[Bug 701378] Re: update-manager seems to insecurely check if a file is valid
Walter Garcia-Fontes
walter.garcia at upf.edu
Thu Dec 15 19:48:08 UTC 2011
** Package changed: update-manager-core (Ubuntu) => update-manager (Ubuntu)
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to update-manager in Ubuntu.
https://bugs.launchpad.net/bugs/701378
Title:
update-manager seems to insecurely check if a file is valid
Status in “update-manager” package in Ubuntu:
Confirmed
Bug description:
Binary package hint: update-manager-core
I think update-manager has a security problem:
# grep URI /etc/update-manager/meta-release | head -2
URI = http://changelogs.ubuntu.com/meta-release
URI_LTS = http://changelogs.ubuntu.com/meta-release-lts
Changelogs are checked over the URL http://changelogs.ubuntu.com/meta-release where you will find something like this:
Dist: maverick
[..]
UpgradeTool: http://archive.ubuntu.com/ubuntu/dists/maverick-updates/main/dist-upgrader-all/current/maverick.tar.gz
UpgradeToolSignature: http://archive.ubuntu.com/ubuntu/dists/maverick-updates/main/dist-upgrader-all/current/maverick.tar.gz.gpg
Presumably, the UpgradeToolSignature is used to verify the
UpgradeTool.
So update-manager does two things:
* Gets a signature that verifies a file.
* Gets a file.
* Checks the signature verifies the file.
But because this is happening over http without ssl, the signature or
the file or both can be replaced.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/update-manager/+bug/701378/+subscriptions
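The meta-release lookup and the signature check the report describes, as an added example written for this page (not update-manager's own code). It parses the stanza format quoted above from a constructed sample and verifies the downloaded tarball with gpgv against a pinned keyring only, so that a file and signature swapped in transit over plain http fail verification instead of being accepted; the keyring path is an assumption, as is the sample text.

```python
import subprocess
from pathlib import Path

# Constructed sample in the format quoted in the bug report (only the fields
# used here are included; real stanzas carry more).
SAMPLE_META_RELEASE = """\
Dist: maverick
UpgradeTool: http://archive.ubuntu.com/ubuntu/dists/maverick-updates/main/dist-upgrader-all/current/maverick.tar.gz
UpgradeToolSignature: http://archive.ubuntu.com/ubuntu/dists/maverick-updates/main/dist-upgrader-all/current/maverick.tar.gz.gpg

Dist: natty
UpgradeTool: http://archive.ubuntu.com/ubuntu/dists/natty-updates/main/dist-upgrader-all/current/natty.tar.gz
UpgradeToolSignature: http://archive.ubuntu.com/ubuntu/dists/natty-updates/main/dist-upgrader-all/current/natty.tar.gz.gpg
"""

# Assumed path of the archive signing keyring. The point is that it comes from
# a locally installed, trusted package, never from the same http download.
TRUSTED_KEYRING = "/usr/share/keyrings/ubuntu-archive-keyring.gpg"


def parse_meta_release(text):
    """Split the meta-release file into one dict per blank-line-separated stanza."""
    stanzas, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                stanzas.append(current)
            current = {}
            continue
        key, _, value = line.partition(":")  # first colon ends the key; URLs keep theirs
        current[key.strip()] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas


def upgrade_tool_for(text, dist):
    """Return (tarball_url, signature_url) for a release, or None if either is absent."""
    for stanza in parse_meta_release(text):
        if stanza.get("Dist") == dist:
            tool, sig = stanza.get("UpgradeTool"), stanza.get("UpgradeToolSignature")
            return (tool, sig) if tool and sig else None
    return None


def verify_upgrade_tool(tarball, signature, keyring=TRUSTED_KEYRING):
    """Verify the detached signature against the pinned keyring only.

    gpgv consults just the keyring it is given, so a key that arrived over the
    same unauthenticated channel cannot satisfy the check. Any failure (bad
    signature, unknown key, missing keyring, gpgv not installed) fails closed."""
    if not Path(keyring).is_file():
        return False
    try:
        result = subprocess.run(["gpgv", "--keyring", keyring, signature, tarball],
                                capture_output=True, check=False)
    except OSError:
        return False
    return result.returncode == 0
```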