Information disclosure in org.debian.apt.UpdateCachePartially

Bug #722228 reported by Sergey Nizovtsev on 2011-02-20
268
This bug affects 1 person
Affects Status Importance Assigned to Milestone
aptdaemon (Ubuntu)
Medium
monty
Maverick
Medium
Marc Deslauriers
Natty
Medium
Michael Vogt

Bug Description

Binary package hint: aptdaemon

Starting from Ubuntu 10.10 aptdaemon shipped with Ubuntu allows normal users to update APT cache without password prompt (because they granted PolicyKit's org.debian.apt.update-cache action by default). UpdateCachePartially method doesn't check "sources_list" argument properly and it's possible to use it for viewing any file in the system. See proof-of-concept python script for details.

How to test: login into normal ubuntu user, and run "python apt-hole /etc/shadow" (for example) to see /etc/shadow content.

ProblemType: Bug
DistroRelease: Ubuntu 11.04
Package: python-aptdaemon 0.40+bzr541-0ubuntu2
ProcVersionSignature: Ubuntu 2.6.38-4.31-generic 2.6.38-rc5
Uname: Linux 2.6.38-4-generic x86_64
Architecture: amd64
Date: Sun Feb 20 20:00:09 2011
InstallationMedia: Ubuntu 10.04 "Lucid Lynx" - Beta amd64 (20100406.1)
PackageArchitecture: all
ProcEnviron:
 LANGUAGE=ru:en
 PATH=(custom, user)
 LANG=ru_RU.UTF-8
 LC_MESSAGES=ru_RU.UTF-8
 SHELL=/bin/bash
SourcePackage: aptdaemon

Sergey Nizovtsev (snizovtsev) wrote :
Marc Deslauriers (mdeslaur) wrote :

Thanks for reporting this. I can confirm this flaw on Maverick.

Changed in aptdaemon (Ubuntu):
status: New → Confirmed
importance: Undecided → Medium
Changed in aptdaemon (Ubuntu Maverick):
status: New → Confirmed
importance: Undecided → Medium
Changed in aptdaemon (Ubuntu Maverick):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in aptdaemon (Ubuntu Natty):
assignee: nobody → Michael Vogt (mvo)
Michael Vogt (mvo) on 2011-02-21
Changed in aptdaemon (Ubuntu Maverick):
status: Confirmed → In Progress
Changed in aptdaemon (Ubuntu Natty):
status: Confirmed → In Progress
Michael Vogt (mvo) wrote :

Thanks a lot for this bugreport. Attached is a fix that should procted from this bug without breaking
anything in maverick. I tested it against the software-center and did not notice any regressions.

Marc Deslauriers (mdeslaur) wrote :

We are currently preparing security updates for this issue.

Please do not release a fix, make public revision control commits, comment in public bug reports or otherwise disclose information about this issue until the security updates have been published.

Thanks.

Marc Deslauriers (mdeslaur) wrote :

@Sergey: we usually credit the person who discovered security issues in our Ubuntu Security Notice. If youdo not want to be credited, please say so before we publish. Thanks.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package aptdaemon - 0.31+bzr506-0ubuntu6.1

---------------
aptdaemon (0.31+bzr506-0ubuntu6.1) maverick-security; urgency=low

  * SECURITY UPDATE: Unprivileged arbitrary file disclosure (LP: #722228)
    - debian/patches/11_fix_lp722228.patch: only allow alternative
      sources.list files inside the sources.list.d directory in
      aptdaemon/worker.py. Add test to aptdaemon/test/test_lp722228.py.
    - CVE-2011-0725
  * This update does NOT include the changes from 0.31+bzr506-0ubuntu6 that
    was in -proposed.
 -- Marc Deslauriers <email address hidden> Tue, 22 Feb 2011 08:06:34 -0500

Changed in aptdaemon (Ubuntu Maverick):
status: In Progress → Fix Released
visibility: private → public
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package aptdaemon - 0.41+bzr586-0ubuntu1

---------------
aptdaemon (0.41+bzr586-0ubuntu1) natty; urgency=low

  * new bzr snapshot that contains a security fix for
    LP: #722228
  * support for set-candidate-release added
  * debian/control:
    - remove python-{unittest2,mock} from the build-depends
    - build for python >= 2.7
  * disable testsuite during build time until the MIR for
    python-{unittest2,mock} are done
 -- Michael Vogt <email address hidden> Tue, 22 Feb 2011 16:18:34 +0100

Changed in aptdaemon (Ubuntu Natty):
status: In Progress → Fix Released
akram (awartany) wrote :

<email address hidden>

Changed in aptdaemon (Ubuntu):
assignee: Michael Vogt (mvo) → akram (awartany)
Changed in aptdaemon (Ubuntu):
assignee: akram (awartany) → Michael Vogt (mvo)
kent (kentc34) on 2012-09-07
Changed in aptdaemon (Ubuntu):
assignee: Michael Vogt (mvo) → kent (kentc34)
monty (mantukumar359) on 2015-07-03
Changed in aptdaemon (Ubuntu):
assignee: kent (kentc34) → monty (mantukumar359)
chuangwen (drxiaowen) on 2016-06-27
description: updated
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers