Bug 39671 – Invalid signature files are removed but the App is still valid

Bug 39671 - Invalid signature files are removed but the App is still valid


Summary:	Invalid signature files are removed but the App is still valid

Status:	RESOLVED WONTFIX

Product:	UCS
Classification:	Unclassified
Component:	UMC - App-Center
Version:	UCS 4.1
Hardware:	Other Linux

Importance:	P2 normal (vote)
Target Milestone:	---
Assigned To:	UMC maintainers
QA Contact:

URL:
Keywords:

Depends on:	39194
Blocks:
	Show dependency tree / graph

Reported:	2015-10-29 14:01 CET by Stefan Gohmann
Modified:	2019-01-03 07:18 CET (History)
CC List:	2 users (show)

See Also:
What kind of report is it?:	Bug Report
What type of bug is this?:	7: Crash: Bug causes crash or data loss
Who will be affected by this bug?:	1: Will affect a very few installed domains
How will those affected feel about the bug?:	4: A User would return the product
User Pain:	0.160
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Stefan Gohmann

2015-10-29 14:01:52 CET

As described in Bug #39194, if a script was modified, only the script is removed. The Admin should not be able to install those Apps.

+++ This bug was initially created as a clone of Bug #39194 +++

(In reply to Stefan Gohmann from comment #5)
> I've added a first test script: 80_docker/59_app_center_signature
> 
> It tests various modification:
>  - no pgp file available
>  - the index.json was modified
>  - the ini file was modified
> 
> These tests were successful. I've also modified an inst script. While
> modifying the ini file, the App was no longer available because the hash was
> not valid. I think that's right. 
> The App was still available after the inst file was modified:
> Checksum for owncloud8-docker_20150917.inst should be
> u'68512ce46f443653d18f6d14b9b67325' but was
> '91ca715e08842f6a44840c77729c8df1'! Rather removing this file...
> 
> I think the App should also be no longer available in this scenario.

Comment 1 Dirk Wiesenthal

2016-10-28 13:01:54 CEST

Depending on the script, this could indeed be very bad.

Comment 2 Stefan Gohmann

2019-01-03 07:18:37 CET

This issue has been filled against UCS 4.1. The maintenance with bug and security fixes for UCS 4.1 has ended on 5st of April 2018.

Customers still on UCS 4.1 are encouraged to update to UCS 4.3. Please contact
your partner or Univention for any questions.

If this issue still occurs in newer UCS versions, please use "Clone this bug" or simply reopen the issue. In this case please provide detailed information on how this issue is affecting you.