persistent MitM can truncate list of files passed as script command line arguments

Bug #979426 reported by Kees Cook on 2012-04-11
Affects: update-notifier (Ubuntu)
Importance: Medium
Assigned to: Unassigned

Bug Description

This is a currently useless vulnerability from what I can see, but if someone is able to MitM an Ubuntu system for 3 days when running /usr/lib/update-notifier/package-data-downloader, it will be possible to remove files from the "script" command line:

def record_failure(hook):
        """Record that the named hook has failed"""
        if hook_aged_out(hook):
                permanent_failures.append(hook)
        else:
                failures.append(hook)

...

                                        for i in range(len(files)):
                                                print files[i]
                                                dest_file = urllib.urlretrieve(files[i])[0]
                                                output = subprocess.check_output(["sha256sum", dest_file])
                                                output = output.split(' ')[0]
                                                if output == sums[i]:
                                                        command.append(dest_file)
                                                else:
                                                        record_failure(relfile)
                                                        break
                                        if relfile in failures:
                                                break

                                        result = subprocess.call(command)

If a file fails sha256 sums for 3 days, it will trigger "hook_aged_out", which means it will _not_ be added to the "failures" global, so the "if relfile in failures" test will fail, allowing the command to execute with only the subset of non-failed files, which does not seem to be the intended behavior.

Currently both users of this feature (flashplugin-installer, ttf-mscorefonts-installer) seem to fail gracefully when lacking expected command line arguments. Regardless, this code should be fixed before more users come along and depend on the order of files, etc.

Additionally it would be nice if sys.stdout.flush() was called before subprocess runs so that my cron email makes sense instead of freaking me out as badly next time:

/etc/cron.daily/update-notifier-common:
Installing from local file /tmp/tmp_Vt6St.gz
Flash Plugin installed.
http://archive.canonical.com/pool/partner/a/adobe-flashplugin/adobe-flashplugin_11.2.202.228.orig.tar.gz

Kees Cook (kees) on 2012-04-11
visibility: private → public
summary: - persistent MitM can remove files from script command line arguments
+ persistent MitM can truncate list of files passed as script command line
+ arguments
Kees Cook (kees) wrote :

(Unrelated: to be "purge" safe, /etc/cron.daily/update-notifier-common should test for /usr/lib/update-notifier/package-data-downloader before executing it.)

Steve Langasek (vorlon) on 2012-04-13
Changed in update-notifier (Ubuntu):
importance: Undecided → Medium
status: New → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package update-notifier - 0.119ubuntu7

---------------
update-notifier (0.119ubuntu7) precise; urgency=low

  * Use <proto>_proxy environment variables to choose the proxy to use for
    data downloads, not the apt proxy settings, because apt may be
    configured to point at a package-specific proxy. This makes proxy
    configuration a little less convenient than before for the
    flashplugin-installer package, but at least it makes it possible to
    have a different proxy setting for packages vs. arbitrary data
    downloads, which otherwise we don't have any way to support.
    LP: #979477.
  * Stop processing after a fatal download error, not just a transient one,
    so that we can't be tricked into feeding a partial list of files to a
    handler. Thanks to Kees Cook for spotting the bug. LP: #979426.
  * Flush stdout before calling subprocess, so that log output makes more
    sense.
  * Print a more meaningful status message when downloading, instead of just
    a bare URL.
  * Check for existence of /usr/lib/update-notifier/package-data-downloader
    before trying to run it from our cron job, so that the package doesn't
    generate error messages when removed but not purged.
  * The action for our notification should call gksu instead of trying to
    run the command directly without root access. This is imperfect because
    kubuntu won't have gksudo available by default, but it's an improvement
    over failing for everybody. LP: #976761.
 -- Steve Langasek <email address hidden> Fri, 13 Apr 2012 03:49:10 +0000

Changed in update-notifier (Ubuntu):
status: Fix Committed → Fix Released
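
The reported logic beside one way to implement the changelog's "stop processing after a fatal download error", as an added Python 3 example that is not part of the original report or the update-notifier source. The names build_command, mitm_fetch and the fixed flag, the hook name and the URLs are constructed for illustration, and downloads are simulated in memory.

```python
import hashlib

# Constructed sample data: three files a hook expects, keyed by URL.
GOOD = {"http://example.invalid/a": b"alpha",
        "http://example.invalid/b": b"bravo",
        "http://example.invalid/c": b"charlie"}
URLS = list(GOOD)
SUMS = [hashlib.sha256(GOOD[u]).hexdigest() for u in URLS]


def mitm_fetch(url):
    """Stand-in for the download: the second file's content is altered in transit."""
    return b"tampered" if url == URLS[1] else GOOD[url]


def build_command(script, fetch, aged_out, fixed):
    """Return the argv the handler would be run with, or None if it is skipped.

    aged_out models hook_aged_out() returning True (checksum failing for 3 days).
    fixed=False reproduces the reported logic; fixed=True stops on any failure.
    """
    failures, permanent_failures = [], []
    hook = "hook"  # hypothetical hook name
    command = [script]
    failed = False
    for url, expected in zip(URLS, SUMS):
        data = fetch(url)
        if hashlib.sha256(data).hexdigest() == expected:
            command.append(url)  # the real code appends the downloaded temp path
        else:
            # Same split as record_failure(): aged-out hooks go to the other list.
            (permanent_failures if aged_out else failures).append(hook)
            failed = True
            break
    if fixed:
        skip = failed  # transient or permanent, a failure stops processing
    else:
        skip = hook in failures  # reported check: permanent failures fall through
    return None if skip else command
```

With the reported check, an aged-out hook yields an argv holding only the files verified before the first mismatch; with the fixed check the handler is not run at all.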
This report contains Public Security information
Everyone can see this security related information.
