Doesn't detect unauthenticated packages if the transaction hasn't been simulated before

Bug #959131 reported by Sebastian Heinlein on 2012-03-19
Affects              Status   Importance   Assigned to        Milestone
aptdaemon (Ubuntu)            Critical     Michael Vogt
Natty                         Critical     Marc Deslauriers
Oneiric                       Critical     Marc Deslauriers
Precise                       Critical     Michael Vogt

Bug Description

Aptdaemon allows installing unauthenticated packages via software-center or update-manager.

The versions of aptdaemon in Natty, Oneiric and Precise are affected. Dear security team, could you please apply the attached securtiy_fix_install_unauthenticated_packages_(oneric|natty) patches to the corresponding releases?

The version in Precise will be fixed by a new upstream snapshot release and will also include the fixed deferred simulation patch.

Background: Aptdaemon only checks for unauthenticated packages during the simulation of a transaction. Normally aptdaemon should simulate every transaction before it is queued, even if the client hasn't explicitly called the Simulate method of the transaction before (e.g. update-manager and software-center don't simulate the transactions). But there is an error in aptdaemon.core.TransactionQueue.put() which results in the transactions being queued and applied before they are simulated.

Two steps are required to resolve this issue:

(1) Perform a re-check of unauthenticated packages directly before applying the changes

(2) Fix the automatic simulation of transactions [But this part could be skipped for a security fix release]

Thanks a lot to Michael Vogt for detecting and providing a fix for this issue.
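
To make the two-part fix concrete, the following is an added illustration in Python and not aptdaemon's own code: a minimal transaction queue whose put() simulates any transaction the client did not simulate itself (step 2), and whose apply step re-checks the unauthenticated set immediately before changes are made and refuses unless the caller explicitly allowed it (step 1). The Package and Transaction classes, the authenticated and allow_unauthenticated flags and the package names are constructed for this example.

```python
"""Model of the two fixes from the report: simulate before queueing, and
re-check authentication right before applying.

Added illustration, not aptdaemon's code. Package names, the classes and
the `authenticated` / `allow_unauthenticated` flags are constructed here.
"""
from dataclasses import dataclass, field


class UnauthenticatedPackageError(Exception):
    """Raised when a transaction would install packages whose origin could
    not be verified and the caller did not explicitly allow that."""


@dataclass
class Package:
    name: str
    authenticated: bool  # constructed stand-in for apt's trusted-origin check


@dataclass
class Transaction:
    packages: list
    allow_unauthenticated: bool = False  # constructed flag, off by default
    simulated: bool = False
    unauthenticated: list = field(default_factory=list)
    applied: bool = False

    def simulate(self):
        """Resolve which packages of this transaction are unauthenticated."""
        self.unauthenticated = [p.name for p in self.packages if not p.authenticated]
        self.simulated = True
        return self.unauthenticated


class TransactionQueue:
    def __init__(self):
        self.items = []

    def put(self, trans):
        # Step (2): never queue a transaction that has not been simulated,
        # whether or not the client called Simulate itself.
        if not trans.simulated:
            trans.simulate()
        self.items.append(trans)

    def all_simulated(self):
        """Invariant the report asks for: everything queued was simulated."""
        return all(t.simulated for t in self.items)

    def apply_next(self):
        trans = self.items.pop(0)
        # Step (1): re-check directly before applying, so the decision does
        # not depend on an earlier simulation having run at all.
        unauth = trans.simulate()
        if unauth and not trans.allow_unauthenticated:
            raise UnauthenticatedPackageError(unauth)
        trans.applied = True
        return trans


def demo():
    """Queue one clean and one tainted transaction; return what happened."""
    q = TransactionQueue()
    trusted = Package("example-editor", authenticated=True)  # constructed
    untrusted = Package("example-pkg", authenticated=False)  # constructed
    clean = Transaction([trusted])
    tainted = Transaction([trusted, untrusted])
    q.put(clean)
    q.put(tainted)
    invariant_held = q.all_simulated()
    q.apply_next()  # the clean transaction is applied
    blocked = []
    try:
        q.apply_next()  # the tainted one is refused before any change
    except UnauthenticatedPackageError as exc:
        blocked = exc.args[0]
    return invariant_held, clean.applied, tainted.applied, blocked


if __name__ == "__main__":
    print(demo())
```

The re-check in apply_next() is what closes the window the report describes: even if a queueing bug lets an unsimulated transaction through, the decision to apply is made on a fresh result rather than on state that may never have been computed.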

Sebastian Heinlein (glatzor) wrote :

Fix simulating before applying

Michael Vogt (mvo) on 2012-03-19
Changed in aptdaemon (Ubuntu):
status: New → In Progress
Sebastian Heinlein (glatzor) wrote :

An updated version of the security fix which also sets the unauthenticated attribute of the transaction.

Sebastian Heinlein (glatzor) wrote :

The fix for Oneiric

Sebastian Heinlein (glatzor) wrote :

The security fix for natty

description: updated
Sebastian Heinlein (glatzor) wrote :

Any updates on this issue?

Changed in aptdaemon (Ubuntu Natty):
status: New → Confirmed
Changed in aptdaemon (Ubuntu Oneiric):
status: New → Confirmed
Changed in aptdaemon (Ubuntu Natty):
importance: Undecided → Critical
Changed in aptdaemon (Ubuntu Oneiric):
importance: Undecided → Critical
Changed in aptdaemon (Ubuntu Natty):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in aptdaemon (Ubuntu Oneiric):
assignee: nobody → Marc Deslauriers (mdeslaur)
Marc Deslauriers (mdeslaur) wrote :

This is CVE-2012-0944

Let's coordinate a CRD for 2012-04-02.

summary: - Doens't detect unauthenticated packages if the transaction hasn't been
+ Doesn't detect unauthenticated packages if the transaction hasn't been
simulated before
Changed in aptdaemon (Ubuntu Precise):
assignee: nobody → Michael Vogt (mvo)

Marc Deslauriers <email address hidden> wrote:

>** Changed in: aptdaemon (Ubuntu Precise)
> Assignee: (unassigned) => Michael Vogt (mvo)
>
>--
>You received this bug notification because you are subscribed to the
>bug
>report.
>https://bugs.launchpad.net/bugs/959131
>
>Title:
> Doesn't detect unauthenticated packages if the transaction hasn't been
> simulated before
>
>To manage notifications about this bug go to:
>https://bugs.launchpad.net/ubuntu/+source/aptdaemon/+bug/959131/+subscriptions

Could you please coordinate with Debian? Testing/unstable is also affected. Thanks
--
This message was sent from my Android mobile phone with K-9 Mail.

Marc Deslauriers (mdeslaur) wrote :

I did, I sent out an email to <email address hidden> this morning.

Sebastian Heinlein (glatzor) wrote :

Marc Deslauriers <email address hidden> wrote:

>I did, I sent out an email to <email address hidden> this morning.

Thanks a lot
--
This message was sent from my Android mobile phone with K-9 Mail.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package aptdaemon - 0.43+bzr697-0ubuntu1.2

---------------
aptdaemon (0.43+bzr697-0ubuntu1.2) oneiric-security; urgency=low

  * SECURITY UPDATE: unauthenticated package installation (LP: #959131)
    - debian/patches/04_CVE-2012-0944.patch: properly handle
      unauthenticated packages in aptdaemon/worker.py.
    - CVE-2012-0944
  * This package does _not_ contain the changes from 0.43+bzr697-0ubuntu1.1
    in oneiric-proposed.
 -- Marc Deslauriers <email address hidden> Wed, 28 Mar 2012 13:46:00 -0400

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package aptdaemon - 0.41+bzr661-0ubuntu0.2

---------------
aptdaemon (0.41+bzr661-0ubuntu0.2) natty-security; urgency=low

  * SECURITY UPDATE: unauthenticated package installation (LP: #959131)
    - debian/patches/04_CVE-2012-0944.patch: properly handle
      unauthenticated packages in aptdaemon/worker.py.
    - CVE-2012-0944
 -- Marc Deslauriers <email address hidden> Wed, 28 Mar 2012 13:54:38 -0400

Changed in aptdaemon (Ubuntu Natty):
status: Confirmed → Fix Released
Changed in aptdaemon (Ubuntu Oneiric):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package aptdaemon - 0.43+bzr790-0ubuntu1

---------------
aptdaemon (0.43+bzr790-0ubuntu1) precise; urgency=low

  New upstream snapshot:
  * merged patch for LP: #959131 (CVE 2012-0944)
  * pkcompat: Don't crash if the system time went backwards during a
    transaction (Fixes LP: #940367)
  * worker: catch SystemErrors from python-apt when performing a system
    upgrade (fixes LP: #932581)
  * pkcompat: Don't crash if an unsupported locale is used for the
    transaction, fixes LP: #944553
  * Fix download progress information for translations of languages with
    an ISO 639 2T code (3 letters), e.g. Asturian (ast) - fixes LP: #966111
  * test: Add a test to ensure that every transaction is simulated
    before it gets queued.
 -- Michael Vogt <email address hidden> Mon, 02 Apr 2012 19:04:16 +0200

Changed in aptdaemon (Ubuntu Precise):
status: In Progress → Fix Released
visibility: private → public