[Bug 1728405] Re: Update-manager starts your browser as root

Leonidas S. Barbosa 1728405 at bugs.launchpad.net
Tue Oct 31 14:09:03 UTC 2017


** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to update-manager in Ubuntu.
https://bugs.launchpad.net/bugs/1728405

Title:
  Update-manager starts your browser as root

Status in update-manager package in Ubuntu:
  Confirmed

Bug description:
  When I upgraded from Ubuntu MATE 17.04 to 17.10, I realized that
  there is a security issue with the update-manager (1:17.04.7 500).
  Here's what I mean:

  1) Start the update-manager. When it tells you there's "a new version
  of Ubuntu available", click on upgrade. A prompt will appear asking
  for your sudo password. Enter your password.

  2) Then the release notes appear. When you now click on any of the
  links inside, your standard browser (in my case Firefox) will open
  with root permissions.

  This should never happen.

  Either the release notes should be displayed before the prompt for
  your root password, or upgrade-manager should have a mechanism to
  prevent starting other GUI apps as root.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/update-manager/+bug/1728405/+subscriptions
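
One way a privileged GUI process can hand a link to the browser without the browser inheriting root, as an added example (not update-manager's own code and not the fix that was shipped). It assumes the process was started through sudo or pkexec, that xdg-open is installed, and Python 3.9 or later; the function names are hypothetical.

```python
import os
import pwd
import subprocess
from urllib.parse import urlsplit

def demotion_uid(env, euid):
    """Return the uid to drop to, or None when we are not root."""
    if euid != 0:
        return None
    # PKEXEC_UID is set by pkexec, SUDO_UID by sudo: the user who authenticated.
    for var in ("PKEXEC_UID", "SUDO_UID"):
        value = env.get(var, "")
        if value.isascii() and value.isdigit() and int(value) != 0:
            return int(value)
    # Fail closed: no browser at all is better than a root browser.
    raise PermissionError("running as root with no unprivileged user to drop to")

def check_url(url):
    """Allow only http(s) links that name a host."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("refusing to open %r" % url)
    return url

def open_link(url, env=None, euid=None):
    """Start the default browser for url, never with root privileges."""
    env = dict(os.environ if env is None else env)
    euid = os.geteuid() if euid is None else euid
    argv = ["xdg-open", check_url(url)]
    uid = demotion_uid(env, euid)
    if uid is None:
        return subprocess.Popen(argv, env=env)
    user = pwd.getpwuid(uid)
    # Use the user's own profile directory, not root's.
    env.update(HOME=user.pw_dir, USER=user.pw_name, LOGNAME=user.pw_name)
    for var in ("SUDO_UID", "SUDO_GID", "SUDO_USER", "SUDO_COMMAND", "PKEXEC_UID"):
        env.pop(var, None)
    # Popen switches supplementary groups, gid and uid in the child before exec.
    return subprocess.Popen(
        argv, env=env, user=uid, group=user.pw_gid,
        extra_groups=os.getgrouplist(user.pw_name, user.pw_gid))
```
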


