Information disclosure in org.debian.apt.UpdateCachePartially

Bug #722228 reported by Sergey Nizovtsev
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
aptdaemon (Ubuntu) | Fix Released | Medium | Michael Vogt |
Maverick | Fix Released | Medium | Marc Deslauriers |
Natty | Fix Released | Medium | Michael Vogt |

Bug Description

Binary package hint: aptdaemon

Starting from Ubuntu 10.10, the aptdaemon shipped with Ubuntu allows normal users to update the APT cache without a password prompt (because they are granted PolicyKit's org.debian.apt.update-cache action by default). The UpdateCachePartially method doesn't check the "sources_list" argument properly, and it's possible to use it for viewing any file in the system. See the proof-of-concept Python script for details.

How to test: log in as a normal Ubuntu user and run "python apt-hole /etc/shadow" (for example) to see the /etc/shadow content.

ProblemType: Bug
DistroRelease: Ubuntu 11.04
Package: python-aptdaemon 0.40+bzr541-0ubuntu2
ProcVersionSignature: Ubuntu 2.6.38-4.31-generic 2.6.38-rc5
Uname: Linux 2.6.38-4-generic x86_64
Architecture: amd64
Date: Sun Feb 20 20:00:09 2011
InstallationMedia: Ubuntu 10.04 "Lucid Lynx" - Beta amd64 (20100406.1)
PackageArchitecture: all
ProcEnviron:
 LANGUAGE=ru:en
 PATH=(custom, user)
 LANG=ru_RU.UTF-8
 LC_MESSAGES=ru_RU.UTF-8
 SHELL=/bin/bash
SourcePackage: aptdaemon

Tags: maverick natty
Sergey Nizovtsev (snizovtsev) wrote :
Marc Deslauriers (mdeslaur) wrote :

Thanks for reporting this. I can confirm this flaw on Maverick.

Changed in aptdaemon (Ubuntu):
status: New → Confirmed
importance: Undecided → Medium
Changed in aptdaemon (Ubuntu Maverick):
status: New → Confirmed
importance: Undecided → Medium
Kees Cook (kees) wrote : Re: [Bug 722228] Re: Information disclosure in org.debian.apt.UpdateCachePartially

CVE-2011-0725

Changed in aptdaemon (Ubuntu Maverick):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in aptdaemon (Ubuntu Natty):
assignee: nobody → Michael Vogt (mvo)
Michael Vogt (mvo)
Changed in aptdaemon (Ubuntu Maverick):
status: Confirmed → In Progress
Changed in aptdaemon (Ubuntu Natty):
status: Confirmed → In Progress
Michael Vogt (mvo) wrote :

Thanks a lot for this bug report. Attached is a fix that should protect from this bug without breaking anything in maverick. I tested it against the software-center and did not notice any regressions.

Marc Deslauriers (mdeslaur) wrote :

We are currently preparing security updates for this issue.

Please do not release a fix, make public revision control commits, comment in public bug reports or otherwise disclose information about this issue until the security updates have been published.

Thanks.

Marc Deslauriers (mdeslaur) wrote :

@Sergey: we usually credit the person who discovered security issues in our Ubuntu Security Notice. If you do not want to be credited, please say so before we publish. Thanks.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package aptdaemon - 0.31+bzr506-0ubuntu6.1

---------------
aptdaemon (0.31+bzr506-0ubuntu6.1) maverick-security; urgency=low

  * SECURITY UPDATE: Unprivileged arbitrary file disclosure (LP: #722228)
    - debian/patches/11_fix_lp722228.patch: only allow alternative
      sources.list files inside the sources.list.d directory in
      aptdaemon/worker.py. Add test to aptdaemon/test/test_lp722228.py.
    - CVE-2011-0725
  * This update does NOT include the changes from 0.31+bzr506-0ubuntu6 that
    was in -proposed.
 -- Marc Deslauriers <email address hidden> Tue, 22 Feb 2011 08:06:34 -0500

Changed in aptdaemon (Ubuntu Maverick):
status: In Progress → Fix Released
visibility: private → public
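
The changelog above describes the fix as allowing alternative sources.list files only inside the sources.list.d directory. One way to write that kind of containment check, as an added example: it is not the contents of 11_fix_lp722228.patch or aptdaemon's own code, and `resolve_sources_list`, `SourcesListNotAllowed` and the sample files are hypothetical names constructed for illustration.

```python
import os
import tempfile


class SourcesListNotAllowed(Exception):
    """The requested sources.list path resolves outside the allowed directory."""


def resolve_sources_list(requested, sources_dir):
    """Return the canonical path of `requested` if it is a file inside sources_dir."""
    base = os.path.realpath(sources_dir)
    # join() keeps an absolute `requested` as is; realpath() collapses "../"
    # and follows symlinks, so the test below sees the file actually reached.
    resolved = os.path.realpath(os.path.join(base, requested))
    # commonpath compares whole components, so "sources.list.d-x" is not inside.
    inside = resolved != base and os.path.commonpath([base, resolved]) == base
    if not (inside and os.path.isfile(resolved)):
        raise SourcesListNotAllowed(requested)
    return resolved


def demo():
    """Check constructed inputs in a temporary tree; returns {label: accepted}."""
    with tempfile.TemporaryDirectory() as root:
        sources_dir = os.path.join(root, "sources.list.d")
        os.mkdir(sources_dir)
        inside = os.path.join(sources_dir, "partner.list")
        outside = os.path.join(root, "outside.txt")  # stands in for a protected file
        for path in (inside, outside):
            with open(path, "w") as fh:
                fh.write("# constructed sample\n")
        os.symlink(outside, os.path.join(sources_dir, "link.list"))
        cases = {
            "bare name": "partner.list",
            "absolute inside": inside,
            "absolute outside": outside,
            "dot-dot": "../outside.txt",
            "symlink out": "link.list",
        }
        results = {}
        for label, requested in cases.items():
            try:
                resolve_sources_list(requested, sources_dir)
                results[label] = True
            except SourcesListNotAllowed:
                results[label] = False
        return results


if __name__ == "__main__":
    print(demo())
```

A privileged caller should hand the returned canonical path to whatever reads the file, not the caller-supplied string, so the path that was checked is the path that is opened.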
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package aptdaemon - 0.41+bzr586-0ubuntu1

---------------
aptdaemon (0.41+bzr586-0ubuntu1) natty; urgency=low

  * new bzr snapshot that contains a security fix for
    LP: #722228
  * support for set-candidate-release added
  * debian/control:
    - remove python-{unittest2,mock} from the build-depends
    - build for python >= 2.7
  * disable testsuite during build time until the MIR for
    python-{unittest2,mock} are done
 -- Michael Vogt <email address hidden> Tue, 22 Feb 2011 16:18:34 +0100

Changed in aptdaemon (Ubuntu Natty):
status: In Progress → Fix Released
akram (awartany) wrote :

<email address hidden>

Changed in aptdaemon (Ubuntu):
assignee: Michael Vogt (mvo) → akram (awartany)
Changed in aptdaemon (Ubuntu):
assignee: akram (awartany) → Michael Vogt (mvo)
kent (kentc34)
Changed in aptdaemon (Ubuntu):
assignee: Michael Vogt (mvo) → kent (kentc34)
monty (mantukumar359)
Changed in aptdaemon (Ubuntu):
assignee: kent (kentc34) → monty (mantukumar359)
chuangwen (drxiaowen)
description: updated
Changed in aptdaemon (Ubuntu):
assignee: monty (mantukumar359) → jeffrey Ortiz (jerfdog361)
information type: Public Security → Private Security
Alex Murray (alexmurray)
information type: Private Security → Public Security
Changed in aptdaemon (Ubuntu):
assignee: jeffrey Ortiz (jerfdog361) → Michael Vogt (mvo)
This report contains Public Security information  
Everyone can see this security related information.
