[Bug 346386] Re: [MASTER] Update fails with invalid package files with "Encountered a section with no Package: header"
Hobson Lane
346386 at bugs.launchpad.net
Sat Jun 25 01:25:22 UTC 2011
Doesn't this bug allow malicious users to root any Ubuntu system
connected to a wifi cafe that uses web logon and no encryption?
I'm not sure if I understand this, but it seems like proxies can insert
URLs into the apt lists at will. And at logon-style wifi cafes, a
malicious user sitting at the table next to you could impersonate the
cafe proxy (MITM), potentially inserting whatever they like into the
lists URL. Wouldn't this then affect the Ubuntu upgrade and update
cycles, redirecting requests to those chosen by the malicious laptop
owner, perhaps weeks late while not connected to the malicious proxy?
Perhaps the user would be required to accept some bogus security
certificate before downloading the malicious code--so maybe only 10% of
infected Ubuntu users would be caught. But might it be possible that if
the user updates/upgrades while still connected through the malicious
proxy, the proxy could perform a MITM on the certificates and still get
the user to unknowingly install whatever "upgrades" the malicious user
intends, to root the wifi user's system.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/346386
Title:
[MASTER] Update fails with invalid package files with "Encountered a
section with no Package: header"
Status in “apt” package in Ubuntu:
Fix Released
Status in “apt” source package in Natty:
Fix Committed
Status in “apt” package in Debian:
Unknown
Bug description:
Binary package hint: adept-updater
Pertinent data printed when attempting to run Updater as follows:
An unresolvable problem occurred while initializing the package
information.
Please report this bug against the 'update-manager' package and
include the following error message:
'E:Encountered a section with no Package: header, E:Problem with
MergeList /var/lib/apt/lists/us.archive.ubuntu.com_ubuntu_dists_intrepid_universe_binary-amd64_Packages,
E:The package lists or status file could not be parsed or opened.'
WORKAROUND:
Remove problematic files from /var/lib/apt/lists/ and rerun apt-get update.
In the event that one is connected to a network with a proxy server
that returns html pages (like a web page requesting you to login) and
not package list files, those html files will get downloaded to
/var/lib/apt/lists/ and prevent someone from using a package manager
until the problem html pages are removed.
TEST CASE:
1) Ensure /etc/apt/sources.list points to archive.ubuntu.com
2) Setup proxy server to block access to archive.ubuntu.com and return something like http://people.canonical.com/~brian/tmp/not-packages.html
3) Execute 'sudo apt-get update' in a terminal
4) Observe the following:
'E: Encountered a section with no Package: header
E: Problem with MergeList /var/lib/apt/lists/archive.ubuntu.com_ubuntu_dists_natty_main_binary-amd64_Packages
E: The package lists or status file could not be parsed or opened.'
5) Try 'apt-cache policy apt' and be sad that it doesn't work
With the proposed package installed repeat steps 1 to 3.
4) Observe the following:
'Get:1 http://archive.ubuntu.com oneiric InRelease [189 B]
Ign http://archive.ubuntu.com oneiric InRelease
E: GPG error: http://archive.ubuntu.com oneiric InRelease: The following signatures were invalid: NODATA 1 NODATA 2'
5) Try 'apt-cache policy apt' and be happy that it works
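The test case above hinges on one parsing rule: a Packages file is a sequence of blank-line-separated stanzas, and apt refuses the whole list the moment it meets a stanza without a "Package:" field, which is exactly what a captive-portal HTML page looks like once it has been written to /var/lib/apt/lists/. The following script is an added example, not code from the bug report or from apt itself: it implements that check in plain Python so you can find the offending list files and print the rm commands the WORKAROUND calls for, rather than guessing which files to delete. The sample stanzas and the login page are constructed here for illustration, and the "_Packages" file-name suffix and the HTML sniffing heuristic are this example's own assumptions about what lands in the lists directory, not something the bug report specifies.

```python
#!/usr/bin/env python3
"""Find apt list files that are not Packages files (e.g. captive-portal HTML).

Added example for bug 346386; it is not part of apt or of the bug report.
It only reports and prints the cleanup commands, it never deletes anything.
"""
import os
import sys

# Constructed sample input: two well-formed stanzas, including a continuation line.
GOOD_PACKAGES = """Package: apt
Version: 0.8.16~exp5ubuntu13
Architecture: amd64
Description: Advanced front-end for dpkg
 This is Debian's next generation front-end for the dpkg package manager.

Package: dpkg
Version: 1.16.0.3ubuntu5
Architecture: amd64
"""

# Constructed sample input: the kind of page a login proxy returns instead of the list.
PORTAL_HTML = """<html><head><title>Welcome</title></head>
<body>Please log in to use the network.</body></html>
"""


def parse_stanzas(text):
    """Split RFC822-style control text into stanzas (one dict per stanza).

    A line starting with whitespace continues the previous field. A line that
    is not "Field: value" and not a continuation is kept under "_malformed"
    so the caller can report it instead of silently dropping it.
    """
    stanzas, current, last_key = [], {}, None
    for raw in text.splitlines():
        if not raw.strip():                 # blank line ends the stanza
            if current:
                stanzas.append(current)
            current, last_key = {}, None
            continue
        if raw[0] in " \t" and last_key is not None:
            current[last_key] += "\n" + raw.strip()
            continue
        if ":" not in raw:
            current.setdefault("_malformed", []).append(raw)
            last_key = None
            continue
        key, _, value = raw.partition(":")
        last_key = key.strip()
        current[last_key] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas


def looks_like_html(text):
    """Cheap sniff for a web page: assumption used to explain *why* a file is bad."""
    head = text.lstrip()[:512].lower()
    return head.startswith("<!doctype") or head.startswith("<html") or "<html" in head


def check_packages_file(text):
    """Return a list of problems; an empty list means every stanza has a Package: field."""
    problems = []
    for n, stanza in enumerate(parse_stanzas(text), start=1):
        if "Package" not in stanza:
            problems.append(f"stanza {n}: Encountered a section with no Package: header")
        if "_malformed" in stanza:
            problems.append(f"stanza {n}: {len(stanza['_malformed'])} line(s) not 'Field: value'")
    return problems


def find_bad_lists(lists_dir="/var/lib/apt/lists"):
    """Scan the lists directory; return [(path, [problems...]), ...] for bad *_Packages files."""
    bad = []
    for name in sorted(os.listdir(lists_dir)):
        if not name.endswith("_Packages"):   # assumption: only binary package lists matter here
            continue
        path = os.path.join(lists_dir, name)
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        problems = check_packages_file(text)
        if problems:
            if looks_like_html(text):
                problems.append("file starts with HTML: probably a captive-portal login page")
            bad.append((path, problems))
    return bad


if __name__ == "__main__":
    lists_dir = sys.argv[1] if len(sys.argv) > 1 else "/var/lib/apt/lists"
    bad = find_bad_lists(lists_dir)
    for path, problems in bad:
        print(path)
        for p in problems:
            print("   ", p)
    if bad:
        print("\nWORKAROUND (run by hand after checking the list above):")
        for path, _ in bad:
            print(f"sudo rm '{path}'")
        print("sudo apt-get update")
    else:
        print(f"no broken Packages files found in {lists_dir}")
```

Run it as `python3 check_lists.py` (or pass another directory) before reaching for `rm`; on the fixed apt from the test case the InRelease signature check fails with NODATA first, so the HTML never reaches the lists directory, and the scan should come back clean.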