Captive WiFi portals corrupt package lists

Bug #1034834 reported by TJ
This bug affects 6 people
Affects: apt (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned
Milestone: none
Nominated for Precise by TJ

Bug Description

I've dealt with several users reporting apt is broken. The cause is corrupted package lists in /var/lib/apt/lists/ caused by captive portals on WiFi networks that are returning HTTP 200 responses but with the content being the captive portal's login page.

apt doesn't realise the content is invalid - it doesn't check the signature - before writing it to the system.

This affects Precise users with apt 0.8.16.

It shouldn't affect Quantal's 0.9.7 since that apparently checks the gpg signatures.

Revision history for this message
Paul F (boxjunk) wrote :

Still present in 12.04 LTS, Precise running apt 0.8.16

In my case the corrupted package list files in /var/lib/apt/lists are caused by the router redirecting to an internal help page when it realises that its internet connection is down. So, when a fetch is attempted from, say, gb.archive.ubuntu.com/ubuntu/dists/precise-updates/universe/binary-i386/Packages when checking for updates, what comes back is the HTML source from the router's help page (example attached -- line 52 contains the requested URL).

It would appear that no sanity check is done on the returned data, leaving subsequent parse attempts to choke. The corrupted files remain and may propagate (???), causing other update failures.

On a security note, it occurs to me that an attacker in control of the router could return crafted files in place of apt's package lists to introduce malware as part of the normal automated update process. I trust checks are in place to prevent this???
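
The check that both the bug description and the comment above are asking for is the one apt performs when it verifies index files against the repository's signed Release file: each index is listed there with its size and SHA256 digest, so a captive-portal login page (or anything a hostile router substitutes) fails the comparison and is never written under /var/lib/apt/lists/. The example below is added here to illustrate that check; it is not apt's own code. It assumes the Release text has already been verified against its detached GPG signature (Release.gpg / InRelease), which is outside the example, and it uses constructed sample content: a toy Packages index, a toy router help page and a Release file built from the toy index, with a plain dict standing in for the lists directory.

```python
"""Verify a downloaded apt index against the SHA256 entries of a
(already GPG-verified) Release file before letting it replace the
previous index.  Added illustration; sample data is constructed."""
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, Tuple

# Constructed sample index (not real archive content).
GOOD_PACKAGES = b"""Package: hello
Version: 2.8-1
Architecture: i386
Filename: pool/main/h/hello/hello_2.8-1_i386.deb
Size: 26436
SHA256: 0000000000000000000000000000000000000000000000000000000000000000

"""

# Constructed stand-in for what a router help page returns with HTTP 200.
CAPTIVE_PORTAL_HTML = b"""<!DOCTYPE html>
<html><head><title>Router - Internet connection down</title></head>
<body><p>Requested: http://gb.archive.ubuntu.com/ubuntu/dists/precise-updates/universe/binary-i386/Packages</p>
</body></html>
"""

INDEX_PATH = "universe/binary-i386/Packages"


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Minimal Release file in the real apt layout: a "SHA256:" field whose
# indented entries are "<hex> <size> <path>".  Built from GOOD_PACKAGES
# so the digest is consistent; in the field this text comes signed from
# the archive and must be GPG-verified before use (assumed done here).
SAMPLE_RELEASE = (
    "Origin: Ubuntu\n"
    "Suite: precise-updates\n"
    "Codename: precise\n"
    "Architectures: i386\n"
    "Components: main universe\n"
    "SHA256:\n"
    f" {_sha256(GOOD_PACKAGES)} {len(GOOD_PACKAGES):>16} {INDEX_PATH}\n"
)


@dataclass(frozen=True)
class Expected:
    sha256: str
    size: int


class IndexRejected(Exception):
    """Downloaded index does not match the signed Release file."""


def parse_release_sha256(release_text: str) -> Dict[str, Expected]:
    """Return {path: Expected} from the SHA256: section of a Release file."""
    table: Dict[str, Expected] = {}
    in_section = False
    for line in release_text.splitlines():
        if not line.startswith(" "):
            # An unindented line starts a new field; only SHA256: matters.
            in_section = line.rstrip() == "SHA256:"
            continue
        if in_section:
            parts = line.split()
            if len(parts) != 3:
                raise ValueError(f"malformed SHA256 entry: {line!r}")
            hexdigest, size, path = parts
            if not re.fullmatch(r"[0-9a-f]{64}", hexdigest):
                raise ValueError(f"bad digest for {path}")
            table[path] = Expected(hexdigest, int(size))
    return table


def looks_like_html(data: bytes) -> bool:
    """Cheap tripwire: a package index never starts with markup."""
    head = data.lstrip()[:64].lower()
    return head.startswith(b"<!doctype") or head.startswith(b"<html")


def verify_index(path: str, data: bytes, release_text: str) -> bool:
    """True if data matches the Release entry for path, else IndexRejected."""
    expected = parse_release_sha256(release_text).get(path)
    if expected is None:
        raise IndexRejected(f"{path} is not listed in Release")
    if looks_like_html(data):
        raise IndexRejected(f"{path}: response is HTML, probably a captive portal")
    if len(data) != expected.size:
        raise IndexRejected(f"{path}: size {len(data)} != {expected.size}")
    if _sha256(data) != expected.sha256:
        raise IndexRejected(f"{path}: SHA256 mismatch")
    return True


def safe_install(path: str, data: bytes, release_text: str,
                 lists: Dict[str, bytes]) -> Tuple[bool, str]:
    """Write into the lists dir (a dict here) only after verification;
    on failure keep the previous index untouched, as apt 0.9.7 does."""
    try:
        verify_index(path, data, release_text)
    except IndexRejected as exc:
        return False, str(exc)
    lists[path] = data
    return True, "ok"


if __name__ == "__main__":
    lists: Dict[str, bytes] = {}
    print(safe_install(INDEX_PATH, CAPTIVE_PORTAL_HTML, SAMPLE_RELEASE, lists))
    print(safe_install(INDEX_PATH, GOOD_PACKAGES, SAMPLE_RELEASE, lists))
```

The HTML tripwire only gives a friendlier diagnostic; the size and digest comparison against the signed Release is what actually protects against both the broken-router case and the hostile-router case raised above, and it is also why an unverified write into the lists directory (the 0.8.16 behaviour described in this bug) is the real defect.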

Revision history for this message
Paul F (boxjunk) wrote :

See also Bug #1055614

Revision history for this message
Paul F (boxjunk) wrote :

See also Bug #1034834

Revision history for this message
Ben Nuttall (bennuttall) wrote :

This bug affects me on Quantal, running apt 0.9.7.5ubuntu5.1

When I connect to a LAN (not connected to the Internet), I get a stop sign icon in my indicator area. Once reconnected to the Internet I get a similar error when running apt-get update:

Reading package lists... Error!
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://extras.ubuntu.com quantal Release: The following signatures were invalid: BADSIG 16126D3A3E5C1192 Ubuntu Extras Archive Automatic Signing Key <email address hidden>

[...]

E: Encountered a section with no Package: header
E: Problem with MergeList /var/lib/apt/lists/gb.archive.ubuntu.com_ubuntu_dists_quantal_main_i18n_Translation-en
E: The package lists or status file could not be parsed or opened.

As a resolution for this, I have to empty /var/lib/apt/lists/ and run apt-get update, upgrade and update again.
