10 "Karmic Koala" - Release amd64 (20091027)
SourcePackage: synaptic
UpgradeStatus: Upgraded to oneiric on 2011-10-16 (6 days ago)

Sergio Callegari (callegar) wrote :
Robert Roth (evfool)
affects: synaptic (Ubuntu) → software-properties (Ubuntu)
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in software-properties (Ubuntu):
status: New → Confirmed
Sam Segers (sam-sgrs) wrote :

software-properties-gtk launches a dbus service, /usr/lib/software-properties/software-properties-dbus.
This service loads the sources into memory, edits them from there and saves them on a change.
The service keeps running after closing the software properties.
If you change things in /etc/apt/source.list or /etc/apt/source.list.d, these get overwritten by the values loaded when software-properties-gtk was first launched, plus the changes you make there.
If you, for instance, remove a source from source.list.d, software-properties-gtk indicates this correctly as deleted. But if you edit something, the file magically reappears from the dbus service.

Sergio Callegari (callegar) wrote :

Thanks for the information!

I am a bit surprised by this approach, which looks weird to me. It's a service basically deciding it "owns" the content of some files without telling anyone.

In fact, I've always believed that the configuration is in text files and not in some private database format precisely to let it be modified by file editing. Furthermore, there are tons of sites, including official distribution ones, that instruct one to actively edit those text files to achieve some goal or to solve some problem, and this is simply broken by the approach taken by the software-properties service.

Shouldn't the service at least place a watch on the files to reread them and update its vision of the configuration when the files are edited?

Incidentally, where can I find info on this service, the interfaces it exposes and how to stop it from running?

Sam Segers (sam-sgrs) wrote :

I don't get the approach either. It's nice because it splits GUI and back-end. The dbus service is in software-properties-common:

$ apt-cache rdepends software-properties-common
+software-properties-common
Reverse Depends:
  ubuntu-desktop-next
  phablet-tools-citrain
  ubuntu-touch
  phablet-tools-citrain
  cloud-init
  ubuntu-touch
  ubuntu-desktop-next
  software-properties-kde
  phablet-tools-citrain
  software-properties-gtk
  cloud-init

It seems not that many packages use the service. (ofc software-properties-kde does)

I also think there should be a watcher or a check. Or at the very least let the GUI represent the same sources as the back-end.

Mathew Hodson (mhodson)
Changed in software-properties (Ubuntu):
importance: Undecided → Medium
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package software-properties - 0.96.16

---------------
software-properties (0.96.16) xenial; urgency=medium

  * Reload sources when starting the GTK backend; since changes made by the
    user might otherwise be mangled as the DBus backend keeps running after
    the GUI is terminated. Patch from Sam Segers. (LP: #879943)

 -- Mathieu Trudel-Lapierre <email address hidden> Mon, 23 Nov 2015 16:17:45 -0500

Changed in software-properties (Ubuntu):
status: Confirmed → Fix Released
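The mechanism Sam Segers describes (a long-lived backend that caches the sources in memory and writes the whole cache back on any change) and the fix in the changelog (re-read the sources before the GUI works with them) can be modelled in a few dozen lines. The following is an added example written for this thread, not software-properties' own code. It uses a temporary directory standing in for /etc/apt, constructed deb lines pointing at placeholder hosts, and hypothetical names (SourcesBackend, reload_if_changed, set_enabled, removed_repo_comes_back). Without the guard, an unrelated edit in the GUI recreates the sources.list.d file the admin deleted by hand; with the guard, a content fingerprint detects the out-of-band change and the cache is reloaded before writing, which is the same check a reload-at-start or a file watcher would provide.

```python
"""Why a long-lived sources backend resurrects a hand-removed repo, and one guard.

Added example, not software-properties' own code: a temporary directory stands
in for /etc/apt, the deb lines are constructed, and the class and function
names are hypothetical.
"""
import hashlib
import tempfile
from pathlib import Path

# Constructed sample entries; the hosts are placeholders, not real archives.
DISTRO = "deb http://archive.example/ubuntu oneiric main"
THIRD_PARTY = "deb http://repo.example/ubuntu oneiric main"
PARTNER = "deb http://partner.example/ubuntu oneiric partner"


class SourcesBackend:
    """Hypothetical stand-in for a D-Bus service that keeps the sources in RAM."""

    def __init__(self, apt_dir: Path, guard: bool) -> None:
        self.apt_dir = apt_dir
        self.guard = guard            # re-read disk before every write?
        self.sources: dict[str, list[str]] = {}
        self._fingerprint = ""
        self._load()

    def _files(self) -> list[Path]:
        files = [self.apt_dir / "sources.list"]
        files += sorted((self.apt_dir / "sources.list.d").glob("*.list"))
        return [f for f in files if f.is_file()]

    def _snapshot(self) -> str:
        # Hash of every file name and body; a deleted or edited file changes it.
        digest = hashlib.sha256()
        for f in self._files():
            digest.update(f.name.encode())
            digest.update(f.read_bytes())
        return digest.hexdigest()

    def _load(self) -> None:
        self.sources = {f.name: f.read_text().splitlines() for f in self._files()}
        self._fingerprint = self._snapshot()

    def _path(self, name: str) -> Path:
        if name == "sources.list":
            return self.apt_dir / "sources.list"
        return self.apt_dir / "sources.list.d" / name

    def _save(self) -> None:
        # Writes back *everything* held in memory; this is what resurrects deleted files.
        for name, lines in self.sources.items():
            self._path(name).write_text("\n".join(lines) + "\n")
        self._fingerprint = self._snapshot()

    def reload_if_changed(self) -> bool:
        """Drop the cached copy and re-read disk if the files were edited out of band."""
        if self._snapshot() == self._fingerprint:
            return False
        self._load()
        return True

    def set_enabled(self, name: str, deb_line: str, enabled: bool) -> None:
        """Enable or comment out one deb line, i.e. the GUI's 'tick the partner repo' action."""
        if self.guard:
            self.reload_if_changed()
        lines = self.sources.setdefault(name, [])
        disabled = "# " + deb_line
        for i, line in enumerate(lines):
            if line in (deb_line, disabled):
                lines[i] = deb_line if enabled else disabled
                break
        else:
            lines.append(deb_line if enabled else disabled)
        self._save()


def removed_repo_comes_back(guard: bool) -> bool:
    """Replay the steps from the bug description; True means the hand-deleted repo is back on disk."""
    with tempfile.TemporaryDirectory() as tmp:
        apt = Path(tmp)
        (apt / "sources.list.d").mkdir()
        (apt / "sources.list").write_text(DISTRO + "\n")
        third = apt / "sources.list.d" / "third-party.list"
        third.write_text(THIRD_PARTY + "\n")

        backend = SourcesBackend(apt, guard)     # service starts and caches both files
        third.unlink()                           # admin removes the repo by hand
        backend.set_enabled("sources.list", PARTNER, True)  # unrelated change in the GUI
        return third.exists()


if __name__ == "__main__":
    print("no guard  :", removed_repo_comes_back(guard=False))  # True, repo resurrected
    print("with guard:", removed_repo_comes_back(guard=True))   # False
```

The fingerprint covers file names as well as contents, so a file removed from sources.list.d changes it just as an edited line does; checking it at the start of each GUI session, or in an inotify-driven watcher as suggested above, would catch the same out-of-band edits.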