lastpass-cli changed bundled CA certificates

Bug #1555562 reported by Nikolay Turpitko on 2016-03-10
This bug affects 25 people
Affects | Status | Importance | Assigned to | Milestone
lastpass-cli (Ubuntu) | | Undecided | Unassigned |
Bionic | | Undecided | Nafallo Bjälevik |

Bug Description

[Impact]

lastpass.com provisioned a new SSL certificate on their servers.
Their packaged client uses their API via SSL, and pins which certificates are allowed to sign their certificate.
Since the new certificate is signed by a certificate not in the list, we need to patch it in for the client to allow connections.

The client in its current state is useless and errors out with: "Error: Peer certificate cannot be authenticated with given CA certificates." for all operations working against the API, which is almost all of them.

Upstream bug: https://github.com/lastpass/lastpass-cli/issues/409
Upstream fix: https://github.com/lastpass/lastpass-cli/commit/b888411b042df9414d1d78d99332b672e65c4eb9

[Test Case]

`lpass login <email address hidden>` will cause an error: "Error: Peer certificate cannot be authenticated with given CA certificates."

[Regression Potential]

The application is already unusable, but even if we consider a working version we're only adding a couple of SSL certificates to the validation list.

[Other info]

I would suggest we pocket copy lastpass-cli=1.0.0-1.2ubuntu2 from cosmic to bionic-proposed.
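
Added example, not part of the bug report and not lastpass-cli's own code: a sketch of the failure mode described under [Impact], where a client with a compiled-in pin list rejects a chain after the server rotates to a certificate issued by an unpinned CA. It assumes pins are SHA-256 hashes of each certificate's public key; the byte strings, build names and function names are constructed for illustration.

```python
import base64
import hashlib


def spki_pin(spki: bytes) -> str:
    """Pin = base64(SHA-256(SubjectPublicKeyInfo bytes))."""
    return base64.b64encode(hashlib.sha256(spki).digest()).decode("ascii")


def matched_pin(chain, pins):
    """Return the name of the first chain element whose key is pinned, else None.

    chain is a list of (name, spki_bytes), leaf first. The pin check runs on top
    of ordinary chain validation, so a publicly trusted chain is still rejected
    when none of its keys is in the compiled-in list.
    """
    for name, spki in chain:
        if spki_pin(spki) in pins:
            return name
    return None


def releases_broken_by(chain, pins_by_release):
    """List the builds whose compiled-in pin set rejects the given chain."""
    return sorted(rel for rel, pins in pins_by_release.items()
                  if matched_pin(chain, pins) is None)


# Constructed stand-ins for SPKI bytes (not real DER), one per CA key.
INTERMEDIATE_OLD = b"constructed: intermediate CA key before rotation"
INTERMEDIATE_NEW = b"constructed: intermediate CA key after rotation"

# Hypothetical pin sets compiled into two builds of a pinning client.
PINS_BY_RELEASE = {
    "unpatched": {spki_pin(INTERMEDIATE_OLD)},
    "patched": {spki_pin(INTERMEDIATE_OLD), spki_pin(INTERMEDIATE_NEW)},
}

# Chain the server presents after provisioning its new certificate.
ROTATED_CHAIN = [
    ("leaf", b"constructed: new server key"),
    ("intermediate-new", INTERMEDIATE_NEW),
    ("root", b"constructed: root CA key"),
]

if __name__ == "__main__":
    for rel, pins in PINS_BY_RELEASE.items():
        hit = matched_pin(ROTATED_CHAIN, pins)
        print(rel, "accepts via " + hit if hit else "rejects: no pinned key in chain")
    print("broken builds:", releases_broken_by(ROTATED_CHAIN, PINS_BY_RELEASE))
```

Running the same check against a planned chain before a certificate rotation shows which already-shipped builds would stop connecting.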

Nikolay Turpitko (nikolay-w) wrote :
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in lastpass-cli (Ubuntu):
status: New → Confirmed
Nikolay Turpitko (nikolay-w) wrote :

Sorry, I've forgotten about this one.
I built the package from GitHub sources; it works well. So, I suppose it is just enough to rebuild it for the repository.

Lithi (lithi) wrote :

I confirm this bug also:

$ lpass login --trust <email address hidden>
Error: Peer certificate cannot be authenticated with given CA certificates.

Package: lastpass-cli
Architecture: amd64
Version: 0.7.0-1

Distributor ID: Ubuntu
Description: Ubuntu 16.04.1 LTS
Release: 16.04
Codename: xenial

Bob Copeland (copeland) wrote :

Maintainer from lastpass here: ubuntu, please just update the build to (at least) 0.7.2 (https://github.com/lastpass/lastpass-cli/releases/tag/v0.7.2) which will fix this; it is still broken in xenial. Versions in yakkety and zesty should be fine.

Bob Copeland (copeland) wrote :

Also if we can help in this somehow (such as by providing built packages) let me know.

Ross Golder (ross-golder) wrote :

Come on please, maintainer. Seems this package has been broken and out-of-date for a while now :(

libsys (libsys) wrote :

Would it be possible to simply hand over maintainership of this package to lastpass?

Esko Järnfors (esko-jarnfors) wrote :

This package is currently unusable because of this bug. It should either be fixed or removed altogether from xenial -- the current (longstanding) situation is not bearable and does not look very good. :(

Julian Mehnle (jmehnle) wrote :

It's true that the package is unusable on xenial as it is. However, there's a practical workaround: install the package from the artful release. It has no problematic dependencies. :-)

Changed in lastpass-cli (Ubuntu):
assignee: nobody → Nafallo Bjälevik (nafallo)
status: Confirmed → In Progress
Nafallo Bjälevik (nafallo) wrote :

This happened again today, so all supported releases should probably need fixing.

Nafallo Bjälevik (nafallo) wrote :
Changed in lastpass-cli (Ubuntu):
status: In Progress → Fix Committed
Changed in lastpass-cli (Ubuntu Bionic):
assignee: nobody → Nafallo Bjälevik (nafallo)
status: New → In Progress
description: updated
tags: added: verification-needed-bionic
removed: amd64 apport-bug wily
Nick Moffitt (nick-moffitt) wrote :

Nafallo, do you know when 1.0.0-1.2ubuntu2 will appear in the pool? I'd like to test it.

Nick Moffitt (nick-moffitt) wrote :

Nafallo, I applied your debdiff to a local build and that sorted me out. Do you have a PPA for this?

Nafallo Bjälevik (nafallo) wrote :

Sorry, no, but I built a bionic version in an LXD guest and uploaded it to:
http://people.ubuntu.com/~nafallo/lastpass-cli/bionic/

My plan is to get it sponsored to cuttlefish and then get an SRU done for 18.04.

zasran (erik-zasran) wrote :

Why is this hardcoded instead of being configurable? The problem keeps happening again and again, rendering lpass useless for long periods of time, and there doesn't seem to be any improvement in sight.

Changed in lastpass-cli (Ubuntu):
status: Fix Committed → Fix Released
assignee: Nafallo Bjälevik (nafallo) → nobody
Didier Roche (didrocks) wrote :

Nafallo confirmed cosmic is fixed.

Nafallo Bjälevik (nafallo) wrote :

Debdiff against 18.04.

Changed in lastpass-cli (Ubuntu Bionic):
status: In Progress → Fix Committed
status: Fix Committed → In Progress
Robie Basak (racb) wrote :

> Would it be possible to simply hand over maintainership of this package to lastpass?

For the record, Ubuntu packages are team maintained. Anyone can volunteer a suitable update to Ubuntu; this isn't restricted to specific "maintainers". If lastpass are interested in helping to look after this package in Ubuntu, we'd love to have you do so.

Robie Basak (racb) wrote :

SRU review: this looks fine, except that Launchpad-Bugs-Fixed is missing from the changes file. Can whoever sponsored this upload please ping me, and I'll explain? In the meantime, I'll see about fixing this up myself (after lunch) to avoid holding things up unnecessarily.

Hello Nikolay, or anyone else affected,

Accepted lastpass-cli into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/lastpass-cli/1.0.0-1.2ubuntu2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in lastpass-cli (Ubuntu Bionic):
status: In Progress → Fix Committed
tags: added: verification-needed
Nikolay Turpitko (nikolay-w) wrote :

Hi Robie and others,

Sorry guys, since I reported this bug 2 years ago, I gradually switched to a Debian system and the pass/gopass password manager (even deleted my lastpass account). So, currently I use neither Ubuntu nor lastpass daily (not because they are bad, but due to personal preferences). To test the new package I'll need a couple of hours of spare time, which I don't have right now. So, don't wait for me; someone else please take action.

Junien Fridrick (axino) wrote :

-proposed package works for me and resolves the CA issue.

tags: added: verification-done-bionic
removed: verification-needed verification-needed-bionic
tags: added: verification-done

The verification of the Stable Release Update for lastpass-cli has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lastpass-cli - 1.0.0-1.2ubuntu2

---------------
lastpass-cli (1.0.0-1.2ubuntu2) bionic; urgency=medium

  * Add debian/patches/0004-revert-removed-certificate-pins.patch:
    - Cherry-pick upstream commit b888411 to revert 46e2a0f
      that disabled some GlobalSign intermediate certificates.
    - This make the client start working again after the LastPass
      servers updated their certificate (LP: #1555562).

 -- Nafallo Bjälevik <email address hidden> Thu, 17 May 2018 14:18:00 +0000

Changed in lastpass-cli (Ubuntu Bionic):
status: Fix Committed → Fix Released