No authentication check if DPkg::Options::", "--force-confold" is set in apt conf
Bug #1466380 reported by Michael Vogt
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
unattended-upgrades (Ubuntu) | Fix Released | Critical | Unassigned | |
Precise | Fix Released | Undecided | Marc Deslauriers | |
Trusty | Fix Released | Undecided | Marc Deslauriers | |
Utopic | Fix Released | Undecided | Marc Deslauriers | |
Vivid | Fix Released | Undecided | Marc Deslauriers | |
Wily | Fix Released | Critical | Unassigned | |
Bug Description
While doing code inspection I noticed that under certain circumstances unattended-upgrades will not perform an authentication check for the package it downloads. The trust for packages is checked in line 1242 of the code, but that code only gets executed if dpkg_conffile_
Attached is a patch against master with a fix and a test. This needs to be coordinated with Debian and added to all our releases. I will prepare debdiffs.
CVE References
information type: | Private Security → Public Security |
tags: | added: patch |
This is CVE-2015-1330
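To check whether a host uses the setting named in the bug title, the following added example (not code from unattended-upgrades or from the attached patch) parses apt.conf-style text and reports whether `--force-confold` is among the `DPkg::Options` values. The function names and the sample configuration are constructed for illustration; it only identifies the triggering configuration, and whether the installed unattended-upgrades already carries the fix has to be checked separately.

```python
import re

# apt.conf tokens: quoted strings, comments (//, /* */, lines starting with #),
# punctuation, bare words. Simplification: "#include"-style lines are skipped.
TOKEN = re.compile(
    r'"(?:[^"\\]|\\.)*"|//[^\n]*|/\*.*?\*/|^#[^\n]*|[{};]|[^\s{};"]+',
    re.S | re.M)

def apt_settings(text):
    """Yield (key, value) pairs from apt.conf-style text; keys are lower-cased."""
    scope, pending = [], []
    for tok in TOKEN.findall(text):
        if tok.startswith(("//", "/*", "#")):
            continue                          # comment, not configuration
        if tok == "{":                        # "Name {" opens a nested scope
            scope.append(pending[-1] if pending else "")
            pending = []
        elif tok == "}":
            if scope:
                scope.pop()
            pending = []
        elif tok == ";":
            if len(pending) == 1 and pending[0].startswith('"'):
                name, value = "", pending[0]  # item of a { ... } list
            elif len(pending) == 2:
                name, value = pending         # Name "value"; or Name:: "value";
            else:
                pending = []
                continue
            parts = [p.strip(":") for p in scope + [name] if p]
            pending = []
            yield "::".join(parts).lower(), value.strip('"')
        else:
            pending.append(tok)

def dpkg_options(text):
    """All values configured under DPkg::Options (key match is case-insensitive)."""
    return [v for k, v in apt_settings(text) if k == "dpkg::options"]

def has_force_confold(text):
    """True when the option from the bug title is active in this configuration."""
    return "--force-confold" in dpkg_options(text)

# Constructed sample in the style of an /etc/apt/apt.conf.d/ snippet.
SAMPLE = '''
// constructed sample, not taken from a real host
APT::Periodic::Unattended-Upgrade "1";
Dpkg::Options {
   "--force-confdef";
   "--force-confold";   /* keep locally modified conffiles */
};
'''

if __name__ == "__main__":
    print(dpkg_options(SAMPLE), has_force_confold(SAMPLE))
```

On a real system the merged configuration printed by `apt-config dump` can be passed to `has_force_confold()` instead of the sample.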