Ubuntu
update-manager package

captive web portal corrupt Indexes

Bug #1055614 reported by Bryan on 2012-09-24

This bug report is a duplicate of: Bug #756317: Captive portals may corrupt apt translation indices. Edit Remove

This bug affects 3 people

Affects		Status	Importance	Assigned to	Milestone
	update-manager (Ubuntu)	Confirmed	Undecided	Unassigned

Bug Description

When the computer is connected to a captive web portal, the update manager does not check to see that files downloaded are valid indexes. This results in the web portal's html file being written over some or all of the files in /var/lib/apt/lists. I have been able to remove the corrupted files (assuming if they are that easy to overwrite, then blowing them away will be OK too) with the following command:

cd /var/lib/apt/lists
for foo in `grep -r weblogin.jsp .|cut -f 1 -d ':'`; do sudo rm -f $foo; done

This is not something a new user could be expected to do. I don't know if the behavior has changed recently, but this is the second time I have run into this bug in the last month.

This results in complete breakage of the update system stops all updating until it is fixed. The user does get a little red error icon with an relatively opaque error message which was how I knew to look in the /var/lib/apt/lists directory.

This prevents all security updates so I have flagged it as a security vulnerability.

1) The release of Ubuntu you are using, via 'lsb_release -rd' or System -> About Ubuntu
bryan@bryan-Aspire-V3-771:~/temp$ lsb_release -rd
Description: Ubuntu 12.04.1 LTS
Release: 12.04

2) The version of the package you are using, via 'apt-cache policy pkgname' or by checking in Software Center
bryan@bryan-Aspire-V3-771:~/temp$ apt-cache policy update-manager
update-manager:
  Installed: 1:0.156.14.9
  Candidate: 1:0.156.14.9
  Version table:
*** 1:0.156.14.9 0
        500 http://us.archive.ubuntu.com/ubuntu/ precise-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     1:0.156.14.5 0
        500 http://security.ubuntu.com/ubuntu/ precise-security/main amd64 Packages
     1:0.156.14 0
        500 http://us.archive.ubuntu.com/ubuntu/ precise/main amd64 Packages

3) What you expected to happen
/var/lib/apt/lists should not get corrupted when the computer is on a captive portal before login.

4) What happened instead
/var/lib/apt/lists does get corrupted in a way that has no (obvious to a normal user) fix.

Tags:

Revision history for this message

Bryan (brywilharris) wrote on 2012-09-24:

The word "weblogin.jsp" was specific to the captive portal that overwrote my indexes, but may not work on other captive portals. The last time I think I used an html tag such as <\body> as the search term:

for foo in `grep -r "<\body>" .|cut -f 1 -d ':'`; do sudo rm -f $foo; done

security vulnerability:	yes → no
visibility:	private → public

Revision history for this message

Launchpad Janitor (janitor) wrote on 2012-09-24:

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in update-manager (Ubuntu):
status:	New → Confirmed

Revision history for this message

Paul F (boxjunk) wrote on 2012-09-25:

Example corrupted package list file from /var/lib/apt/lists Edit (6.7 KiB, text/html)

Still present in 12.04 LTS, Precise running apt 0.8.16

In my case the corrupted package list files in /var/lib/apt/lists are caused by the router redirecting to an internal help page when it realises that its internet connection is down. So, when a fetch is attempted from, say gb.archive.ubuntu.com/ubuntu/dists/precise-updates/universe/binary-i386/Packages when checking for updates what comes back is the html source from the router's help page (example attached -- line 52 contains the requested url).

It would appear that no sanity check is done on the returned data leaving subsequent parse attempts to choke. The corrupted files remain and may propagate (???) causing other update failures.

On a security note, it occurs to me that an attacker in control of the router could return crafted files in place of apt's package lists to introduce malware as part of the normal automated update process. I trust checks are in place to prevent this???

Revision history for this message

Paul F (boxjunk) wrote on 2012-09-25:

See also Bug #756317, Bug #1001209, Bug #1034834

Revision history for this message

Paul F (boxjunk) wrote on 2012-09-25:

See also Bug #1055614

Revision history for this message

Bryan (brywilharris) wrote on 2012-09-26: Re: [Bug 1055614] Re: captive web portal corrupt Indexes

I have pointed this out privately.

brywilharris (at) gmail (dot) com
On Sep 25, 2012 11:25 AM, "Paul F" <email address hidden> wrote:

> See also Bug #756317, Bug #1001209, Bug #1034834
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1055614
>
> Title:
> captive web portal corrupt Indexes
>
> Status in “update-manager” package in Ubuntu:
> Confirmed
>
> Bug description:
> When the computer is connected to a captive web portal, the update
> manager does not check to see that files downloaded are valid indexes.
> This results in the web portal's html file being written over some or
> all of the files in /var/lib/apt/lists. I have been able to remove
> the corrupted files (assuming if they are that easy to overwrite, then
> blowing them away will be OK too) with the following command:
>
> cd /var/lib/apt/lists
> for foo in `grep -r weblogin.jsp .|cut -f 1 -d ':'`; do sudo rm -f $foo;
> done
>
> This is not something a new user could be expected to do. I don't
> know if the behavior has changed recently, but this is the second time
> I have run into this bug in the last month.
>
> This results in complete breakage of the update system stops all
> updating until it is fixed. The user does get a little red error icon
> with an relatively opaque error message which was how I knew to look
> in the /var/lib/apt/lists directory.
>
> This prevents all security updates so I have flagged it as a security
> vulnerability.
>
> 1) The release of Ubuntu you are using, via 'lsb_release -rd' or System
> -> About Ubuntu
> bryan@bryan-Aspire-V3-771:~/temp$ lsb_release -rd
> Description: Ubuntu 12.04.1 LTS
> Release: 12.04
>
> 2) The version of the package you are using, via 'apt-cache policy
> pkgname' or by checking in Software Center
> bryan@bryan-Aspire-V3-771:~/temp$ apt-cache policy update-manager
> update-manager:
> Installed: 1:0.156.14.9
> Candidate: 1:0.156.14.9
> Version table:
> *** 1:0.156.14.9 0
> 500 http://us.archive.ubuntu.com/ubuntu/ precise-updates/main
> amd64 Packages
> 100 /var/lib/dpkg/status
> 1:0.156.14.5 0
> 500 http://security.ubuntu.com/ubuntu/ precise-security/main
> amd64 Packages
> 1:0.156.14 0
> 500 http://us.archive.ubuntu.com/ubuntu/ precise/main amd64
> Packages
>
> 3) What you expected to happen
> /var/lib/apt/lists should not get corrupted when the computer is on a
> captive portal before login.
>
> 4) What happened instead
> /var/lib/apt/lists does get corrupted in a way that has no (obvious to a
> normal user) fix.
>
> To manage notifications about this bug go to:
>
> https://bugs.launchpad.net/ubuntu/+source/update-manager/+bug/1055614/+subscriptions
>

I have pointed this out privately.

brywilharris (at) gmail (dot) com
On Sep 25, 2012 11:25 AM, "Paul F" <boxjunk@hotmail.co.uk> wrote:

> See also Bug #756317, Bug #1001209, Bug #1034834
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1055614
>
> Title:
>   captive web portal corrupt Indexes
>
> Status in “update-manager” package in Ubuntu:
>   Confirmed
>
> Bug description:
>   When the computer is connected to a captive web portal, the update
>   manager does not check to see that files downloaded are valid indexes.
>   This results in the web portal's html file being written over some or
>   all of the files in /var/lib/apt/lists.  I have been able to remove
>   the corrupted files (assuming if they are that easy to overwrite, then
>   blowing them away will be OK too) with the following command:
>
>   cd /var/lib/apt/lists
>   for foo in `grep -r weblogin.jsp .|cut -f 1 -d ':'`; do sudo rm -f $foo;
> done
>
>   This is not something a new user could be expected to do.   I don't
>   know if the behavior has changed recently, but this is the second time
>   I have run into this bug in the last month.
>
>   This results in complete breakage of the update system stops all
>   updating until it is fixed.  The user does get a little red error icon
>   with an relatively opaque error message which was how I knew to look
>   in the /var/lib/apt/lists directory.
>
>   This prevents all security updates so I have flagged it as a security
>   vulnerability.
>
>   1) The release of Ubuntu you are using, via 'lsb_release -rd' or System
> -> About Ubuntu
>   bryan@bryan-Aspire-V3-771:~/temp$ lsb_release -rd
>   Description:  Ubuntu 12.04.1 LTS
>   Release:      12.04
>
>   2) The version of the package you are using, via 'apt-cache policy
> pkgname' or by checking in Software Center
>   bryan@bryan-Aspire-V3-771:~/temp$ apt-cache policy update-manager
>   update-manager:
>     Installed: 1:0.156.14.9
>     Candidate: 1:0.156.14.9
>     Version table:
>    *** 1:0.156.14.9 0
>           500 http://us.archive.ubuntu.com/ubuntu/ precise-updates/main
> amd64 Packages
>           100 /var/lib/dpkg/status
>        1:0.156.14.5 0
>           500 http://security.ubuntu.com/ubuntu/ precise-security/main
> amd64 Packages
>        1:0.156.14 0
>           500 http://us.archive.ubuntu.com/ubuntu/ precise/main amd64
> Packages
>
>   3) What you expected to happen
>   /var/lib/apt/lists should not get corrupted when the computer is on a
> captive portal before login.
>
>   4) What happened instead
>   /var/lib/apt/lists does get corrupted in a way that has no (obvious to a
> normal user) fix.
>
> To manage notifications about this bug go to:
>
> https://bugs.launchpad.net/ubuntu/+source/update-manager/+bug/1055614/+subscriptions
>