Dell Latitude 2110 ships insecure apt configuration

Bug #610647 reported by Tony Espy on 2010-07-27
276
This bug affects 3 people
Affects Status Importance Assigned to Milestone
base-files (Ubuntu)
High
Martin Pitt
Karmic
High
Martin Pitt
Lucid
High
Martin Pitt
Maverick
High
Martin Pitt

Bug Description

Binary package hint: base-files

The Dell Lattitude 2110 factory pre-installed image is based on Ubuntu Netbook Remix 9.10. Due to a bug in the build process for this OEM image, a configuration variable which was thought to only effect the image build process, actually affected installed systems. The live-helper option LH_APT_SECURE set to "disabled". This resulted in the file /etc/apt/apt.conf.d/00secure, which contains the following:

APT::Get::AllowUnauthenticated "true";
Aptitude::CmdLine::Ignore-Trust-Violations "true";

The latter apt setting is the main concern. The setting includes "CmdLine". Not being an apt expert, I'm not sure whether this directly effects Synaptics, Update Manager, however it does open the system up for command-line operations.

This has been blogged about:

http://losca.blogspot.com/2010/07/unboxing-and-tinkering-dell-latitude.html

The plan is to match on the md5sum of the file if found, and delete it. I will attach the file and md5sum in a comment.

Tony Espy (awe) wrote :

steve@daphne:/media/foo/etc/apt/apt.conf.d$ md5sum 00secure
da402e2c3a805e234ae7d20fa55580a6 00secure

Martin Pitt (pitti) on 2010-07-28
Changed in base-files (Ubuntu Karmic):
status: New → Triaged
Changed in base-files (Ubuntu Lucid):
status: New → Triaged
Changed in base-files (Ubuntu Maverick):
status: New → Triaged
Changed in base-files (Ubuntu Karmic):
importance: Undecided → High
Changed in base-files (Ubuntu Lucid):
importance: Undecided → High
Changed in base-files (Ubuntu Maverick):
importance: Undecided → High
Martin Pitt (pitti) on 2010-07-28
Changed in base-files (Ubuntu Maverick):
assignee: nobody → Martin Pitt (pitti)
Changed in base-files (Ubuntu Lucid):
assignee: nobody → Martin Pitt (pitti)
Changed in base-files (Ubuntu Karmic):
assignee: nobody → Martin Pitt (pitti)
Martin Pitt (pitti) wrote :

Update for lucid. I tested all 6 combinations of (lucid-updates -> this version, this version -> this version) x (no 00secure, original 00secure, modified 00secure).

The maverick update is not that important I think, but it's such a simple fix that we should just provide it anyway. I'll upload it when I get the security team's "go" for publishing the bug and the update.

Security team, do you want to assign a CVE to this? If so, please add it to the changelog when you upload this.

Karmic update will come in a bit.

Changed in base-files (Ubuntu Lucid):
status: Triaged → Fix Committed
Martin Pitt (pitti) wrote :

Corresponding karmic update, tested the same way.

Changed in base-files (Ubuntu Karmic):
status: Triaged → Fix Committed
Martin Pitt (pitti) wrote :

Maverick update. I can upload this myself once we settle the CVE question and security team acks/processes the lucid/karmic updates.

Changed in base-files (Ubuntu Maverick):
status: Triaged → Fix Committed

CVE-2010-0834

I will get these uploaded for building to the security queue. Thanks for
preparing the fixes!

Kees Cook (kees) on 2010-08-05
visibility: private → public
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package base-files - 5.0.0ubuntu20.10.04.2

---------------
base-files (5.0.0ubuntu20.10.04.2) lucid-security; urgency=low

  * SECURITY UPDATE: unauthenticated software installations.
    - debian/postinst.in: A bug in the build process for the Dell Latitude
      2110 factory pre-installed OEM images caused a temporary apt
      configuration file to be left in the installed system. This disabled
      apt's enforcement of authenticated packages. Remove the file on
      upgrades if it matches the factory version. (LP: #610647)
    - CVE-2010-0834
 -- Martin Pitt <email address hidden> Wed, 28 Jul 2010 17:54:43 +0200

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package base-files - 5.0.0ubuntu7.1

---------------
base-files (5.0.0ubuntu7.1) karmic-security; urgency=low

  * SECURITY UPDATE: unauthenticated software installations.
    - debian/postinst.in: A bug in the build process for the Dell Latitude
      2110 factory pre-installed OEM images caused a temporary apt
      configuration file to be left in the installed system. This disabled
      apt's enforcement of authenticated packages. Remove the file on
      upgrades if it matches the factory version. (LP: #610647)
    - CVE-2010-0834
 -- Martin Pitt <email address hidden> Wed, 28 Jul 2010 18:38:33 +0200

Changed in base-files (Ubuntu Karmic):
status: Fix Committed → Fix Released
Changed in base-files (Ubuntu Lucid):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package base-files - 5.0.0ubuntu22

---------------
base-files (5.0.0ubuntu22) maverick; urgency=low

  * debian/postinst.in: A bug in the build process for the Dell Latitude 2110
    factory pre-installed OEM images caused a temporary apt configuration file
    to be left in the installed system. This disabled apt's enforcement of
    authenticated packages. Remove the file on upgrades if it matches the
    factory version. (LP: #610647)
 -- Martin Pitt <email address hidden> Wed, 28 Jul 2010 18:46:45 +0200

Changed in base-files (Ubuntu Maverick):
status: Fix Committed → Fix Released
Changed in base-files (Ubuntu Karmic):
status: Fix Released → Incomplete
Martin Pitt (pitti) on 2010-08-25
Changed in base-files (Ubuntu Karmic):
status: Incomplete → Fix Released
Changed in base-files (Ubuntu):
status: Fix Released → New
Martin Pitt (pitti) on 2010-10-12
Changed in base-files (Ubuntu):
status: New → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers

Bug attachments