python-apt downloads from untrusted sources where apt does not

Bug #1858973 reported by Seth Arnold
Affects              Status        Importance  Assigned to  Milestone
aptdaemon (Ubuntu)   Fix Released  Undecided   Unassigned
python-apt (Ubuntu)  Fix Released  Undecided   Unassigned

Bug Description

python-apt never checked whether the hashes it got were signed in the first place. So, python-apt is happy to download files from unsigned repositories when it shouldn't.

Making the code only fetch trusted packages means that using it on untrusted packages will fail. There might be use cases broken by this.

CVE References

Revision history for this message
Julian Andres Klode (juliank) wrote :

The attached patch needs to be applied to all aptdaemons and their versions bumped to match the Breaks added in bug #1858972.

Patches for python-apt can be found in that bug.

Julian Andres Klode (juliank) wrote :

Somebody should also check that the aptdaemon patch actually works. I only ran the test suite and it passed, but you might want to

rm /var/lib/apt/lists/*Release*
aptdcon --install hello

and see that it still works correctly after asking for auth.

Julian Andres Klode (juliank) wrote :

I can also run such checks tomorrow, but I'm out of time for today :/

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package aptdaemon - 1.1.1+bzr982-0ubuntu28.1

---------------
aptdaemon (1.1.1+bzr982-0ubuntu28.1) eoan-security; urgency=medium

  * Fix compatibility with python-apt security update (LP: #1858973)

 -- Marc Deslauriers <email address hidden> Wed, 15 Jan 2020 14:34:01 -0500

Changed in aptdaemon (Ubuntu):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package aptdaemon - 1.1.1+bzr982-0ubuntu14.2

---------------
aptdaemon (1.1.1+bzr982-0ubuntu14.2) xenial-security; urgency=medium

  * Fix compatibility with python-apt security update (LP: #1858973)

 -- Marc Deslauriers <email address hidden> Wed, 15 Jan 2020 14:37:59 -0500

Changed in aptdaemon (Ubuntu):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package aptdaemon - 1.1.1+bzr982-0ubuntu19.2

---------------
aptdaemon (1.1.1+bzr982-0ubuntu19.2) bionic-security; urgency=medium

  * Fix compatibility with python-apt security update (LP: #1858973)

 -- Marc Deslauriers <email address hidden> Wed, 15 Jan 2020 14:37:27 -0500

Changed in aptdaemon (Ubuntu):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-apt - 1.9.0ubuntu1.2

---------------
python-apt (1.9.0ubuntu1.2) eoan-security; urgency=medium

  * SECURITY UPDATE: Check that repository is trusted before downloading
    files from it (LP: #1858973)
    - apt/cache.py: Add checks to fetch_archives() and commit()
    - apt/package.py: Add checks to fetch_binary() and fetch_source()
    - CVE-2019-15796
  * SECURITY UPDATE: Do not use MD5 for verifying downloads
    (Closes: #944696) (LP: #1858972)
    - apt/package.py: Use all hashes when fetching packages, and
      check that we have trusted hashes when downloading
    - CVE-2019-15795
  * To work around the new checks, the parameter allow_unauthenticated=True
    can be passed to the functions. It defaults to the value of the
    APT::Get::AllowUnauthenticated option.
    - Bump Breaks aptdaemon (<< 1.1.1+bzr982-0ubuntu28.1), as it will have
      to set that parameter after having done validation.
  * Automatic changes and fixes for external regressions:
    - Adjustments to test suite and CI to fix CI regressions
    - Automatic mirror list update

 -- Julian Andres Klode <email address hidden> Wed, 15 Jan 2020 16:35:02 +0100

Changed in python-apt (Ubuntu):
status: New → Fix Released
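The changelog above describes the two checks that were added (is the repository trusted at all, and are the digests we verify against strong and signed) and the allow_unauthenticated opt-out. The following is an added illustration of that logic, not python-apt's own code: Origin, Version, STRONG_HASHES, the "hostile mirror" downloader and the package bytes are all constructed for the example. It puts the pre-fix fetch path (trust never consulted, MD5 only) beside the post-fix path so the difference in outcome on an unsigned repository is visible.

```python
import hashlib
from dataclasses import dataclass

# Constructed model of the pre/post-fix download check. These classes are NOT
# python-apt's; they stand in for apt.package.Version and its origins.


@dataclass
class Origin:
    site: str
    trusted: bool  # True only if apt verified the signature on this origin's Release file


@dataclass
class Version:
    package: str
    origins: list
    hashes: dict  # hash name -> hex digest, as listed in the Packages index


class UntrustedSourceError(Exception):
    pass


class HashMismatchError(Exception):
    pass


# Assumed policy for the example: only these algorithms count as a usable digest.
STRONG_HASHES = ("SHA512", "SHA256")


def fetch_binary_pre_fix(version, downloader):
    """Old behaviour: never asks whether the index was signed, verifies with MD5 alone."""
    data = downloader(version.package)
    if hashlib.md5(data).hexdigest() != version.hashes.get("MD5Sum"):
        raise HashMismatchError(version.package)
    return data


def trusted_hashes(version):
    """Digests worth checking: strong ones, and only if some origin is trusted.
    Digests taken from an unsigned index are attacker-controlled and prove nothing."""
    if not any(origin.trusted for origin in version.origins):
        return {}
    return {name: hexdigest for name, hexdigest in version.hashes.items()
            if name in STRONG_HASHES}


def fetch_binary(version, downloader, allow_unauthenticated=False):
    """Post-fix behaviour: refuse untrusted sources unless the caller opts in,
    then verify every strong, trusted digest the index provides."""
    hashes = trusted_hashes(version)
    if not hashes and not allow_unauthenticated:
        raise UntrustedSourceError(
            f"{version.package}: no trusted hash available; "
            "pass allow_unauthenticated=True to override")
    data = downloader(version.package)
    for name, expected in hashes.items():
        if hashlib.new(name.lower(), data).hexdigest() != expected:
            raise HashMismatchError(f"{version.package}: {name} mismatch")
    return data


# Constructed sample input: the genuine package bytes and what a hostile mirror serves.
GENUINE = b"genuine hello_2.10 .deb bytes"
TAMPERED = b"backdoored hello_2.10 .deb bytes"


def digests(data):
    """Digest set an index would list for the given bytes."""
    return {"MD5Sum": hashlib.md5(data).hexdigest(),
            "SHA256": hashlib.sha256(data).hexdigest(),
            "SHA512": hashlib.sha512(data).hexdigest()}


# A signed archive lists digests of the real package; an unsigned one lists whatever
# the attacker wants, here the digests of the backdoored file.
SIGNED_REPO = Version("hello", [Origin("archive.example", trusted=True)], digests(GENUINE))
UNSIGNED_REPO = Version("hello", [Origin("evil.example", trusted=False)], digests(TAMPERED))


def serve_genuine(name):
    return GENUINE


def serve_tampered(name):
    return TAMPERED


def outcome(fetch, *args, **kwargs):
    """Name of the exception raised, or 'fetched' if the download was accepted."""
    try:
        fetch(*args, **kwargs)
        return "fetched"
    except (UntrustedSourceError, HashMismatchError) as exc:
        return type(exc).__name__


def demo():
    return {
        # pre-fix: unsigned index, attacker-chosen MD5 matches, download accepted (the bug)
        "pre_fix_unsigned": outcome(fetch_binary_pre_fix, UNSIGNED_REPO, serve_tampered),
        "post_fix_unsigned": outcome(fetch_binary, UNSIGNED_REPO, serve_tampered),
        "post_fix_unsigned_opt_in": outcome(fetch_binary, UNSIGNED_REPO, serve_tampered,
                                            allow_unauthenticated=True),
        "post_fix_signed_genuine": outcome(fetch_binary, SIGNED_REPO, serve_genuine),
        "post_fix_signed_tampered": outcome(fetch_binary, SIGNED_REPO, serve_tampered),
    }
```

The point of the opt-in case is the one the changelog makes about aptdaemon: once allow_unauthenticated=True is passed, the library no longer protects the caller, so whoever passes it (aptdaemon after its own authorization prompt, or a script) owns the decision that the source is acceptable.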
Steve Beattie (sbeattie)
summary: - placeholder
+ python-apt downloads from untrusted sources where apt does not
description: updated
information type: Private Security → Public Security