Doesn't detect unauthenticated packages if the transaction hasn't been simulated before
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| aptdaemon (Ubuntu) | Fix Released | Critical | Michael Vogt | |
| Natty | Fix Released | Critical | Marc Deslauriers | |
| Oneiric | Fix Released | Critical | Marc Deslauriers | |
| Precise | Fix Released | Critical | Michael Vogt | |
Bug Description
Aptdaemon allows installing unauthenticated packages using software-center or update-manager.
The versions of aptdaemon in Natty, Oneiric and Precise are affected. Dear security team, could you please apply the attached securtiy_
The version in Precise will be fixed by a new upstream snapshot release and will also include the fixed deferred simulation patch.
Background: Aptdaemon only checks for unauthenticated packages during the simulation of a transaction. Normally aptdaemon should simulate every transaction before it is queued, even if the client hasn't explicitly called the Simulate method of the transaction before (e.g. update-manager and software-center don't simulate the transactions). But there is an error in aptdaemon.
Two steps are required to resolve this issue:
(1) Perform a re-check of unauthenticated packages directly before applying the changes
(2) Fix the automatic simulation of transactions [But this part could be skipped for a security fix release]
Thanks a lot to Michael Vogt for detecting and providing a fix for this issue.
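As an added illustration (not aptdaemon's own code; the `Transaction`, `Package` and `outcome` names are hypothetical), a toy transaction model in Python showing why a commit that was never simulated bypassed the authentication check, and how re-checking directly before applying the changes, step (1) above, closes the gap regardless of what the client did:

```python
from dataclasses import dataclass

@dataclass
class Package:
    name: str
    trusted: bool  # True only if the package's repository signature verified

class UnauthenticatedPackagesError(Exception):
    pass

class Transaction:
    """Toy model of an aptdaemon-style transaction (hypothetical, not aptdaemon's own class)."""

    def __init__(self, packages, recheck_before_commit):
        self.packages = list(packages)
        # True models step (1) of the fix: re-check right before applying the changes.
        self.recheck_before_commit = recheck_before_commit
        self.unauthenticated = []  # only ever filled in by simulate()
        self.allow_unauthenticated = False

    def simulate(self):
        """Dry run: record which packages lack a trusted signature."""
        self.unauthenticated = [p.name for p in self.packages if not p.trusted]
        return self.unauthenticated

    def commit(self):
        """Apply the transaction: return the installed names, or raise."""
        if self.recheck_before_commit:
            self.simulate()  # fixed path: never rely on a stale or absent simulation
        # Buggy path: if nobody called simulate(), self.unauthenticated is still
        # empty and the unauthenticated packages slip through this check.
        if self.unauthenticated and not self.allow_unauthenticated:
            raise UnauthenticatedPackagesError(self.unauthenticated)
        return [p.name for p in self.packages]

def outcome(packages, recheck_before_commit, client_simulates):
    """Run one transaction and report 'installed' or 'rejected'."""
    tx = Transaction(packages, recheck_before_commit)
    if client_simulates:
        tx.simulate()  # what a client that calls Simulate explicitly does
    try:
        tx.commit()
    except UnauthenticatedPackagesError:
        return "rejected"
    return "installed"

# Constructed sample: one signed package and one with no verifiable signature.
SAMPLE = [Package("libfoo", trusted=True), Package("unsigned-tool", trusted=False)]
```

With `recheck_before_commit=False` the result depends entirely on whether the client happened to call `simulate()` first, which is the behaviour this bug describes for update-manager and software-center.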
| Changed in | Field | Change |
|---|---|---|
| aptdaemon (Ubuntu) | status | New → In Progress |
| aptdaemon (Ubuntu Natty) | status | New → Confirmed |
| aptdaemon (Ubuntu Oneiric) | status | New → Confirmed |
| aptdaemon (Ubuntu Natty) | importance | Undecided → Critical |
| aptdaemon (Ubuntu Oneiric) | importance | Undecided → Critical |
| aptdaemon (Ubuntu Natty) | assignee | nobody → Marc Deslauriers (mdeslaur) |
| aptdaemon (Ubuntu Oneiric) | assignee | nobody → Marc Deslauriers (mdeslaur) |
| aptdaemon (Ubuntu Precise) | assignee | nobody → Michael Vogt (mvo) |
| | visibility | private → public |

Fix simulating before applying