2023-06-16 14:48:47 |
Robie Basak |
bug |
|
|
added bug |
2023-06-16 14:49:58 |
Robie Basak |
description |
I'm basing this report on src:ubuntu-advantage-tools 27.14.4 in Lunar.
In uaclient/livepatch.py, state_files.livepatch_support_cache.write() via uaclient/files/state_files.py [livepatch_support_cache = DataObjectFile(directory=defaults.UAC_TMP_PATH)] via uaclients/defaults.py [UAC_TMP_PATH = "/tmp/ubuntu-advantage/"] writes to /tmp/ubuntu-advantage at a predictable path. It does rename the file in safely. An attacker could use a symlink attack to cause that to happen somewhere else though, I think? I don't see a clear path to a serious vulnerability, but I think it probably deserves a deeper look.
This code is going way in an upcoming update to this package. I noticed it while reviewing this code being removed. But depending on its actual severity it might be worth a USN, so I'm flagging it here. |
I'm basing this report on src:ubuntu-advantage-tools 27.14.4 in Lunar.
In uaclient/livepatch.py, state_files.livepatch_support_cache.write() via uaclient/files/state_files.py [livepatch_support_cache = DataObjectFile(directory=defaults.UAC_TMP_PATH)] via uaclients/defaults.py [UAC_TMP_PATH = "/tmp/ubuntu-advantage/"] writes to /tmp/ubuntu-advantage at a predictable path. It does rename the file in safely. An attacker could use a symlink attack to cause that to happen somewhere else though, I think? I don't see a clear path to a serious vulnerability, but I think it probably deserves a deeper look.
This code is going away in an upcoming update to this package. I noticed it while reviewing this code being removed. But depending on its actual severity it might be worth a USN, so I'm flagging it here. |
|
2023-06-16 16:54:59 |
Robie Basak |
bug |
|
|
added subscriber Grant Orndorff |
2023-06-16 17:14:51 |
Robie Basak |
bug |
|
|
added subscriber Renan Rodrigo |
2023-08-15 13:31:07 |
Grant Orndorff |
bug |
|
|
added subscriber Christian Ehrhardt |
2023-10-04 17:16:31 |
Renan Rodrigo |
bug |
|
|
added subscriber Lucas Albuquerque Medeiros de Moura |
2023-10-18 21:47:50 |
Seth Arnold |
information type |
Private Security |
Public Security |
|
2023-10-30 18:18:18 |
Renan Rodrigo |
description |
I'm basing this report on src:ubuntu-advantage-tools 27.14.4 in Lunar.
In uaclient/livepatch.py, state_files.livepatch_support_cache.write() via uaclient/files/state_files.py [livepatch_support_cache = DataObjectFile(directory=defaults.UAC_TMP_PATH)] via uaclients/defaults.py [UAC_TMP_PATH = "/tmp/ubuntu-advantage/"] writes to /tmp/ubuntu-advantage at a predictable path. It does rename the file in safely. An attacker could use a symlink attack to cause that to happen somewhere else though, I think? I don't see a clear path to a serious vulnerability, but I think it probably deserves a deeper look.
This code is going away in an upcoming update to this package. I noticed it while reviewing this code being removed. But depending on its actual severity it might be worth a USN, so I'm flagging it here. |
[ Impact ]
Several race conditions were found in the u-a-t code, some where a file was being written in a hardcoded path in /tmp. This could leave room for attackers to insert malicious code in the client.
[ Test Plan ]
Functionality-wise, writing files is tested in the unit and integration tests for ubuntu-advantage-tools, and should be covered in the verification of https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/2038461
As for this specific bug, one can verify that the /tmp path does not exist anymore, and check the change in the code to see how the race condition was addressed.
[ Where problems could occur ]
The race conditions were addressed with try-except blocks in Python, so it is low risk as any exploit would be against Python itself. The other problematic parts of the code are removed/moved and functionality is covered by tests, so no problem there.
The risk we considered is that other flaws may be present and we may not have caught those as part of the discussions here. To mitigate that, we keep our tests up-to-date and try to improve code quality in each and every PR.
[ Original Description ]
I'm basing this report on src:ubuntu-advantage-tools 27.14.4 in Lunar.
In uaclient/livepatch.py, state_files.livepatch_support_cache.write() via uaclient/files/state_files.py [livepatch_support_cache = DataObjectFile(directory=defaults.UAC_TMP_PATH)] via uaclients/defaults.py [UAC_TMP_PATH = "/tmp/ubuntu-advantage/"] writes to /tmp/ubuntu-advantage at a predictable path. It does rename the file in safely. An attacker could use a symlink attack to cause that to happen somewhere else though, I think? I don't see a clear path to a serious vulnerability, but I think it probably deserves a deeper look.
This code is going away in an upcoming update to this package. I noticed it while reviewing this code being removed. But depending on its actual severity it might be worth a USN, so I'm flagging it here. |
|
2023-11-10 09:43:03 |
Ubuntu Archive Robot |
bug |
|
|
added subscriber Bryce Harrington |
2023-11-10 09:46:20 |
Andreas Hasenack |
ubuntu-advantage-tools (Ubuntu Mantic): status |
New |
Fix Committed |
|
2023-11-10 09:46:20 |
Andreas Hasenack |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2023-11-10 09:46:22 |
Andreas Hasenack |
bug |
|
|
added subscriber SRU Verification |
2023-11-10 09:46:25 |
Andreas Hasenack |
tags |
|
verification-needed verification-needed-mantic |
|
2023-11-10 09:47:09 |
Andreas Hasenack |
ubuntu-advantage-tools (Ubuntu Lunar): status |
New |
Fix Committed |
|
2023-11-10 09:47:13 |
Andreas Hasenack |
tags |
verification-needed verification-needed-mantic |
verification-needed verification-needed-lunar verification-needed-mantic |
|
2023-11-10 09:48:30 |
Andreas Hasenack |
ubuntu-advantage-tools (Ubuntu Jammy): status |
New |
Fix Committed |
|
2023-11-10 09:48:35 |
Andreas Hasenack |
tags |
verification-needed verification-needed-lunar verification-needed-mantic |
verification-needed verification-needed-jammy verification-needed-lunar verification-needed-mantic |
|
2023-11-10 09:49:13 |
Andreas Hasenack |
ubuntu-advantage-tools (Ubuntu Focal): status |
New |
Fix Committed |
|
2023-11-10 09:49:17 |
Andreas Hasenack |
tags |
verification-needed verification-needed-jammy verification-needed-lunar verification-needed-mantic |
verification-needed verification-needed-focal verification-needed-jammy verification-needed-lunar verification-needed-mantic |
|
2023-11-10 09:49:56 |
Andreas Hasenack |
ubuntu-advantage-tools (Ubuntu Bionic): status |
New |
Fix Committed |
|
2023-11-10 09:49:59 |
Andreas Hasenack |
tags |
verification-needed verification-needed-focal verification-needed-jammy verification-needed-lunar verification-needed-mantic |
verification-needed verification-needed-bionic verification-needed-focal verification-needed-jammy verification-needed-lunar verification-needed-mantic |
|
2023-11-10 09:52:12 |
Andreas Hasenack |
ubuntu-advantage-tools (Ubuntu Xenial): status |
New |
Fix Committed |
|
2023-11-10 09:52:16 |
Andreas Hasenack |
tags |
verification-needed verification-needed-bionic verification-needed-focal verification-needed-jammy verification-needed-lunar verification-needed-mantic |
verification-needed verification-needed-bionic verification-needed-focal verification-needed-jammy verification-needed-lunar verification-needed-mantic verification-needed-xenial |
|
2023-11-15 01:29:56 |
Launchpad Janitor |
ubuntu-advantage-tools (Ubuntu): status |
New |
Fix Released |
|
2023-11-16 13:17:22 |
Andreas Hasenack |
tags |
verification-needed verification-needed-bionic verification-needed-focal verification-needed-jammy verification-needed-lunar verification-needed-mantic verification-needed-xenial |
verification-done-jammy verification-done-lunar verification-done-mantic verification-done-xenial verification-needed verification-needed-bionic verification-needed-focal |
|
2023-11-16 13:17:35 |
Andreas Hasenack |
tags |
verification-done-jammy verification-done-lunar verification-done-mantic verification-done-xenial verification-needed verification-needed-bionic verification-needed-focal |
verification-done-bionic verification-done-focal verification-done-jammy verification-done-lunar verification-done-mantic verification-done-xenial verification-needed |
|
2023-11-16 16:43:15 |
Launchpad Janitor |
ubuntu-advantage-tools (Ubuntu Mantic): status |
Fix Committed |
Fix Released |
|
2023-11-16 16:43:26 |
Andreas Hasenack |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2023-11-16 16:43:47 |
Launchpad Janitor |
ubuntu-advantage-tools (Ubuntu Lunar): status |
Fix Committed |
Fix Released |
|
2023-11-16 16:44:05 |
Launchpad Janitor |
ubuntu-advantage-tools (Ubuntu Jammy): status |
Fix Committed |
Fix Released |
|
2023-11-16 16:44:22 |
Launchpad Janitor |
ubuntu-advantage-tools (Ubuntu Focal): status |
Fix Committed |
Fix Released |
|
2023-11-16 16:45:16 |
Launchpad Janitor |
ubuntu-advantage-tools (Ubuntu Bionic): status |
Fix Committed |
Fix Released |
|
2024-01-08 12:20:01 |
Launchpad Janitor |
ubuntu-advantage-tools (Ubuntu Xenial): status |
Fix Committed |
Fix Released |
|