apt_pkg configuration leaks in get_pkg_candidate_version
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
ubuntu-advantage-tools (Ubuntu) | Fix Released | Undecided | Unassigned | |
Xenial | Fix Released | Undecided | Unassigned | |
Bionic | Fix Released | Undecided | Unassigned | |
Focal | Fix Released | Undecided | Unassigned | |
Jammy | Fix Released | Undecided | Unassigned | |
Kinetic | Fix Released | Undecided | Unassigned | |
Bug Description
[Impact]
Users who import and run the uaclient.
The fix is to use the same context manager used for security-status, which guarantees that the configuration is the same before and after u-a-t accesses any of the Caches.
[Test Case]
- On any release, in a Python interpreter:
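```
import apt
from uaclient.apt import get_pkg_candidate_version

# Size of the apt Cache before the call
print(len(apt.Cache()))
# "PACKAGE" is a placeholder for a package name
v = get_pkg_candidate_version("PACKAGE")
# Size of the apt Cache after the call; it should match the first value
print(len(apt.Cache()))
```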
The size of the Cache should match, before and after the function call.
On u-a-t 27.14, this fails.
[Regression Potential]
If we fix this the wrong way, people may still get their apt_pkg config in a state they wouldn't expect for the specific python process they are running. This would be the same as not fixing it. Our test aims to mitigate the possibility of such a thing happening.
[Discussion]
There is a really small chance of this bug happening, given there are no user flows including this function being called directly, and process isolation takes care of the rest. However, given the specificities of the apt and apt_pkg integration in u-a-t, it is important to fix this and cover any corner case.
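An added sketch of the pattern described in [Impact] and checked in [Test Case] (not the uaclient code): a context manager snapshots a process-global configuration and restores it on exit, so a library helper cannot leak its changes to the importing process. `GLOBAL_CONFIG`, the function names and all values are constructed stand-ins, used so the example runs without python-apt.

```python
from contextlib import contextmanager

# Constructed stand-in for a process-global config store such as apt_pkg.config.
GLOBAL_CONFIG = {"Dir": "/", "Dir::State::lists": "var/lib/apt/lists"}


@contextmanager
def preserved_config(config):
    """Snapshot config on entry and restore it on exit, even on error."""
    snapshot = dict(config)
    try:
        yield config
    finally:
        # Drop keys added inside the block and undo changed values.
        config.clear()
        config.update(snapshot)


def leaky_candidate_lookup(pkg):
    """Hypothetical helper: changes the global config and never restores it."""
    GLOBAL_CONFIG["Dir::State::lists"] = "/tmp/private-lists"  # changed key
    GLOBAL_CONFIG["Dir::Etc::sourcelist"] = "/tmp/private.list"  # new key
    return "1.0-constructed"


def isolated_candidate_lookup(pkg):
    """Same lookup, wrapped so the caller's config is untouched afterwards."""
    with preserved_config(GLOBAL_CONFIG):
        return leaky_candidate_lookup(pkg)


def config_leaked(func, pkg="example-pkg"):
    """Regression check shaped like the test case: compare before and after."""
    before = dict(GLOBAL_CONFIG)
    try:
        func(pkg)
    except Exception:
        pass  # a failing call must not leak configuration either
    leaked = GLOBAL_CONFIG != before
    # Reset the stand-in so each check starts from the same state.
    GLOBAL_CONFIG.clear()
    GLOBAL_CONFIG.update(before)
    return leaked


if __name__ == "__main__":
    print("unwrapped leaks:", config_leaked(leaky_candidate_lookup))
    print("wrapped leaks:", config_leaked(isolated_candidate_lookup))
```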
Related branches
- Athos Ribeiro (community): Approve
- Canonical Server Core Reviewers: Pending requested
- Diff: 106 lines (+30/-25), 4 files modified
  - debian/changelog (+8/-0)
  - uaclient/apt.py (+21/-22)
  - uaclient/security_status.py (+0/-2)
  - uaclient/version.py (+1/-1)
This bug was fixed in the package ubuntu-advantage-tools - 27.14.1~23.04.1
---------------
ubuntu-advantage-tools (27.14.1~23.04.1) lunar; urgency=medium
  * New upstream release 27.14.1
    - apt: fix a configuration leak in the apt.get_pkg_candidate_version
      function (LP: #2012642)
 -- Renan Rodrigo <email address hidden> Thu, 23 Mar 2023 13:41:05 -0300