Security issue in PackageKit
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
packagekit (Debian) |
Fix Released
|
Unknown
|
|||
packagekit (Ubuntu) |
Fix Released
|
Low
|
Unassigned | ||
Lucid |
Won't Fix
|
Medium
|
Unassigned | ||
Natty |
Won't Fix
|
Low
|
Unassigned | ||
Oneiric |
Won't Fix
|
Low
|
Unassigned | ||
Precise |
Won't Fix
|
Low
|
Unassigned | ||
Quantal |
Fix Released
|
Low
|
Unassigned |
Bug Description
Hi!
The Aptcc backend in PackageKit saves the changelog to a predictable location in /tmp. As packagekitd is running as root, bad people could just add a symlink named like the file in /tmp (e.g. to /etc/shadow) to screw up the system.
I fixed this in Debian already, you might want to take the patch (02_aptcc-
For Quantal, please merge/sync packagekit 0.7.4-4 from Debian Sid, which contains the patch and some other improvements.
Cheers,
Matthias
UPDATE: The same also applies for our Debconf handling. While the changelog-issue is fixed, this issue is still valid for debconf sockets.
I therefore reopened this bug on Quantal and linked the Debian issue, which will be fixed soon.
description: | updated |
Changed in packagekit (Ubuntu Quantal): | |
status: | Fix Released → Triaged |
Changed in packagekit (Debian): | |
status: | Unknown → New |
Changed in packagekit (Debian): | |
status: | New → Fix Released |
Changed in packagekit (Ubuntu Quantal): | |
status: | Triaged → Fix Released |
Thanks for your report!
Ubuntu has symlink restrictions enabled via Yama which should mitigate this problem on Ubuntu 11.04 and later (but we should still fix it). I see Quantal already has 0.7.4-4ubuntu2. Did Debian assign a CVE for it?