Information disclosure in org.debian.apt.UpdateCachePartially
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
aptdaemon (Ubuntu) | Fix Released | Medium | Michael Vogt |
Maverick | Fix Released | Medium | Marc Deslauriers |
Natty | Fix Released | Medium | Michael Vogt |
Bug Description
Binary package hint: aptdaemon
Starting from Ubuntu 10.10, the aptdaemon shipped with Ubuntu allows normal users to update the APT cache without a password prompt (because they granted PolicyKit's org.debian.
How to test: log in as a normal Ubuntu user and run "python apt-hole /etc/shadow" (for example) to see the /etc/shadow content.
ProblemType: Bug
DistroRelease: Ubuntu 11.04
Package: python-aptdaemon 0.40+bzr541-
ProcVersionSign
Uname: Linux 2.6.38-4-generic x86_64
Architecture: amd64
Date: Sun Feb 20 20:00:09 2011
InstallationMedia: Ubuntu 10.04 "Lucid Lynx" - Beta amd64 (20100406.1)
PackageArchitec
ProcEnviron:
LANGUAGE=ru:en
PATH=(custom, user)
LANG=ru_RU.UTF-8
LC_MESSAGES=
SHELL=/bin/bash
SourcePackage: aptdaemon
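A root service that opens a file named by an unprivileged caller has to confine that name before reading it. The following is an added example, not code from this bug report or from aptdaemon: it assumes the method receives a sources.list file name from the client (as the test command above suggests) and that only `.list` files under `/etc/apt/sources.list.d` should be accepted; `resolve_sources_list`, `UntrustedPathError` and `demo` are hypothetical names.

```python
import os
import tempfile

# Assumed location; apt's configured value is Dir::Etc::sourceparts.
SOURCES_PARTS_DIR = "/etc/apt/sources.list.d"


class UntrustedPathError(ValueError):
    """Raised when a caller-supplied name leaves the allowed directory."""


def resolve_sources_list(name, parts_dir=SOURCES_PARTS_DIR):
    """Map a caller-supplied sources.list name to a confined absolute path.

    Hypothetical helper: a privileged service would call this on the
    argument received from the client before opening anything.
    """
    if not name or "\x00" in name:
        raise UntrustedPathError("empty or malformed name")
    if not name.endswith(".list"):
        raise UntrustedPathError("not a .list file: %r" % name)
    base = os.path.realpath(parts_dir)
    # join() lets an absolute name replace base entirely, and realpath()
    # follows symlinks and "..", so every escape route ends up in
    # `candidate` and is caught by the containment check below.
    candidate = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, candidate]) != base:
        raise UntrustedPathError("outside %s: %r" % (base, name))
    return candidate


def demo():
    """Run the check over constructed inputs in a throwaway directory."""
    results = {}
    with tempfile.TemporaryDirectory() as parts:
        open(os.path.join(parts, "ppa.list"), "w").close()
        # Constructed symlink with an allowed name that points elsewhere.
        os.symlink("/etc/shadow", os.path.join(parts, "link.list"))
        for name in ("ppa.list", "/etc/shadow", "/etc/shadow.list",
                     "../x.list", "link.list"):
            try:
                resolve_sources_list(name, parts)
                results[name] = "accepted"
            except UntrustedPathError:
                results[name] = "rejected"
    return results
```

The check should run in the privileged process itself, on the value it is about to open, since anything validated on the client side can be bypassed by talking to the bus directly.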
CVE References
Changed in aptdaemon (Ubuntu Maverick):
status: New → Confirmed
importance: Undecided → Medium
Changed in aptdaemon (Ubuntu Maverick):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in aptdaemon (Ubuntu Natty):
assignee: nobody → Michael Vogt (mvo)
Changed in aptdaemon (Ubuntu Maverick):
status: Confirmed → In Progress
Changed in aptdaemon (Ubuntu Natty):
status: Confirmed → In Progress
visibility: private → public
Changed in aptdaemon (Ubuntu):
assignee: akram (awartany) → Michael Vogt (mvo)
Changed in aptdaemon (Ubuntu):
assignee: Michael Vogt (mvo) → kent (kentc34)
Changed in aptdaemon (Ubuntu):
assignee: kent (kentc34) → monty (mantukumar359)
description: updated
Changed in aptdaemon (Ubuntu):
assignee: monty (mantukumar359) → jeffrey Ortiz (jerfdog361)
information type: Public Security → Private Security
information type: Private Security → Public Security
Changed in aptdaemon (Ubuntu):
assignee: jeffrey Ortiz (jerfdog361) → Michael Vogt (mvo)
Thanks for reporting this. I can confirm this flaw on Maverick.