2012-03-19 09:46:25 |
Sebastian Heinlein |
bug |
|
|
added bug |
2012-03-19 09:46:25 |
Sebastian Heinlein |
attachment added |
|
security_check_unauthenticated.patch https://bugs.launchpad.net/bugs/959131/+attachment/2896326/+files/security_check_unauthenticated.patch |
|
2012-03-19 09:46:56 |
Sebastian Heinlein |
bug |
|
|
added subscriber Michael Vogt |
2012-03-19 09:47:26 |
Sebastian Heinlein |
attachment added |
|
fix_deferred_simulate.patch https://bugs.launchpad.net/ubuntu/+source/aptdaemon/+bug/959131/+attachment/2896327/+files/fix_deferred_simulate.patch |
|
2012-03-19 09:48:50 |
Michael Vogt |
aptdaemon (Ubuntu): status |
New |
In Progress |
|
2012-03-19 09:56:39 |
Sebastian Heinlein |
attachment added |
|
security_check_unauthenticated_2.patch https://bugs.launchpad.net/ubuntu/+source/aptdaemon/+bug/959131/+attachment/2896348/+files/security_check_unauthenticated_2.patch |
|
2012-03-19 10:15:59 |
Sebastian Heinlein |
attachment removed |
security_check_unauthenticated.patch https://bugs.launchpad.net/ubuntu/+source/aptdaemon/+bug/959131/+attachment/2896326/+files/security_check_unauthenticated.patch |
|
|
2012-03-19 10:16:09 |
Sebastian Heinlein |
attachment removed |
security_check_unauthenticated_2.patch https://bugs.launchpad.net/ubuntu/+source/aptdaemon/+bug/959131/+attachment/2896348/+files/security_check_unauthenticated_2.patch |
|
|
2012-03-19 10:16:42 |
Sebastian Heinlein |
attachment added |
|
security_fix_install_unauthenticated_packages_oneiric.patch https://bugs.launchpad.net/ubuntu/+source/aptdaemon/+bug/959131/+attachment/2896443/+files/security_fix_install_unauthenticated_packages_oneiric.patch |
|
2012-03-19 10:17:29 |
Sebastian Heinlein |
attachment added |
|
security_fix_install_unauthenticated_packages_natty.patch https://bugs.launchpad.net/ubuntu/+source/aptdaemon/+bug/959131/+attachment/2896447/+files/security_fix_install_unauthenticated_packages_natty.patch |
|
2012-03-19 10:20:50 |
Sebastian Heinlein |
description |
Aptdaemon allows installing unauthenticated packages using software-center or update-manager.
Background: Aptdaemon only checks for unauthenticated packages during the simulation of a transaction. Normally aptdaemon should simulate every transaction before it is queued, even if the client hasn't explicitly called the Simulate method of the transaction before (e.g. update-manager and software-center don't simulate the transactions). But there is an error in aptdaemon.core.TransactionQueue.put() which results in the transactions being queued and applied before they are simulated.
Two steps are required to resolve this issue:
(1) Perform a re-check of unauthenticated packages directly before applying the changes
(2) Fix the automatic simulation of transactions [But this part could be skipped for a security fix release]
Thanks a lot to Michael Vogt for detecting and providing a fix for this issue. |
Aptdaemon allows installing unauthenticated packages using software-center or update-manager.
The versions of aptdaemon in Natty, Oneiric and Precise are affected. Dear security team, could you please apply the attached security_fix_install_unauthenticated_packages_(oneiric|natty) patches to the corresponding releases?
The version in Precise will be fixed by a new upstream snapshot release and will also include the fixed deferred simulation patch.
Background: Aptdaemon only checks for unauthenticated packages during the simulation of a transaction. Normally aptdaemon should simulate every transaction before it is queued, even if the client hasn't explicitly called the Simulate method of the transaction before (e.g. update-manager and software-center don't simulate the transactions). But there is an error in aptdaemon.core.TransactionQueue.put() which results in the transactions being queued and applied before they are simulated.
Two steps are required to resolve this issue:
(1) Perform a re-check of unauthenticated packages directly before applying the changes
(2) Fix the automatic simulation of transactions [But this part could be skipped for a security fix release]
Thanks a lot to Michael Vogt for detecting and providing a fix for this issue. |
|
2012-03-28 12:12:17 |
Marc Deslauriers |
nominated for series |
|
Ubuntu Natty |
|
2012-03-28 12:12:17 |
Marc Deslauriers |
bug task added |
|
aptdaemon (Ubuntu Natty) |
|
2012-03-28 12:12:17 |
Marc Deslauriers |
nominated for series |
|
Ubuntu Oneiric |
|
2012-03-28 12:12:17 |
Marc Deslauriers |
bug task added |
|
aptdaemon (Ubuntu Oneiric) |
|
2012-03-28 12:12:17 |
Marc Deslauriers |
nominated for series |
|
Ubuntu Precise |
|
2012-03-28 12:12:17 |
Marc Deslauriers |
bug task added |
|
aptdaemon (Ubuntu Precise) |
|
2012-03-28 12:12:26 |
Marc Deslauriers |
aptdaemon (Ubuntu Natty): status |
New |
Confirmed |
|
2012-03-28 12:12:28 |
Marc Deslauriers |
aptdaemon (Ubuntu Oneiric): status |
New |
Confirmed |
|
2012-03-28 12:12:30 |
Marc Deslauriers |
aptdaemon (Ubuntu Natty): importance |
Undecided |
Critical |
|
2012-03-28 12:12:32 |
Marc Deslauriers |
aptdaemon (Ubuntu Oneiric): importance |
Undecided |
Critical |
|
2012-03-28 12:12:34 |
Marc Deslauriers |
aptdaemon (Ubuntu Natty): assignee |
|
Marc Deslauriers (mdeslaur) |
|
2012-03-28 12:12:36 |
Marc Deslauriers |
aptdaemon (Ubuntu Oneiric): assignee |
|
Marc Deslauriers (mdeslaur) |
|
2012-03-28 12:24:25 |
Marc Deslauriers |
cve linked |
|
2012-0944 |
|
2012-03-28 12:27:08 |
Marc Deslauriers |
summary |
Doens't detect unauthenticated packages if the transaction hasn't been simulated before |
Doesn't detect unauthenticated packages if the transaction hasn't been simulated before |
|
2012-03-28 12:35:07 |
Marc Deslauriers |
aptdaemon (Ubuntu Precise): assignee |
|
Michael Vogt (mvo) |
|
2012-03-29 17:29:00 |
Marc Deslauriers |
bug |
|
|
added subscriber Luk Claes |
2012-04-02 17:03:28 |
Launchpad Janitor |
aptdaemon (Ubuntu Oneiric): status |
Confirmed |
Fix Released |
|
2012-04-02 17:03:28 |
Launchpad Janitor |
aptdaemon (Ubuntu Natty): status |
Confirmed |
Fix Released |
|
2012-04-02 17:11:19 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/natty-security/aptdaemon |
|
2012-04-02 17:12:35 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/oneiric-security/aptdaemon |
|
2012-04-02 17:15:40 |
Launchpad Janitor |
aptdaemon (Ubuntu Precise): status |
In Progress |
Fix Released |
|
2012-04-02 17:23:22 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/aptdaemon |
|
2012-04-02 17:37:05 |
Marc Deslauriers |
bug |
|
|
added subscriber Kees Cook |
2012-04-02 17:42:03 |
Marc Deslauriers |
visibility |
private |
public |
|