[Bug 839094] Re: update-manager leaks passwords to private PPAs in world readable log files

Launchpad Bug Tracker 839094 at bugs.launchpad.net
Fri Sep 30 14:42:41 UTC 2011


This bug was fixed in the package update-manager - 1:0.152.20

---------------
update-manager (1:0.152.20) oneiric; urgency=low

  * DistUpgrade/DistUpgradeQuirks.py:
    - increase the default cache size on a multiarch system to
      avoid potential crash in natty apt (LP: #854090)
  * DistUpgrade/DistUpgradeController.py, UpdateManager/Core/utils.py:
    - do not leak password from sources.list entries into the logfile
      (LP: #839094)
  * UpdateManager/UpdateManager.py:
    - do not crash if a package can not be put into "install" state,
      instead, just keep the old (unmarked) state (LP: #850482)
  * UpdateManager/DistUpgradeFetcher.py:
    - fix crash for changed gtk2 -> gtk3 API (LP: #859862)
  * UpdateManager/backend/InstallBackendAptdaemon.py:
    - remove debug output (LP: #855495)
 -- Michael Vogt <michael.vogt at ubuntu.com>   Fri, 30 Sep 2011 16:09:55 +0200

** Changed in: update-manager (Ubuntu Oneiric)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to update-manager in Ubuntu.
https://bugs.launchpad.net/bugs/839094

Title:
  update-manager leaks passwords to private PPAs in world readable log
  files

Status in “update-manager” package in Ubuntu:
  Fix Released
Status in “update-manager” source package in Oneiric:
  Fix Released

Bug description:
  update-manager puts passwords to private PPAs in world-readable log
  files, cf.

  | sdfsdsd at tuna:~$ grep -r private-ppa /var/log/dist-upgrade/20110901-1642/
  | /var/log/dist-upgrade/20110901-1642/main.log:2011-09-01 16:35:03,768 DEBUG examining: 'deb https://elmo:XXXXXXXXXXXXXXXXXX@private-ppa.launchpad.net/commercial-ppa-uploaders/braid/ubuntu natty main #Added by software-center'
  | /var/log/dist-upgrade/20110901-1642/main.log:2011-09-01 16:35:03,771 DEBUG entry '# deb https://elmo:XXXXXXXXXXXXXXXXXX@private-ppa.launchpad.net/commercial-ppa-uploaders/braid/ubuntu oneiric main #Added by software-center disabled on upgrade to oneiric' was disabled (unknown mirror)
  | sdfsdsd at tuna:~$ groups
  | sdfsdsd
  | sdfsdsd at tuna:~$ 

  Obviously, this is bad for any system that has more than one user.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/update-manager/+bug/839094/+subscriptions
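
One way to keep sources.list credentials out of a log like the one in the bug description, as an added example (not update-manager's own code and not the fix that was released). The names redact_credentials and RedactingFilter, the marker string, and the sample entry with its host and password are assumptions constructed for illustration.

```python
import logging
import re
from urllib.parse import urlsplit, urlunsplit

# Any scheme://... token; urlsplit, not the regex, decides if userinfo is present.
_URI_RE = re.compile(r"[A-Za-z][A-Za-z0-9+.-]*://[^\s'\"]+")

def _strip_userinfo(match):
    uri = match.group(0)
    try:
        parts = urlsplit(uri)
    except ValueError:
        return "<unparseable-uri-redacted>"  # fail closed, never log it raw
    if "@" not in parts.netloc:
        return uri
    host = parts.netloc.rsplit("@", 1)[1]
    return urlunsplit(parts._replace(netloc="REDACTED@" + host))

def redact_credentials(text):
    """Replace user:password in every URI found in text with a fixed marker."""
    return _URI_RE.sub(_strip_userinfo, text)

class RedactingFilter(logging.Filter):
    """Scrub the fully formatted message so %-style arguments are covered too."""
    def filter(self, record):
        record.msg = redact_credentials(record.getMessage())
        record.args = ()
        return True

# Constructed sample entry: placeholder credentials, hypothetical host.
SAMPLE = ("deb https://alice:s3cr3t-token@private-ppa.example.org/team/ppa/ubuntu "
          "natty main #Added by software-center")

def demo():
    """Log SAMPLE through the filter and return what reached the handler."""
    captured = []
    class ListHandler(logging.Handler):
        def emit(self, record):
            captured.append(record.getMessage())
    log = logging.getLogger("redaction-demo")
    log.setLevel(logging.DEBUG)
    log.propagate = False
    handler = ListHandler()
    handler.addFilter(RedactingFilter())
    log.addHandler(handler)
    log.debug("examining: '%s'", SAMPLE)
    log.removeHandler(handler)
    return captured

if __name__ == "__main__":
    print(demo()[0])
```

Attaching the filter to the handler rather than to each call site means a later debug statement that logs a raw entry is still scrubbed before it reaches the file.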



