Doesn't detect unauthenticated packages if the transaction hasn't been simulated before
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
aptdaemon (Ubuntu) | Fix Released | Critical | Michael Vogt |
Natty | Fix Released | Critical | Marc Deslauriers |
Oneiric | Fix Released | Critical | Marc Deslauriers |
Precise | Fix Released | Critical | Michael Vogt |
Bug Description
Aptdaemon allows installing unauthenticated packages using software-center or update-manager.
The versions of aptdaemon in Natty, Oneiric and Precise are affected. Dear security team, could you please apply the attached securtiy_
The version in Precise will be fixed by a new upstream snapshot release and will also include the fixed deferred simulation patch.
Background: Aptdaemon only checks for unauthenticated packages during the simulation of a transaction. Normally aptdaemon should simulate every transaction before it is queued, even if the client hasn't explicitly called the Simulate method of the transaction (e.g. update-manager and software-center don't simulate their transactions). But there is an error in aptdaemon.
Two steps are required to resolve this issue:
(1) Perform a re-check of unauthenticated packages directly before applying the changes
(2) Fix the automatic simulation of transactions [But this part could be skipped for a security fix release]
Thanks a lot to Michael Vogt for detecting and providing a fix for this issue.
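The bug class described in the report, shown as a small added example (this is illustration code, not aptdaemon's own source; the `Package`/`Transaction` classes, the `authenticated` flag and the `apply_vulnerable`/`apply_fixed` names are assumptions). The vulnerable shape records the unauthenticated-package check only in the optional `simulate()` step, so a client that never simulates gets the packages installed; the fixed shape follows step (1) of the report and re-checks directly before applying, regardless of whether simulation ran.

```python
"""Check-only-in-preflight bug, vulnerable form beside the fixed form.

Added example for this bug report. Names and the package model are
assumptions; they are not aptdaemon's real API.
"""

from dataclasses import dataclass, field
from typing import List


@dataclass(frozen=True)
class Package:
    name: str
    # Assumed stand-in for apt's trusted flag: True when the package's
    # repository metadata carried a valid signature.
    authenticated: bool


class UnauthenticatedPackageError(Exception):
    """Raised when a transaction would install unverifiable packages."""


@dataclass
class Transaction:
    packages: List[Package]
    allow_unauthenticated: bool = False
    simulated: bool = False
    unauthenticated: List[str] = field(default_factory=list)

    def _check_unauthenticated(self) -> List[str]:
        """Names of packages that could not be authenticated."""
        return [p.name for p in self.packages if not p.authenticated]

    def simulate(self) -> None:
        """Optional preflight step; clients may never call it."""
        self.unauthenticated = self._check_unauthenticated()
        self.simulated = True

    def apply_vulnerable(self) -> List[str]:
        """Vulnerable shape: trusts the result recorded by simulate().

        If simulate() never ran, self.unauthenticated is still empty, so
        the check is silently skipped and every package is installed.
        """
        if self.unauthenticated and not self.allow_unauthenticated:
            raise UnauthenticatedPackageError(self.unauthenticated)
        return [p.name for p in self.packages]

    def apply_fixed(self) -> List[str]:
        """Fixed shape: re-check right before applying, independent of
        whether the client simulated the transaction first."""
        unauthenticated = self._check_unauthenticated()
        if unauthenticated and not self.allow_unauthenticated:
            raise UnauthenticatedPackageError(unauthenticated)
        return [p.name for p in self.packages]


# Constructed sample input: one signed package, one from an unsigned source.
SAMPLE = [Package("libfoo1", True), Package("evil-helper", False)]


def _outcome(apply) -> str:
    try:
        apply()
    except UnauthenticatedPackageError:
        return "blocked"
    return "installed"


def vulnerable_without_simulation() -> str:
    # No Simulate call (what update-manager/software-center did): bypass.
    return _outcome(Transaction(list(SAMPLE)).apply_vulnerable)


def vulnerable_with_simulation() -> str:
    tx = Transaction(list(SAMPLE))
    tx.simulate()
    return _outcome(tx.apply_vulnerable)


def fixed_without_simulation() -> str:
    # The re-check before applying closes the gap even with no simulation.
    return _outcome(Transaction(list(SAMPLE)).apply_fixed)


def fixed_explicitly_allowed() -> str:
    # Caller opted in; unauthenticated packages are then installed on purpose.
    return _outcome(Transaction(list(SAMPLE), allow_unauthenticated=True).apply_fixed)


if __name__ == "__main__":
    print("vulnerable, no simulate :", vulnerable_without_simulation())
    print("vulnerable, simulate    :", vulnerable_with_simulation())
    print("fixed, no simulate      :", fixed_without_simulation())
    print("fixed, allow flag set   :", fixed_explicitly_allowed())
```

The design point is that a policy check must sit on the path that cannot be skipped (the commit), not on an advisory preflight the caller controls; step (2) in the report (forcing simulation) would also help, but only the re-check before applying makes the outcome independent of client behaviour.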
Changed in aptdaemon (Ubuntu): | |
status: | New → In Progress |
Changed in aptdaemon (Ubuntu Natty): | |
status: | New → Confirmed |
Changed in aptdaemon (Ubuntu Oneiric): | |
status: | New → Confirmed |
Changed in aptdaemon (Ubuntu Natty): | |
importance: | Undecided → Critical |
Changed in aptdaemon (Ubuntu Oneiric): | |
importance: | Undecided → Critical |
Changed in aptdaemon (Ubuntu Natty): | |
assignee: | nobody → Marc Deslauriers (mdeslaur) |
Changed in aptdaemon (Ubuntu Oneiric): | |
assignee: | nobody → Marc Deslauriers (mdeslaur) |
Changed in aptdaemon (Ubuntu Precise): | |
assignee: | nobody → Michael Vogt (mvo) |
visibility: | private → public |
Fix simulating before applying