DistUpgradeViewKDE broken since last security update

Reported by Harald Sitter on 2012-02-16
Affects                   Importance   Assigned to
update-manager (Ubuntu)   Critical     Marc Deslauriers
Hardy                     Undecided    Marc Deslauriers
Lucid                     Undecided    Marc Deslauriers
Maverick                  Undecided    Marc Deslauriers
Natty                     Undecided    Marc Deslauriers
Oneiric                   Critical     Marc Deslauriers
Precise                   Critical     Marc Deslauriers

Bug Description

# mkstemp() returns an (fd, path) tuple; the tuple itself is then used as a path below
copyXauth = tempfile.mkstemp("", "adept")
if 'XAUTHORITY' in os.environ and os.environ['XAUTHORITY'] != copyXauth:
    shutil.copy(os.environ['XAUTHORITY'], copyXauth)
    os.environ["XAUTHORITY"] = copyXauth

<apachelogger> can't load DistUpgradeViewKDE (coercing to Unicode: need string or buffer, tuple found)
<apachelogger> bug 881541
<ubottu> Launchpad bug 881541 in update-manager (Ubuntu) "DistUpgrade/DistUpgradeViewKDE.py uses mktemp -- which is insecure" [Medium,Fix released] https://launchpad.net/bugs/881541
<apachelogger> http://docs.python.org/library/tempfile.html
<apachelogger> mkstemp() returns a tuple containing an OS-level handle to an open file (as would be returned by os.open()) and the absolute pathname of that file, in that order.
<apachelogger> shutil.copy(os.environ['XAUTHORITY'], copyXauth)
<apachelogger> I am the tuple in your string <3

     print os.environ['XAUTHORITY'] => /tmp/kde-me/xauth-1000-_0
     print copyXauth => (13, '/tmp/adeptTXo9jf')

Also: http://docs.python.org/library/shutil.html
shutil.copy(src, dst)
Copy the file src to the file or directory dst. If dst is a directory, a file with the same basename as src is created (or overwritten) in the directory specified. Permission bits are copied. src and dst are path names given as strings.
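The tuple mix-up described above, reconstructed as an added Python 3 example (not code from update-manager): the regressed call beside a corrected one that unpacks mkstemp()'s return value, plus a check that the copy keeps the 0600 mode mkstemp() set. The function names and the sample file are constructed for illustration.

```python
import os
import shutil
import stat
import tempfile

def copy_xauth_broken(src, prefix="adept"):
    # Regressed pattern from the report: mkstemp() returns (fd, path) and
    # the whole tuple is handed to shutil.copy(), which wants a path.
    copy_xauth = tempfile.mkstemp("", prefix)
    try:
        shutil.copy(src, copy_xauth)
    except TypeError as err:
        os.close(copy_xauth[0])
        os.unlink(copy_xauth[1])
        return None, type(err).__name__
    return copy_xauth[1], None

def copy_xauth_fixed(env, prefix="adept"):
    # Unpack the tuple, close the unused descriptor, keep the path. mkstemp()
    # creates the file atomically with mode 0600 (why it replaced mktemp()).
    fd, path = tempfile.mkstemp("", prefix)
    os.close(fd)
    if "XAUTHORITY" in env and env["XAUTHORITY"] != path:
        # copyfile() copies data only; shutil.copy() would also copy the
        # source's permission bits over the 0600 that mkstemp() set.
        shutil.copyfile(env["XAUTHORITY"], path)
        env["XAUTHORITY"] = path
    return path

def is_private_regular_file(path):
    # A regular file readable and writable only by its owner.
    st = os.lstat(path)
    return stat.S_ISREG(st.st_mode) and stat.S_IMODE(st.st_mode) == 0o600

def demo():
    # Constructed sample: a throwaway stand-in for the Xauthority file.
    with tempfile.TemporaryDirectory() as tmpdir:
        src = os.path.join(tmpdir, "xauth-sample")
        with open(src, "wb") as f:
            f.write(b"constructed xauth bytes")
        os.chmod(src, 0o644)  # deliberately wider than 0600
        _, err = copy_xauth_broken(src)
        env = {"XAUTHORITY": src}
        dst = copy_xauth_fixed(env)
        with open(dst, "rb") as f:
            same = f.read() == b"constructed xauth bytes"
        ok = same and env["XAUTHORITY"] == dst and is_private_regular_file(dst)
        os.unlink(dst)
        return err, ok
```

demo() returns ("TypeError", True): the regressed call fails exactly as the report's error message says, while the corrected copy is byte-identical and stays owner-only.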

Changed in update-manager (Ubuntu):
status: New → Triaged
importance: Undecided → Critical
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in update-manager (Ubuntu Oneiric):
status: New → Triaged
importance: Undecided → Critical
assignee: nobody → Marc Deslauriers (mdeslaur)
milestone: none → oneiric-updates
Changed in update-manager (Ubuntu):
milestone: none → ubuntu-12.04-beta-1
Changed in update-manager (Ubuntu Hardy):
status: New → Confirmed
Changed in update-manager (Ubuntu Lucid):
status: New → Confirmed
Changed in update-manager (Ubuntu Maverick):
status: New → Confirmed
Changed in update-manager (Ubuntu Natty):
status: New → Confirmed
Changed in update-manager (Ubuntu Hardy):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in update-manager (Ubuntu Lucid):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in update-manager (Ubuntu Maverick):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in update-manager (Ubuntu Natty):
assignee: nobody → Marc Deslauriers (mdeslaur)
summary: - inability to QA utterly broke DistUpgradeViewKDE
+ DistUpgradeViewKDE broken since lastupdate
summary: - DistUpgradeViewKDE broken since lastupdate
+ DistUpgradeViewKDE broken since last security update
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package update-manager - 1:0.152.25.8

---------------
update-manager (1:0.152.25.8) oneiric-security; urgency=low

  * REGRESSION FIX:
    - DistUpgrade/DistUpgradeViewKDE.py: fix regression caused by improper
      return value handling. (LP: #933225)
  * This package does _not_ contain the changes from (1:0.152.25.6) and
    (1:0.152.25.7) in oneiric-proposed.
 -- Marc Deslauriers <email address hidden> Wed, 15 Feb 2012 22:33:18 -0500

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package update-manager - 1:0.150.5.2

---------------
update-manager (1:0.150.5.2) natty-security; urgency=low

  * REGRESSION FIX:
    - DistUpgrade/DistUpgradeViewKDE.py: fix regression caused by improper
      return value handling. (LP: #933225)
 -- Marc Deslauriers <email address hidden> Wed, 15 Feb 2012 22:43:43 -0500

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package update-manager - 1:0.142.23.2

---------------
update-manager (1:0.142.23.2) maverick-security; urgency=low

  * REGRESSION FIX:
    - DistUpgrade/DistUpgradeViewKDE.py: fix regression caused by improper
      return value handling. (LP: #933225)
 -- Marc Deslauriers <email address hidden> Wed, 15 Feb 2012 22:45:27 -0500

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package update-manager - 1:0.134.11.2

---------------
update-manager (1:0.134.11.2) lucid-security; urgency=low

  * REGRESSION FIX:
    - DistUpgrade/DistUpgradeViewKDE.py: fix regression caused by improper
      return value handling. (LP: #933225)
 -- Marc Deslauriers <email address hidden> Wed, 15 Feb 2012 22:47:06 -0500

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package update-manager - 1:0.87.33

---------------
update-manager (1:0.87.33) hardy-security; urgency=low

  * REGRESSION FIX:
    - DistUpgrade/DistUpgradeViewKDE.py: fix regression caused by improper
      return value handling. (LP: #933225)
 -- Marc Deslauriers <email address hidden> Thu, 16 Feb 2012 08:30:21 -0500

Changed in update-manager (Ubuntu Hardy):
status: Confirmed → Fix Released
Changed in update-manager (Ubuntu Lucid):
status: Confirmed → Fix Released
Changed in update-manager (Ubuntu Maverick):
status: Confirmed → Fix Released
Changed in update-manager (Ubuntu Natty):
status: Confirmed → Fix Released
Changed in update-manager (Ubuntu Oneiric):
status: Triaged → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package update-manager - 1:0.156.5

---------------
update-manager (1:0.156.5) precise; urgency=low

  [ Brian Murray ]
  * do-release-upgrade: capitalize U in ubuntu
  * debian/source_update-manager.py: add screenlog.0 from
    /var/log/dist-upgrade to apport bug reports

  [ Marc Deslauriers ]
  * DistUpgrade/DistUpgradeViewKDE.py: fix regression caused by improper
    return value handling. (LP: #933225)
 -- Michael Vogt <email address hidden> Thu, 16 Feb 2012 17:30:58 +0100

Changed in update-manager (Ubuntu Precise):
status: Triaged → Fix Released
Harald Sitter (apachelogger) wrote :

Thank you for getting this resolved so quickly.

description: updated