[Bug 959131] Re: Doesn't detect unauthenticated packages if the transaction hasn't been simulated before

Marc Deslauriers marc.deslauriers at canonical.com
Mon Apr 2 17:42:03 UTC 2012


** Visibility changed to: Public

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to aptdaemon in Ubuntu.
https://bugs.launchpad.net/bugs/959131

Title:
  Doesn't detect unauthenticated packages if the transaction hasn't been
  simulated before

Status in “aptdaemon” package in Ubuntu:
  Fix Released
Status in “aptdaemon” source package in Natty:
  Fix Released
Status in “aptdaemon” source package in Oneiric:
  Fix Released
Status in “aptdaemon” source package in Precise:
  Fix Released

Bug description:
  Aptdaemon allows installing unauthenticated packages using
  software-center or update-manager.

  The versions of aptdaemon in Natty, Oneiric and Precise are affected.
  Dear security team, could you please apply the attached
  securtiy_fix_install_unauthenticated_packages_(oneric|natty) patches
  to the corresponding releases?

  The version in Precise will be fixed by a new upstream snapshot
  release and will also include the fixed deferred simulation patch.

  Background: Aptdaemon only checks for unauthenticated packages during
  the simulation of a transaction. Normally aptdaemon should simulate
  every transaction before it is queued, even if the client hasn't
  explicitly called the Simulate method of the transaction before (e.g.
  update-manager and software-center don't simulate the transactions).
  But there is an error in aptdaemon.core.TransactionQueue.put() which
  results in the transactions being queued and applied before they are
  simulated.

  Two steps are required to resolve this issue:

  (1) Perform a re-check of unauthenticated packages directly before
  applying the changes

  (2) Fix the automatic simulation of transactions [But this part could
  be skipped for a security fix release]

  Thanks a lot to Michael Vogt for detecting and providing a fix for this
  issue.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/aptdaemon/+bug/959131/+subscriptions
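
The failure mode from the Background paragraph and step (1) of the fix, as an added example that is not aptdaemon's code and not part of the original report: a simplified Python model in which the authentication check lives only in simulation, beside a variant that re-checks directly before applying. All class, function and package names are hypothetical, and the archive state is constructed.

```python
# Added illustration: a simplified model, not aptdaemon's code.
# All class, function and package names below are hypothetical.

class UnauthenticatedError(Exception):
    pass

# Constructed sample archive state: package name -> has a trusted signature.
TRUSTED = {"bash": True, "coreutils": True, "unsigned-pkg": False}

class Transaction:
    def __init__(self, packages):
        self.packages = list(packages)
        self.simulated = False

    def check_authenticated(self):
        # Unknown packages are treated as untrusted (fail closed).
        bad = [p for p in self.packages if not TRUSTED.get(p, False)]
        if bad:
            raise UnauthenticatedError(", ".join(bad))

    def simulate(self):
        # In the flawed design this is the only place the check runs.
        self.simulated = True
        self.check_authenticated()

def apply_flawed(trans, installed):
    # Assumes simulate() ran earlier; nothing here enforces it.
    installed.extend(trans.packages)

def apply_hardened(trans, installed):
    # Step (1) of the fix: re-check directly before applying the changes,
    # whether or not the client or the queue simulated first.
    trans.check_authenticated()
    installed.extend(trans.packages)

def run(apply, packages, simulate_first):
    """Return the list of packages that ended up installed."""
    installed = []
    trans = Transaction(packages)
    try:
        if simulate_first:
            trans.simulate()
        apply(trans, installed)
    except UnauthenticatedError:
        return []
    return installed
```

Calling `run(apply_flawed, [...], simulate_first=False)` models a client that queues a transaction without simulating it; the hardened variant refuses the same transaction because the check sits on the path every apply must take.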



