Bug 35948 - apt: Multiple issues (3.2)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 3.2
Other Linux
: P1 normal
: UCS 3.2-3-errata
Assigned To: Janek Walkenhorst
Philipp Hahn
Depends on:
Blocks: 35969
Reported: 2014-09-17 12:06 CEST by Moritz Muehlenhoff
Modified: 2014-09-22 06:36 CEST (History)

Description Moritz Muehlenhoff univentionstaff 2014-09-17 12:06:01 CEST
Multiple issues have been found in the implementation of Secure Apt:

Incorrect handling of 304 replies (CVE-2014-0487)
Incorrect invalidation when switching between authenticated and unauthenticated sources (CVE-2014-0488)
Missing verification when using Acquire::GzipIndexes (CVE-2014-0489)

One issue (CVE-2014-0490) doesn't apply to UCS 3.2; the affected code isn't present yet.
Comment 1 Janek Walkenhorst univentionstaff 2014-09-17 19:04:38 CEST
Advisory: 2014-09-17-apt.yaml
Tests (amd64): OK
Comment 2 Philipp Hahn univentionstaff 2014-09-18 10:31:23 CEST
OK: r13584 r13585
OK: diff -U 3.1-0-0-ucs/0.8.10.3+squeeze1 3.2-0-0-ucs/0.8.10.3+squeeze3-errata3.2-3

OK: apt-cache policy apt # 0.8.10.3.60.201409171430
OK: apt-get upgrade # amd64
OK: zless /usr/share/doc/apt/changelog.gz
OK: aptitude install '?source-package(apt)?installed' # i386
OK: apt-get update ; apt-get upgrade ; apt-get dist-upgrade

OK: r53744
OK: /usr/sbin/announce_errata -V ~/GIT/branches/ucs-3.2/ucs-3.2-3/doc/errata/staging/2014-09-17-apt.yaml
Comment 3 Moritz Muehlenhoff univentionstaff 2014-09-19 09:49:48 CEST
A regression was found in the initial fix:
https://lists.debian.org/debian-security-announce/2014/msg00216.html
Comment 4 Janek Walkenhorst univentionstaff 2014-09-19 16:35:17 CEST
(In reply to Moritz Muehlenhoff from comment #3)
> A regression was found in the initial fix:
> https://lists.debian.org/debian-security-announce/2014/msg00216.html

Added 30_CVE-2014-0487_regression.patch
Updated 2014-09-17-apt.yaml

Tests (amd64): OK
Comment 5 Philipp Hahn univentionstaff 2014-09-19 17:04:48 CEST
OK: r13587

OK: apt-cache policy apt # 0.8.10.3.61.201409191614
OK: aptitude install '?source-package(apt)?installed'
OK: zless /usr/share/doc/apt/changelog.gz
   30_CVE-2014-0487_regression
OK: apt-get update ; apt-get upgrade ; apt-get dist-upgrade

OK: announce_errata -V 2014-09-17-apt.yaml
OK: 2014-09-17-apt.yaml

NOT-CHECKED: ucr set repository/online/unmaintained=yes repository/online/sources=yes update/secure_apt=no ; apt-get update ; apt-get install dpkg-dev ; apt-get source apt ; apt-get build-dep apt ; apt-0.8.10.3.61.201409191614/test/integration/test-apt-update-file
Comment 6 Janek Walkenhorst univentionstaff 2014-09-19 17:57:06 CEST
http://errata.univention.de/ucs/3.2/209.html