| 2012-06-02 11:44:01 |
Matthias Klumpp |
bug |
|
|
added bug |
| 2012-06-05 19:00:40 |
Matthias Klumpp |
bug |
|
|
added subscriber Michael Vogt |
| 2012-06-22 20:05:12 |
Jamie Strandboge |
nominated for series |
|
Ubuntu Lucid |
|
| 2012-06-22 20:05:12 |
Jamie Strandboge |
bug task added |
|
packagekit (Ubuntu Lucid) |
|
| 2012-06-22 20:05:12 |
Jamie Strandboge |
nominated for series |
|
Ubuntu Natty |
|
| 2012-06-22 20:05:12 |
Jamie Strandboge |
bug task added |
|
packagekit (Ubuntu Natty) |
|
| 2012-06-22 20:05:12 |
Jamie Strandboge |
nominated for series |
|
Ubuntu Oneiric |
|
| 2012-06-22 20:05:12 |
Jamie Strandboge |
bug task added |
|
packagekit (Ubuntu Oneiric) |
|
| 2012-06-22 20:05:12 |
Jamie Strandboge |
nominated for series |
|
Ubuntu Quantal |
|
| 2012-06-22 20:05:12 |
Jamie Strandboge |
bug task added |
|
packagekit (Ubuntu Quantal) |
|
| 2012-06-22 20:05:12 |
Jamie Strandboge |
nominated for series |
|
Ubuntu Precise |
|
| 2012-06-22 20:05:12 |
Jamie Strandboge |
bug task added |
|
packagekit (Ubuntu Precise) |
|
| 2012-06-22 20:06:00 |
Jamie Strandboge |
packagekit (Ubuntu Lucid): status |
New |
Triaged |
|
| 2012-06-22 20:06:01 |
Jamie Strandboge |
packagekit (Ubuntu Lucid): importance |
Undecided |
Medium |
|
| 2012-06-22 20:06:24 |
Jamie Strandboge |
packagekit (Ubuntu Natty): status |
New |
Triaged |
|
| 2012-06-22 20:06:25 |
Jamie Strandboge |
packagekit (Ubuntu Natty): importance |
Undecided |
Low |
|
| 2012-06-22 20:06:26 |
Jamie Strandboge |
packagekit (Ubuntu Oneiric): status |
New |
Triaged |
|
| 2012-06-22 20:06:26 |
Jamie Strandboge |
packagekit (Ubuntu Oneiric): importance |
Undecided |
Low |
|
| 2012-06-22 20:06:27 |
Jamie Strandboge |
packagekit (Ubuntu Precise): status |
New |
Triaged |
|
| 2012-06-22 20:06:28 |
Jamie Strandboge |
packagekit (Ubuntu Precise): importance |
Undecided |
Low |
|
| 2012-06-22 20:06:43 |
Jamie Strandboge |
packagekit (Ubuntu Quantal): importance |
High |
Low |
|
| 2012-06-22 20:06:43 |
Jamie Strandboge |
packagekit (Ubuntu Quantal): status |
New |
Fix Released |
|
| 2012-06-22 20:07:51 |
Jamie Strandboge |
visibility |
private |
public |
|
| 2012-06-22 21:44:15 |
Matthias Klumpp |
description |
Hi!
The Aptcc backend in PackageKit saves the changelog to a predictable location in /tmp. As packagekitd is running as root, bad people could just add a symlink named like the file in /tmp (e.g. to /etc/shadow) to screw up the system.
I fixed this in Debian already, you might want to take the patch (02_aptcc-changelog-random-dir.patch) from there and apply it to Precise, if possible.
For Quantal, please merge/sync packagekit 0.7.4-4 from Debian Sid, which contains the patch and some other improvements.
Cheers,
Matthias |
Hi!
The Aptcc backend in PackageKit saves the changelog to a predictable location in /tmp. As packagekitd is running as root, bad people could just add a symlink named like the file in /tmp (e.g. to /etc/shadow) to screw up the system.
I fixed this in Debian already, you might want to take the patch (02_aptcc-changelog-random-dir.patch) from there and apply it to Precise, if possible.
For Quantal, please merge/sync packagekit 0.7.4-4 from Debian Sid, which contains the patch and some other improvements.
Cheers,
Matthias
UPDATE: The same also applies for our Debconf handling. While the changelog-issue is fixed, this issue is still valid for debconf sockets.
I therefore reopened this bug on Quantal and linked the Debian issue, which will be fixed soon. |
|
| 2012-06-22 21:44:24 |
Matthias Klumpp |
packagekit (Ubuntu Quantal): status |
Fix Released |
Triaged |
|
| 2012-06-22 21:44:56 |
Matthias Klumpp |
bug watch added |
|
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=678189 |
|
| 2012-06-22 21:44:56 |
Matthias Klumpp |
bug task added |
|
packagekit (Debian) |
|
| 2012-06-22 22:28:33 |
Bug Watch Updater |
packagekit (Debian): status |
Unknown |
New |
|
| 2012-08-22 19:42:11 |
Bug Watch Updater |
packagekit (Debian): status |
New |
Fix Released |
|
| 2012-09-10 07:15:19 |
Matthias Klumpp |
packagekit (Ubuntu Quantal): status |
Triaged |
Fix Released |
|
| 2012-11-02 11:47:42 |
Jamie Strandboge |
packagekit (Ubuntu Natty): status |
Triaged |
Won't Fix |
|
| 2013-05-21 15:41:53 |
Jamie Strandboge |
packagekit (Ubuntu Oneiric): status |
Triaged |
Won't Fix |
|
| 2015-06-17 11:30:02 |
Rolf Leggewie |
packagekit (Ubuntu Lucid): status |
Triaged |
Won't Fix |
|
| 2021-10-14 01:32:43 |
Steve Langasek |
packagekit (Ubuntu Precise): status |
Triaged |
Won't Fix |
|
