No authentication check if DPkg::Options::", "--force-confold" is set in apt conf

Bug #1466380 reported by Michael Vogt on 2015-06-18
Affects                        Importance   Assigned to
unattended-upgrades (Ubuntu)   Critical     Unassigned
Precise                        Undecided    Marc Deslauriers
Trusty                         Undecided    Marc Deslauriers
Utopic                         Undecided    Marc Deslauriers
Vivid                          Undecided    Marc Deslauriers
Wily                           Critical     Unassigned

Bug Description

While doing code inspection I noticed that under certain circumstances unattended-upgrades will not perform a authentication check for the package it downloads. The trust for packages is checked in line 1242 of the code, but that code only gets executed if dpkg_conffile_prompt() returns True.

Attached is a patch against master with a fix and a test. This needs to be coordinated with debian and added to all our releases. I will prepare debdiffs.
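The control-flow defect described above, as an added illustration that is not unattended-upgrades' own code: the pre-fix shape nests the origin trust check under the dpkg_conffile_prompt() branch, so an apt configuration with --force-confold or --force-confnew bypasses it, while the fixed shape checks every package unconditionally. MockOrigin, MockCandidate, MockPackage, the apt_conf dict and the simplified dpkg_conffile_prompt() are constructed stand-ins for the apt_pkg objects and config lookup.

```python
from collections import namedtuple

# Constructed stand-ins for apt_pkg origin/candidate/package objects (not the
# project's own mocks): only the attributes the check needs are modelled.
MockOrigin = namedtuple("MockOrigin", ["origin", "trusted"])
MockCandidate = namedtuple("MockCandidate", ["origins"])
MockPackage = namedtuple("MockPackage", ["name", "candidate"])


def dpkg_conffile_prompt(apt_conf):
    """Simplified model of the apt setting in the bug title: dpkg will prompt
    for conffiles unless DPkg::Options forces confold/confnew."""
    opts = apt_conf.get("DPkg::Options", [])
    return not any(o in ("--force-confold", "--force-confnew") for o in opts)


def is_trusted(pkg):
    """A candidate is trusted if at least one of its origins is (cf. line 532
    of the traceback in this report)."""
    return any(o.trusted for o in pkg.candidate.origins)


def sanity_check_vulnerable(pkgs, apt_conf):
    """Pre-fix shape: the trust check only runs when dpkg_conffile_prompt()
    is True, so a forced-conffile configuration skips authentication."""
    rejected = []
    if dpkg_conffile_prompt(apt_conf):
        for pkg in pkgs:
            if not is_trusted(pkg):
                rejected.append(pkg.name)
    return rejected


def sanity_check_fixed(pkgs, apt_conf):
    """Post-fix shape: authentication is checked for every package regardless
    of the conffile-prompt setting."""
    return [p.name for p in pkgs if not is_trusted(p)]


# Constructed sample input: one package from a trusted origin, one from an
# origin whose Release file was not verified.
SAMPLE_PKGS = [
    MockPackage("base-files", MockCandidate([MockOrigin("Ubuntu", True)])),
    MockPackage("unsigned-tool", MockCandidate([MockOrigin("mirror", False)])),
]
DEFAULT_CONF = {}
FORCE_CONFOLD_CONF = {"DPkg::Options": ["--force-confold"]}

if __name__ == "__main__":
    print("vulnerable, forced:", sanity_check_vulnerable(SAMPLE_PKGS, FORCE_CONFOLD_CONF))
    print("fixed, forced:     ", sanity_check_fixed(SAMPLE_PKGS, FORCE_CONFOLD_CONF))
```

With the default configuration both variants reject the unsigned package; only with --force-confold does the vulnerable variant return an empty rejection list.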

Marc Deslauriers (mdeslaur) wrote :

This is CVE-2015-1330

Changed in unattended-upgrades (Ubuntu):
status: New → In Progress
importance: Undecided → Critical
Marc Deslauriers (mdeslaur) wrote :

CRD is 2015-06-29 17:00:00 UTC

Changed in unattended-upgrades (Ubuntu Precise):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in unattended-upgrades (Ubuntu Trusty):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in unattended-upgrades (Ubuntu Utopic):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in unattended-upgrades (Ubuntu Vivid):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in unattended-upgrades (Ubuntu Precise):
status: New → Confirmed
Changed in unattended-upgrades (Ubuntu Trusty):
status: New → Confirmed
Changed in unattended-upgrades (Ubuntu Utopic):
status: New → Confirmed
Changed in unattended-upgrades (Ubuntu Vivid):
status: New → Confirmed
Marc Deslauriers (mdeslaur) wrote :

These debdiffs FTBFS from new test suite failures:

======================================================================
ERROR: test_blacklist (__main__.TestOriginPatern)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "./test_origin_pattern.py", line 115, in test_blacklist
    check_changes_for_sanity(cache, allowed_origins, blacklist, [".*"]))
  File "/«PKGBUILDDIR»/test/unattended_upgrade.py", line 532, in check_changes_for_sanity
    if not any([o.trusted for o in pkg.candidate.origins]):
  File "/«PKGBUILDDIR»/test/unattended_upgrade.py", line 532, in <listcomp>
    if not any([o.trusted for o in pkg.candidate.origins]):
AttributeError: 'MockOrigin' object has no attribute 'trusted'

======================================================================
ERROR: test_whitelist_with_strict_whitelisting (__main__.TestOriginPatern)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "./test_origin_pattern.py", line 135, in test_whitelist_with_strict_whitelisting
    check_changes_for_sanity(cache, allowed_origins, [], whitelist))
  File "/«PKGBUILDDIR»/test/unattended_upgrade.py", line 532, in check_changes_for_sanity
    if not any([o.trusted for o in pkg.candidate.origins]):
  File "/«PKGBUILDDIR»/test/unattended_upgrade.py", line 532, in <listcomp>
    if not any([o.trusted for o in pkg.candidate.origins]):
AttributeError: 'MockOrigin' object has no attribute 'trusted'

Marc Deslauriers (mdeslaur) wrote :

Test cases fixed with:

diff -Nru unattended-upgrades-0.83.6/test/test_origin_pattern.py unattended-upgrades-0.83.6ubuntu1/test/test_origin_pattern.py
--- unattended-upgrades-0.83.6/test/test_origin_pattern.py 2015-03-05 11:36:33.000000000 -0500
+++ unattended-upgrades-0.83.6ubuntu1/test/test_origin_pattern.py 2015-06-22 08:45:40.000000000 -0400
@@ -15,7 +15,7 @@

 class MockOrigin():
- pass
+ trusted = True

 class MockCandidate():
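Review bot: `trusted = True` as a class attribute on MockOrigin resolves the AttributeError at unattended_upgrade.py line 532, but it makes every mocked origin trusted, so neither test_blacklist nor test_whitelist_with_strict_whitelisting exercises the newly added rejection branch. Consider a companion test that builds a MockOrigin with `trusted = False` and asserts that check_changes_for_sanity rejects the package, so the CVE fix itself is covered rather than only kept from crashing.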

Michael Vogt (mvo) wrote :

Thanks Marc! Sorry for the missing line in the test. The one I sent by mail had it but it seems like I forgot to add the updated version here. My apologies.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package unattended-upgrades - 0.82.1ubuntu2.3

---------------
unattended-upgrades (0.82.1ubuntu2.3) trusty-security; urgency=medium

  * fix missing package authentication check for apt
     configurations that force-{confold,confnew} (CVE-2015-1330)
     LP: #1466380

 -- Michael Vogt <email address hidden> Fri, 19 Jun 2015 11:32:36 +0200

Changed in unattended-upgrades (Ubuntu Trusty):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package unattended-upgrades - 0.82.8ubuntu0.3

---------------
unattended-upgrades (0.82.8ubuntu0.3) utopic-security; urgency=medium

  * fix missing package authentication check for apt
     configurations that force-{confold,confnew} (CVE-2015-1330)
     LP: #1466380

 -- Michael Vogt <email address hidden> Fri, 19 Jun 2015 11:38:24 +0200

Changed in unattended-upgrades (Ubuntu Utopic):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package unattended-upgrades - 0.76ubuntu1.1

---------------
unattended-upgrades (0.76ubuntu1.1) precise-security; urgency=medium

  * fix missing package authentication check for apt
     configurations that force-{confold,confnew} (CVE-2015-1330)
     LP: #1466380

 -- Michael Vogt <email address hidden> Fri, 19 Jun 2015 11:12:10 +0200

Changed in unattended-upgrades (Ubuntu Precise):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package unattended-upgrades - 0.83.6ubuntu1

---------------
unattended-upgrades (0.83.6ubuntu1) vivid-security; urgency=medium

  * fix missing package authentication check for apt
    configurations that force-{confold,confnew} (CVE-2015-1330)
    LP: #1466380

 -- Michael Vogt <email address hidden> Fri, 19 Jun 2015 15:00:24 +0200

Changed in unattended-upgrades (Ubuntu Vivid):
status: Confirmed → Fix Released
information type: Private Security → Public Security
tags: added: patch
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package unattended-upgrades - 0.86.1

---------------
unattended-upgrades (0.86.1) unstable; urgency=medium

  * fix missing package authentication check for apt
     configurations that force-{confold,confnew} (CVE-2015-1330)
     LP: #1466380

 -- Michael Vogt <email address hidden> Mon, 29 Jun 2015 19:28:06 +0200

Changed in unattended-upgrades (Ubuntu Wily):
status: In Progress → Fix Released