apt-listchanges causes update-manager to appear to hang

Bug #995195 reported by Malcolm Scott on 2012-05-05
This bug affects 32 people
Affects: apt-listchanges (Ubuntu) | Importance: Undecided | Assigned to: Unassigned
Affects: update-manager (Ubuntu) | Importance: High | Assigned to: Unassigned

Bug Description

If apt-listchanges is configured to show package changelogs, update-manager displays them in 'less' in a hidden terminal which waits for the user to quit and continue. There is no indication in update-manager that something off-screen is waiting for input. The only status message reads "Applying changes".

To continue, the user must click 'Details' then interact with apt-listchanges in the terminal.

Screenshots attached.

ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: update-manager 1:0.156.14.1
ProcVersionSignature: Ubuntu 3.2.0-24.37-generic 3.2.14
Uname: Linux 3.2.0-24-generic x86_64
NonfreeKernelModules: nvidia
ApportVersion: 2.0.1-0ubuntu7
Architecture: amd64
Date: Sat May 5 18:51:55 2012
GsettingsChanges:
 com.ubuntu.update-manager check-new-release-ignore 'oneiric'
 com.ubuntu.update-manager first-run false
 com.ubuntu.update-manager launch-time 1336240007
 com.ubuntu.update-manager window-height 600
 com.ubuntu.update-manager window-width 600
PackageArchitecture: all
SourcePackage: update-manager
UpgradeStatus: Upgraded to precise on 2012-05-03 (2 days ago)

Malcolm Scott (malcscott) wrote :
Changed in update-manager (Ubuntu):
status: New → Triaged
importance: Undecided → High
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in apt-listchanges (Ubuntu):
status: New → Confirmed
Colan Schwartz (colan) wrote :

Also, now, I can't even click on "Details". When I do, nothing happens. No terminal opens.

Malcolm Scott (malcscott) wrote :

Colan: that's a different bug; please file a separate report.

Neal McBurnett (nealmcb) wrote :

Bug #787802 is the same bug, reported for Ubuntu 11.04 on the package apt-listchanges. One of these should presumably be a duplicate of the other.
According to that bug report, the synaptic tool handles this correctly, so presumably a similar approach could be used in update manager.

Lars Düsing (lars.duesing) wrote :

Best solution would be: let apt-listchanges test if there is a terminal or not.
Should apt-listchanges be added to this bug report?

Richard Hansen (rhansen) wrote :

Marking as a security vulnerability: As noted in <https://bugs.launchpad.net/ubuntu/+source/apt-listchanges/+bug/787802/comments/9>, it's possible to get to a root shell from 'less' (the pager invoked by apt-listchanges). While 'less' is displaying the list of changes, type '!sh' (without the quotes) and hit enter. This allows a user that is authorized to do the org.debian.apt.upgrade-packages policykit action to invoke arbitrary commands as root.

Note that users are not required to type a password to run the org.debian.apt.upgrade-packages action (see <https://wiki.ubuntu.com/SecurityTeam/FAQ#Update_Manager_doesn.27t_prompt_for_security_updates>). This makes it possible for malware running as the authorized user to gain root access without knowing the password.

security vulnerability: no → yes
Malcolm Scott (malcscott) wrote :

Whilst that does sound problematic, surely that is a separate issue entirely? This bug is about the update manager hiding apt-listchanges; your bug seems to imply that apt-listchanges shouldn't use less without some restrictions in place.
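
The two mitigations raised in this thread (testing for a terminal before paging, and not running 'less' without restrictions), as an added example that is not part of the bug report and is not apt-listchanges' own code. The function names are hypothetical and the sample text is constructed; LESSSECURE is the environment variable less(1) documents for its secure mode.

```python
import os
import subprocess
import sys

# Variables that add less options or pre/post-processors, or select another pager.
INHERITED_PAGER_VARS = ("PAGER", "LESS", "LESSOPEN", "LESSCLOSE")


def pager_plan(stdin_tty, stdout_tty, environ):
    """Return (argv, env) for the pager, or (None, None) to print plain text."""
    if not (stdin_tty and stdout_tty):
        # Nobody can answer a pager prompt, so do not start one.
        return None, None
    env = {k: v for k, v in environ.items() if k not in INHERITED_PAGER_VARS}
    # less(1) secure mode: disables "!" shell escapes, pipes, the editor
    # command and examining other files.
    env["LESSSECURE"] = "1"
    return ["less"], env


def show_changes(text, stdin=None, stdout=None, environ=None):
    """Display changelog text; returns "pager" or "text" to say which path ran."""
    stdin = sys.stdin if stdin is None else stdin
    stdout = sys.stdout if stdout is None else stdout
    environ = os.environ if environ is None else environ
    argv, env = pager_plan(stdin.isatty(), stdout.isatty(), environ)
    if argv is not None:
        try:
            # Text goes in on the pager's stdin; less reads keys from the tty.
            subprocess.run(argv, input=text.encode(), env=env, check=False)
            return "pager"
        except OSError:
            pass  # pager not installed or not executable: fall through
    stdout.write(text)
    return "text"


if __name__ == "__main__":
    # Constructed sample changelog entry, not taken from a real package.
    show_changes("example-pkg (1.0-2) unstable; urgency=low\n\n  * Sample entry.\n")
```

A terminal widget backed by a pty still reports as a tty, so the first check does not by itself cover a hidden embedded terminal; the secure-mode setting applies either way.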

This report contains Public Security information
Everyone can see this security related information.