python implementation of apt-clone should remove usernames and passwords

Bug #1029021 reported by Brian Murray
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
apt-clone (Ubuntu)
Medium
Unassigned
Precise
High
Brian Murray

Bug Description

As discovered in CVE-2012-0949 and CVE-2012-0950 update-manager was attaching usernames and passwords for apt sources entries in the system state information. update-manager utilizes the python implementation of apt-clone to add information about the system state. The save state function of AptClone should have an option to remove usernames and passwords so that update-manager can include this essential information again.

[Impact]
It can be challenging to debug distribution upgrade bug reports without information regarding apt's state on the system trying to be upgraded. apt-clone can provide useful information to facilitate debugging these bugs so we should include it. While this is fixed in Quantal already we want to be able to help people upgrading to Quantal so should include this fix in Precise.

[Test Case]
1) Create a file /etc/apt/sources.list.d/my-ppa.list with a line like so:
'deb http://bdmurray:<email address hidden>/bdmurray/hda/ubuntu precise main'
2) execute save-state.py attached to this bug report
3
) You'll have two files in /tmp/ unscrubbed-apt-clone_system_state.tar.gz and scrubbed-apt-clone_system_state.tar.gz
With the version of apt-clone in precise the contents of both tar.gz's will be the same and you'll see your username and password in them.
With the version of apt-clone from precise-proposed the content of tar.gz's will be different and in the scrubbed-apt-clone you will not see the username and password instead they will be replaced with USERNAME:PASSWORD.

[Regression Potential]
None with apt-clone itself as scrub_sources defaults to False. The possibility for a regression exists with the update to update-manager.

Revision history for this message
Brian Murray (brian-murray) wrote :

This is the python script that utilizes apt clone and creates system state files in /tmp for testing the SRU.

Changed in apt-clone (Ubuntu):
status: New → Fix Released
importance: Undecided → Medium
Revision history for this message
Brian Murray (brian-murray) wrote :

This was already fixed in Quantal:

apt-clone (0.2.3~ubuntu2) quantal; urgency=low

  * apt_clone.py:
    - if specified remove usernames and passwords from sources files

 -- Brian Murray <email address hidden> Mon, 02 Jul 2012 13:54:34 -0700

Changed in apt-clone (Ubuntu Precise):
status: New → In Progress
importance: Undecided → High
assignee: nobody → Brian Murray (brian-murray)
Revision history for this message
Scott Kitterman (kitterman) wrote : Please test proposed package

Hello Brian, or anyone else affected,

Accepted into precise-proposed. The package will build now and be available in a few hours in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please change the bug tag from verification-needed to verification-done. If it does not, change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in apt-clone (Ubuntu Precise):
status: In Progress → Fix Committed
tags: added: verification-needed
Revision history for this message
Jean-Baptiste Lallement (jibel) wrote :

SRU verification for Precise:
I have reproduced the problem with apt-clone 0.2.2 in precise but the verification of apt-clone 0.2.2ubuntu2 in -proposed failed to fix the issue.

The resulting clone file still contains username and password in the source entry.

the provided script 'save-state.py' also fail with the version of apt-clone in precise-release. Instead I ran:
$ sudo apt-clone clone DESTINATION_DIR
unpacked the clone and verified the content of the sources files, which were identical.

Marking as verification-failed

tags: added: verification-failed
removed: verification-needed
Revision history for this message
Jean-Baptiste Lallement (jibel) wrote :

Note that I also used save_state.py with the version of apt-clone from -proposed and the files scrubbed and unscrubbed are identical

Revision history for this message
Jean-Baptiste Lallement (jibel) wrote :

Nevermind, the ppa entry I created was not a valid source entry. I corrected it and now the scrubbed file contains the expected USERNAME:PASSWORD instead of the real username and password, and the unscrubbed file contains the original username and password.

Marking as verification-done.

tags: added: verification-done
removed: verification-failed
Revision history for this message
Steve Langasek (vorlon) wrote : Update Released

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regresssions.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apt-clone - 0.2.2ubuntu2

---------------
apt-clone (0.2.2ubuntu2) precise-proposed; urgency=low

  * apt_clone.py: fix with syntax to work with python2.6

apt-clone (0.2.2ubuntu1) precise-proposed; urgency=low

  * apt_clone.py:
    - if specified remove usernames and passwords from sources files
      (LP: #1029021)
 -- Brian Murray <email address hidden> Thu, 09 Aug 2012 13:10:17 -0700

Changed in apt-clone (Ubuntu Precise):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Bug attachments