Update manager calls gksu instead of /usr/bin/gksu

Bug #194166 reported by Mihai Varzaru on 2008-02-21
256
Affects Status Importance Assigned to Milestone
Software Updater
Fix Released
Undecided
James Westby
update-manager (Ubuntu)
Undecided
Michael Vogt

Bug Description

Binary package hint: update-manager

gksu is called without giving the full path. An application that has normal user rights could use this for an elevation of privilege by modifying the PATH variable. After it modifies the PATH variable to point to a location where it holds a custom gksu script it has just to wait for the the next Ubuntu update in order to run with root privileges.

The code for this is in UpdateManager.py, run_synaptic function, line 697 on version 0.81.2:
cmd = ["gksu", "--desktop", "/usr/share/applications/update-manager.desktop",

Found in:
  Ubuntu 7.10
  Package: update-manager v. 0.81.2

It is also present in Ubuntu Hardy, update-manager v. 0.87.9. It seems that the problem was introduces in Ubuntu Edgy, update manager v. 0.45.

Mihai Varzaru (mihaiv) wrote :
Mihai Varzaru (mihaiv) on 2008-02-24
description: updated
James Westby (james-w) wrote :

Hi,

Attached is a patch to fix this issue.

I could not see any more vulnerable calls to gksu.
However, I could not find any kdesu calls to audit.

Thanks,

James

Changed in update-manager:
assignee: nobody → james-w
status: New → In Progress
Michael Vogt (mvo) on 2008-03-10
Changed in update-manager:
assignee: nobody → mvo
status: New → Fix Committed
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package update-manager - 1:0.87.11

---------------
update-manager (1:0.87.11) hardy; urgency=low

  * DistUpgrade/DistUpgradeControler.py:
    - when upgrading without network and with a empty sources.list,
      do not ask to add network sources
  * DistUpgrade/DistUpgradeCache.py:
    - do not crash if lookupRecords() failed (LP: #199482)
  * UpdateManager/UpdateManager.py:
    - use absolute path when calling gksu (LP: #194166),
      Thanks to Mihai Varzaru and James Westby
  * data/update-manager.desktop.in:
    - improve consistency with the rest of gnome (LP: #150205)
  * DistUpgrade/DistUpgradeViewKDE.py:
    - do no longer use konsole during upgrades but use a dumb
      terminal instead that only supports basic editing
    - log terminal activity to /var/log/dist-upgrade/term.log

 -- Michael Vogt <email address hidden> Tue, 11 Mar 2008 09:40:49 +0100

Changed in update-manager:
status: Fix Committed → Fix Released
Kees Cook (kees) on 2009-01-10
Changed in update-manager:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers