[Bug 891747] Re: unattended-upgrades fails to upgrade insecure packages
Kristian Erik Hermansen
kristian.hermansen at gmail.com
Sun Nov 20 16:56:46 UTC 2011
OK. But just be advised that anyone running an LTS version of Ubuntu
who expects security updates to be installed via unattended-upgrades
will be VULNERABLE to exploitation because updated packages are NOT
being installed as expected. This has the potential to do much more harm
to any system than a specific single package vulnerability, mainly
because now the exposure is multiplied by the total number of packages
not updated that contain vulnerabilities. In such a case, it could be
hundreds of packages. In my specific case, it was around 20 packages
that were vulnerable.
So, in summary, anyone running an LTS release with this vulnerable
package will remain vulnerable for up to five years because unattended-
upgrades is not being tagged as a security vulnerability and not
upgrading itself.
Also, this brings to light another attack on the packaging system as
detailed below.
1) Security team announces major security issue in a package used by everyone (say libpam)
2) Security update released to public.
3) One hour later, a trusted insider posts an update to the same libpam package to fix some minor bugs.
4) Vulnerable systems never receive the package update via unattended-upgrades and remain vulnerable for eternity due to an improper package-update selection algorithm...
This could mean the libpam vulnerability is exploitable forever on the
system! If that is what you think is acceptable, then OK!
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to unattended-upgrades in Ubuntu.
https://bugs.launchpad.net/bugs/891747
Title:
unattended-upgrades fails to upgrade insecure packages
Status in “unattended-upgrades” package in Ubuntu:
In Progress
Bug description:
Background information:
"""
$ lsb_release -rd
Description: Ubuntu 11.10
Release: 11.10
$ apt-cache policy unattended-upgrades
unattended-upgrades:
Installed: 0.73ubuntu1
Candidate: 0.73ubuntu1
Version table:
*** 0.73ubuntu1 0
500 http://us.archive.ubuntu.com/ubuntu/ oneiric/main amd64 Packages
100 /var/lib/dpkg/status
"""
I expect that when I run the unattended-upgrades command that every insecure package will be upgraded to a secure version. However, this does not occur in the situation shown as an example here. There may also be other situations that cause insecure packages not to be upgraded.
"""
$ apt-cache policy xserver-xorg-core
xserver-xorg-core:
Installed: 2:1.10.4-1ubuntu4
Candidate: 2:1.10.4-1ubuntu4.2
Version table:
2:1.10.4-1ubuntu4.2 0
500 http://us.archive.ubuntu.com/ubuntu/ oneiric-updates/main amd64 Packages
2:1.10.4-1ubuntu4.1 0
500 http://security.ubuntu.com/ubuntu/ oneiric-security/main amd64 Packages
*** 2:1.10.4-1ubuntu4 0
500 http://us.archive.ubuntu.com/ubuntu/ oneiric/main amd64 Packages
100 /var/lib/dpkg/status
$ sudo unattended-upgrade -d 2>&1 | egrep ^No
No packages found that can be upgraded unattended
$ echo $?
0
$ apt-cache policy xserver-xorg-core
xserver-xorg-core:
Installed: 2:1.10.4-1ubuntu4
Candidate: 2:1.10.4-1ubuntu4.2
Version table:
2:1.10.4-1ubuntu4.2 0
500 http://us.archive.ubuntu.com/ubuntu/ oneiric-updates/main amd64 Packages
2:1.10.4-1ubuntu4.1 0
500 http://security.ubuntu.com/ubuntu/ oneiric-security/main amd64 Packages
*** 2:1.10.4-1ubuntu4 0
500 http://us.archive.ubuntu.com/ubuntu/ oneiric/main amd64 Packages
100 /var/lib/dpkg/status
"""
In the example above, we have xserver-xorg-core, which is currently an
insecure package containing security flaws. A run of the unattended-
upgrades tool SHOULD resolve this situation, but in fact, it does not
due to a higher revision package that is available for installation
that is not tagged as a security release. This results in the
unattended-upgrade tool not being reliable as a means to ensure system
security.
A copy of the current locations to automatically install updates from:
"""
$ egrep -v '^//' /etc/apt/apt.conf.d/50unattended-upgrades | sed '/^$/d'
Unattended-Upgrade::Allowed-Origins {
"Google\, Inc.:stable";
"${distro_id} ${distro_codename}-security";
};
Unattended-Upgrade::Package-Blacklist {
};
"""