[Bug 891747] Re: unattended-upgrades fails to upgrade insecure packages

Kristian Erik Hermansen kristian.hermansen at gmail.com
Sun Nov 20 16:56:46 UTC 2011 

OK. But just be advised that anyone running an LTS version of Ubuntu,
that expect security updates to be installed via unattended-upgrades
will be VULNERABLE to exploitation because updated packages are NOT
being installed as expected. This has the potential to do much more harm
to any system than a specific single package vulnerability, mainly
because now the exposure is multiplied by the total number of packages
not updated that contain vulnerabilities. In such a case, it could be
hundreds of packages. In my specific case, it was around ~20 packages
that were vulnerable.

So, in summary, anyone running an LTS release with this vulnerable
package will remain vulnerable for up to five years because unattended-
upgrades is not being tagged as a security vulnerability and not
upgrading itself.

Also, this brings to light another attack on the packaging system as
detailed below.

1) Security team announces major security issue in a package used by everyone (say libpam)
2) Security update released to public.
3) One hour later, a trusted insider posts an update to the same libpam package to fix some minor bugs.
4) Vulnerable systems never receive package update via unattended-upgrades and remain vulnerable for eternity due to improper package update selection process algorithm...

This could mean the libpam vulnerability is exploitable forever on the
system! If that is what you think is acceptable, then OK!

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to unattended-upgrades in Ubuntu.
https://bugs.launchpad.net/bugs/891747

Title:
  unattended-upgrades fails to upgrade insecure packages

Status in “unattended-upgrades” package in Ubuntu:
  In Progress

Bug description:
  Background information:
  """
  $ lsb_release -rd
  Description:	Ubuntu 11.10
  Release:	11.10

  
  $ apt-cache policy unattended-upgrades
  unattended-upgrades:
    Installed: 0.73ubuntu1
    Candidate: 0.73ubuntu1
    Version table:
   *** 0.73ubuntu1 0
          500 http://us.archive.ubuntu.com/ubuntu/ oneiric/main amd64 Packages
          100 /var/lib/dpkg/status
  """

  
  I expect that when I run the unattended-upgrades command that every insecure package will be upgraded to a secure version. However, this does not occur in the situation shown as an example here. There may also be other situations that cause insecure packages not to be upgraded.
  """
  $ apt-cache policy xserver-xorg-core
  xserver-xorg-core:
    Installed: 2:1.10.4-1ubuntu4
    Candidate: 2:1.10.4-1ubuntu4.2
    Version table:
       2:1.10.4-1ubuntu4.2 0
          500 http://us.archive.ubuntu.com/ubuntu/ oneiric-updates/main amd64 Packages
       2:1.10.4-1ubuntu4.1 0
          500 http://security.ubuntu.com/ubuntu/ oneiric-security/main amd64 Packages
   *** 2:1.10.4-1ubuntu4 0
          500 http://us.archive.ubuntu.com/ubuntu/ oneiric/main amd64 Packages
          100 /var/lib/dpkg/status

  
  $ sudo unattended-upgrade -d 2>&1 | egrep ^No
  No packages found that can be upgraded unattended
  $ echo $?
  0
  $ apt-cache policy xserver-xorg-core
  xserver-xorg-core:
    Installed: 2:1.10.4-1ubuntu4
    Candidate: 2:1.10.4-1ubuntu4.2
    Version table:
       2:1.10.4-1ubuntu4.2 0
          500 http://us.archive.ubuntu.com/ubuntu/ oneiric-updates/main amd64 Packages
       2:1.10.4-1ubuntu4.1 0
          500 http://security.ubuntu.com/ubuntu/ oneiric-security/main amd64 Packages
   *** 2:1.10.4-1ubuntu4 0
          500 http://us.archive.ubuntu.com/ubuntu/ oneiric/main amd64 Packages
          100 /var/lib/dpkg/status
  """

  In the example above, we have xserver-xorg-core, which is currently an
  insecure package containing security flaws. A run of the unattended-
  upgrades tool SHOULD resolve this situation, but in fact, it does not
  due to a higher revision package that is available for installation
  that is not tagged as a security release. This results in the
  unattended-upgrade tool not being reliable as a means to ensure system
  security.

  A copy of the current locations to automatically install updates from:
  """
  $ egrep -v '^//' /etc/apt/apt.conf.d/50unattended-upgrades | sed '/^$/d'
  Unattended-Upgrade::Allowed-Origins {
  	"Google\, Inc.:stable";
  	"${distro_id} ${distro_codename}-security";
  };
  Unattended-Upgrade::Package-Blacklist {
  };
  """

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/unattended-upgrades/+bug/891747/+subscriptions

More information about the foundations-bugs mailing list