Ubuntu

Security issue in PackageKit

Reported by Matthias Klumpp on 2012-06-02
260
This bug affects 1 person
Affects Status Importance Assigned to Milestone
packagekit (Debian)
Fix Released
Unknown
packagekit (Ubuntu)
Low
Unassigned
Lucid
Medium
Unassigned
Natty
Low
Unassigned
Oneiric
Low
Unassigned
Precise
Low
Unassigned
Quantal
Low
Unassigned

Bug Description

Hi!
The Aptcc backend in PackageKit saves the changelog to a predictable location in /tmp. As packagekitd is running as root, bad people could just add a symlink named like the file in /tmp (e.g. to /etc/shadow) to screw up the system.
I fixed this in Debian already, you might want to take the patch (02_aptcc-changelog-random-dir.patch) from there and apply it to Precise, if possible.
For Quantal, please merge/sync packagekit 0.7.4-4 from Debian Sid, which contains the patch and some other improvements.
Cheers,
   Matthias

UPDATE: The same also applies for our Debconf handling. While the changelog-issue is fixed, this issue is still valid for debconf sockets.
I therefore reopened this bug on Quantal and linked the Debian issue, which will be fixed soon.

Jamie Strandboge (jdstrand) wrote :

Thanks for your report!

Ubuntu has symlink restrictions enabled via Yama which should mitigate this problem on Ubuntu 11.04 and later (but we should still fix it). I see Quantal already has 0.7.4-4ubuntu2. Did Debian assign a CVE for it?

Changed in packagekit (Ubuntu Lucid):
status: New → Triaged
importance: Undecided → Medium
Changed in packagekit (Ubuntu Natty):
status: New → Triaged
importance: Undecided → Low
Changed in packagekit (Ubuntu Oneiric):
status: New → Triaged
importance: Undecided → Low
Changed in packagekit (Ubuntu Precise):
status: New → Triaged
importance: Undecided → Low
Changed in packagekit (Ubuntu Quantal):
importance: High → Low
status: New → Fix Released
Jamie Strandboge (jdstrand) wrote :

Since this is already public via the Debian upload, marking this public.

visibility: private → public
Matthias Klumpp (ximion) wrote :

No, there is no CVE yet - I don't know how to create one :P
This issue is unfortunately also present in our implementation of Debconf and will also need to be fixed there. (work is in progress)
Thanks!

Matthias Klumpp (ximion) on 2012-06-22
description: updated
Changed in packagekit (Ubuntu Quantal):
status: Fix Released → Triaged
Changed in packagekit (Debian):
status: Unknown → New
Changed in packagekit (Debian):
status: New → Fix Released
Matthias Klumpp (ximion) wrote :

Depends on someone fixing bug #1040086 (Sync packagekit from Debian) now.

Matthias Klumpp (ximion) on 2012-09-10
Changed in packagekit (Ubuntu Quantal):
status: Triaged → Fix Released
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. natty has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against natty is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

Changed in packagekit (Ubuntu Natty):
status: Triaged → Won't Fix
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. oneiric has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against oneiric is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

Changed in packagekit (Ubuntu Oneiric):
status: Triaged → Won't Fix
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.