software-properties-gtk hangs indefinitely if a single source server is down

Bug #1904775 reported by rud
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
software-properties (Ubuntu) | New | Undecided | Unassigned |

Bug Description

Since this prevents non-technical users from installing critical security updates and does not give them any useful information, I consider it a security issue.

A single repository server is down and a bug in software-properties-gtk will prevent non-technical users from continuing to install security updates.

Example:
The Darktable repository is currently offline:
https://software.opensuse.org/download.html?project=graphics:darktable:stable&package=darktable
Running sudo apt update clearly shows that one repository is offline.

When I open the Software Sources app (software-properties-gtk) and it starts to “Refresh Software Cache”, I expect the following:

- software sources are being refreshed.
- this might take a little longer than normal.
- it throws an error and returns to the main screen.
- the user can continue normally.

In short: it should cope with a server being down.

The actual behaviour:
- refreshing takes forever.
- Ubuntu throws an error saying it hit an error, asking to send the report about software-properties.
- I have to manually force close the loading screen.
- I can close the main window of software-properties.
- when I launch "Software Sources" again, I get an empty square window.

This should not happen when a server happens to be down.

Running sudo apt update clearly shows that one repository is offline.

ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: software-properties-gtk 0.98.9.3
ProcVersionSignature: Ubuntu 5.4.0-54.60-generic 5.4.65
Uname: Linux 5.4.0-54-generic x86_64
ApportVersion: 2.20.11-0ubuntu27.12
Architecture: amd64
CasperMD5CheckResult: skip
CurrentDesktop: Budgie:GNOME
Date: Wed Nov 18 19:59:49 2020
InstallationDate: Installed on 2020-11-18 (0 days ago)
InstallationMedia: Ubuntu-Budgie 20.04.1 LTS "Focal Fossa" - Release amd64 (20200731)
PackageArchitecture: all
SourcePackage: software-properties
UpgradeStatus: No upgrade log present (probably fresh install)

Avital Ostromich (avital) wrote : Bug is not a security issue

Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross privilege boundaries nor directly cause loss of data/privacy. Please feel free to report any other bugs you may find.

information type: Private Security → Public
Sebastien Bacher (seb128) wrote :

How does it prevent users from installing security updates? Those are automatically downloaded and applied in the background by unattended-upgrade. Also, software-properties is used to configure sources, not to apply updates. Is your issue also impacting update manager?
