[Bug 979426] Re: persistent MitM can truncate list of files passed as script command line arguments
Launchpad Bug Tracker
979426 at bugs.launchpad.net
Fri Apr 13 16:16:09 UTC 2012
This bug was fixed in the package update-notifier - 0.119ubuntu7
---------------
update-notifier (0.119ubuntu7) precise; urgency=low
* Use <proto>_proxy environment variables to choose the proxy to use for
data downloads, not the apt proxy settings, because apt may be
configured to point at a package-specific proxy. This makes proxy
configuration a little less convenient than before for the
flashplugin-installer package, but at least it makes it possible to
have a different proxy setting for packages vs. arbitrary data
downloads, which otherwise we don't have any way to support.
LP: #979477.
* Stop processing after a fatal download error, not just a transient one,
so that we can't be tricked into feeding a partial list of files to a
handler. Thanks to Kees Cook for spotting the bug. LP: #979426.
* Flush stdout before calling subprocess, so that log output makes more
sense.
* Print a more meaningful status message when downloading, instead of just
a bare URL.
* Check for existence of /usr/lib/update-notifier/package-data-downloader
before trying to run it from our cron job, so that the package doesn't
generate error messages when removed but not purged.
* The action for our notification should call gksu instead of trying to
run the command directly without root access. This is imperfect because
kubuntu won't have gksudo available by default, but it's an improvement
over failing for everybody. LP: #976761.
-- Steve Langasek <steve.langasek at ubuntu.com> Fri, 13 Apr 2012 03:49:10 +0000
** Changed in: update-notifier (Ubuntu)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to update-notifier in Ubuntu.
https://bugs.launchpad.net/bugs/979426
Title:
persistent MitM can truncate list of files passed as script command
line arguments
Status in “update-notifier” package in Ubuntu:
Fix Released
Bug description:
This is a currently useless vulnerability from what I can see, but if
someone is able to MitM an Ubuntu system for 3 days when running
/usr/lib/update-notifier/package-data-downloader, it will be possible
to remove files from the "script" command line:
def record_failure(hook):
    """Record that the named hook has failed"""
    if hook_aged_out(hook):
        permanent_failures.append(hook)
    else:
        failures.append(hook)
...
        for i in range(len(files)):
            print files[i]
            dest_file = urllib.urlretrieve(files[i])[0]
            output = subprocess.check_output(["sha256sum", dest_file])
            output = output.split(' ')[0]
            if output == sums[i]:
                command.append(dest_file)
            else:
                record_failure(relfile)
                break
        if relfile in failures:
            break
        result = subprocess.call(command)
If a file fails sha256 sums for 3 days, it will trigger "hook_aged_out", which means it will _not_ be added to the "failures" global, so the "if relfile in failures" test will fail, allowing the command to execute with only the subset of non-failed files, which does not seem to be the intended behavior.
Currently both users of this feature (flashplugin-installer, ttf-
mscorefonts-installer) seem to fail gracefully when lacking expected
command line arguments. Regardless, this code should be fixed before
more users come along and depend on the order of files, etc.
Additionally it would be nice if sys.stdout.flush() was called before
subprocess runs so that my cron email makes sense instead of freaking
me out as badly next time:
/etc/cron.daily/update-notifier-common:
Installing from local file /tmp/tmp_Vt6St.gz
Flash Plugin installed.
http://archive.canonical.com/pool/partner/a/adobe-flashplugin/adobe-flashplugin_11.2.202.228.orig.tar.gz
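The following is an added simulation of the flaw described in the bug report above and of the fix recorded in the changelog; it is not code from update-notifier. The function names (build_command_vulnerable, build_command_fixed), the hook name, the URLs and the archive contents are constructed for the example. hashlib stands in for the sha256sum subprocess and a fetch callable stands in for urllib.urlretrieve, so it runs offline; the `aged_out` flag plays the role of hook_aged_out(). The point it shows: in the original logic an aged-out checksum failure is recorded in permanent_failures, which the `if relfile in failures` check never looks at, so the hook is still run with a truncated argument list; the fixed variant aborts on any failure.

```python
import hashlib

# Constructed sample data for this example: three downloads served by one
# hook, with the sha256 sums a hook file would carry.  Nothing here is
# real update-notifier data.
GOOD_CONTENT = {
    "http://example.invalid/a.tar.gz": b"archive A",
    "http://example.invalid/b.tar.gz": b"archive B",
    "http://example.invalid/c.tar.gz": b"archive C",
}
FILES = list(GOOD_CONTENT)
SUMS = {url: hashlib.sha256(data).hexdigest() for url, data in GOOD_CONTENT.items()}
HOOK = "flashplugin-installer"   # hypothetical hook name


def honest_fetch(url):
    """Stand-in for urllib.urlretrieve when nobody tampers with the download."""
    return GOOD_CONTENT[url]


def mitm_fetch(url):
    """Stand-in for a persistent MitM: the last archive is swapped for attacker content."""
    if url.endswith("c.tar.gz"):
        return b"attacker-controlled archive"
    return GOOD_CONTENT[url]


def build_command_vulnerable(hook, files, sums, fetch, aged_out):
    """Mirror of the pre-fix logic quoted in the bug report.

    Returns the argv that would be handed to subprocess.call, or None when
    the run is abandoned.  `aged_out` plays the role of hook_aged_out(hook).
    """
    failures = []
    permanent_failures = []
    command = [hook]

    def record_failure(h):
        if aged_out:
            permanent_failures.append(h)   # never consulted below: the bug
        else:
            failures.append(h)

    for url in files:
        if hashlib.sha256(fetch(url)).hexdigest() == sums[url]:
            command.append(url)
        else:
            record_failure(hook)
            break
    if hook in failures:
        return None          # transient failure: abort, as intended
    return command           # aged-out failure: hook runs with a truncated argv


def build_command_fixed(hook, files, sums, fetch, aged_out):
    """Same flow, but any checksum failure (transient or fatal) aborts the run."""
    failed = False
    command = [hook]
    for url in files:
        if hashlib.sha256(fetch(url)).hexdigest() == sums[url]:
            command.append(url)
        else:
            failed = True
            break
    return None if failed else command


if __name__ == "__main__":
    for label, fn in (("vulnerable", build_command_vulnerable),
                      ("fixed", build_command_fixed)):
        for fetch, aged in ((honest_fetch, False), (mitm_fetch, False), (mitm_fetch, True)):
            print(label, fetch.__name__, "aged_out=%s" % aged,
                  fn(HOOK, FILES, SUMS, fetch, aged))
```

Run it directly to see the three scenarios side by side: the honest download yields the full argv in both variants, a fresh MitM failure aborts in both, and only the aged-out MitM failure makes the vulnerable variant emit `[hook, a, b]` while the fixed variant still returns None.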