Blacklisted packages are included in the "upgradable origin", while they should not

Bug #1781176 reported by Balint Reczey on 2018-07-11
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
unattended-upgrades
Fix Released
Unknown
unattended-upgrades (Ubuntu)
Undecided
Unassigned
Xenial
Undecided
Unassigned
Bionic
Undecided
Balint Reczey

Bug Description

[Impact]

 * Reports from u-u incorrectly list packages from non-upgradable origins as "Packages with upgradable origin but kept back"

 * Listing the packages incorrectly is a result of is_pkgname_in_blacklist() having a side effect and removing the side effect is part of fixing LP: #1396787 which fix is also being SRU-d.

 * The fix is removing the side effect of is_pkgname_in_blacklist()

[Test Case]

 * There is a build-time test in test/test_blacklisted_wrong_origin.py
 * To reproduce the original problem set up a system where all security updates are installed but ebtables (from bionic-updates) is not updated:
$ sudo unattended-upgrade --verbose
Initial blacklisted packages:
Initial whitelisted packages:
Starting unattended upgrades script
Allowed origins are: o=Ubuntu,a=bionic, o=Ubuntu,a=bionic-security, o=UbuntuESM,a=bionic
No packages found that can be upgraded unattended and no pending auto-removals
$ sudo apt upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following packages will be upgraded:
  apt apt-utils ebtables initramfs-tools initramfs-tools-bin initramfs-tools-core libapt-inst2.0 libapt-pkg5.0
  liblxc-common liblxc1 libpython3-stdlib lxcfs lxd lxd-client netplan.io networkd-dispatcher nplan
  python-apt-common python3 python3-apt python3-minimal python3-update-manager snapd squashfs-tools
  unattended-upgrades update-manager-core update-notifier-common
27 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 24.1 MB of archives.
After this operation, 1454 kB of additional disk space will be used.
Do you want to continue? [Y/n] n
Abort.

* blacklist ebtables, set up emails from u-u, then run u-u again:
$ sudo echo 'Unattended-Upgrade::Package-Blacklist {"ebtables";};' > /etc/apt/apt.conf.d/51unattended-upgrades-blacklist-ebtables
$ sudo echo 'Unattended-Upgrade::Mail "root";' > /etc/apt/apt.conf.d/51unattended-upgrades-mail
$ sudo unattended-upgrade --verbose
Initial blacklisted packages: ebtables
Initial whitelisted packages:
Starting unattended upgrades script
Allowed origins are: o=Ubuntu,a=bionic, o=Ubuntu,a=bionic-security, o=UbuntuESM,a=bionic
Packages that will be upgraded:

* Observe ebtables listed as being kept back and having upgradable origin with buggy u-u:
$ sudo cat /var/mail/mail
...
Packages with upgradable origin but kept back:
 ebtables=20
...

* Upgrade u-u to a fixed version and run it, observing ebtables to be not listed as having upgradable origin

[Regression Potential]

 * Regressions may make packages incorrectly missing from u-u's report, but the autopkgtests also cover that to some extent.

[Other Info]

 * Original report: https://github.com/mvo5/unattended-upgrades/issues/116

Changed in unattended-upgrades:
status: Unknown → Fix Released
Łukasz Zemczak (sil2100) wrote :

Looks like fixed in 1.4.

Changed in unattended-upgrades (Ubuntu):
status: New → Fix Released
Changed in unattended-upgrades (Ubuntu Bionic):
status: New → Fix Committed
tags: added: verification-needed verification-needed-bionic

Hello Balint, or anyone else affected,

Accepted unattended-upgrades into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/unattended-upgrades/1.1ubuntu1.18.04.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Steve Langasek (vorlon) wrote :

Hello Balint, or anyone else affected,

Accepted unattended-upgrades into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/unattended-upgrades/1.1ubuntu1.18.04.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Łukasz Zemczak (sil2100) wrote :

Hello Balint, or anyone else affected,

Accepted unattended-upgrades into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/unattended-upgrades/1.1ubuntu1.18.04.4 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Balint Reczey (rbalint) on 2018-07-18
description: updated
Balint Reczey (rbalint) on 2018-07-18
tags: added: verification-failed verification-failed-bionic
removed: verification-needed verification-needed-bionic
Balint Reczey (rbalint) on 2018-07-19
Changed in unattended-upgrades (Ubuntu Bionic):
status: Fix Committed → In Progress
assignee: nobody → Balint Reczey (rbalint)
description: updated
Balint Reczey (rbalint) wrote :

I tested 1.1ubuntu1.18.04.4 and found the problem not fixed here. The problem was fixed in u-u 1.3 but changes in 1.4 made the original fix incomplete.
The side-effect of is_pkgname_in_blacklist() is still removed, but assumptions broke at the place where the function is called and as a result the content of u-u's email is the same, listing blacklisted packages like they would have allowed origins.

I submitted a fix for the current code in https://github.com/mvo5/unattended-upgrades/pull/137.

Balint Reczey (rbalint) on 2018-07-19
Changed in unattended-upgrades (Ubuntu):
status: Fix Released → In Progress
Łukasz Zemczak (sil2100) wrote :

After a quick discussion with Balint, seeing that this is an incomplete fix but without any reverse effects and introducing no regressions, I have decided to release this version as-is without the need of removal of the changes. Please re-open the bug after the package lands in -updates and fix it properly with the next upload.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package unattended-upgrades - 1.1ubuntu1.18.04.4

---------------
unattended-upgrades (1.1ubuntu1.18.04.4) bionic; urgency=medium

  * Redirect stderr output in upgrade-between-snapshots, too, otherwise it
    breaks the test sometimes (LP: #1781446)

unattended-upgrades (1.1ubuntu1.18.04.3) bionic; urgency=medium

  * Redirect stderr output in upgrade-all-security, otherwise it breaks the
    test (LP: #1781446)

unattended-upgrades (1.1ubuntu1.18.04.2) bionic; urgency=medium

  [ Balint Reczey ]
  * Clear cache when autoremoval is invalid for a package set marked for
    removal and clear cache after failed commits to return from a possibly
    invalid state (LP: #1779157)
  * Don't start or gracefully stop upgrade on battery (LP: #1773033)
  * Skip updates on metered connections (Closes: #855570) (LP: #1781183)
  * Add debian/tests/upgrade-all-security to install all current security updates.
    On development releases this tests latest stable, on stable releases it tests
    the release itself.
  * Speed up unattended-upgrade (Closes: #892028, #899366) (LP: #1396787)
    - Adjust candidates only for packages to be possibly installed
    - Filter out packages cheaper when they are not from allowed origins
    - Collect autoremovable packages, too, when looking for upgradable ones
    - Measure time of running with --dry-run in autopkgtests
  * Skip starting init.d script in debhelper-generated postinst part
    (LP: #1778800)

  [ Ivan Kurnosov ]
  * Fixed is_pkgname_in_blacklist to be side-effect free. (LP: #1781176)
    Otherwise 'is_pkgname_in_blacklist' mutates the 'pkgs_kept_back' and
    'unattended-upgrades' treats the package as a blacklisted candidate

 -- Balint Reczey <email address hidden> Fri, 13 Jul 2018 10:36:23 +0200

Changed in unattended-upgrades (Ubuntu Bionic):
status: In Progress → Fix Released

The verification of the Stable Release Update for unattended-upgrades has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package unattended-upgrades - 1.5ubuntu2

---------------
unattended-upgrades (1.5ubuntu2) cosmic; urgency=medium

  * Reopen Cache after commit() even when frontend locking is supported.
    This fixes build and operation with latest python-apt.

 -- Balint Reczey <email address hidden> Tue, 28 Aug 2018 15:46:25 +0200

Changed in unattended-upgrades (Ubuntu):
status: In Progress → Fix Released

Hello Balint, or anyone else affected,

Accepted unattended-upgrades into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/unattended-upgrades/1.1ubuntu1.18.04.7~16.04.0 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in unattended-upgrades (Ubuntu Xenial):
status: New → Fix Committed
tags: added: verification-needed verification-needed-xenial
removed: verification-failed
Łukasz Zemczak (sil2100) wrote :

Hello Balint, or anyone else affected,

Accepted unattended-upgrades into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/unattended-upgrades/1.1ubuntu1.18.04.7~16.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.