Bug 35948 - apt: Multiple issues (3.2)
apt: Multiple issues (3.2)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 3.2
Other Linux
: P1 normal (vote)
: UCS 3.2-3-errata
Assigned To: Janek Walkenhorst
Philipp Hahn
:
Depends on:
Blocks: 35969
  Show dependency treegraph
 
Reported: 2014-09-17 12:06 CEST by Moritz Muehlenhoff
Modified: 2014-09-22 06:36 CEST (History)
1 user (show)

See Also:
What kind of report is it?: ---
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Moritz Muehlenhoff univentionstaff 2014-09-17 12:06:01 CEST
Multiple issues have been found in the implementation of Secure Apt:

Incorrect handling of 304 replies (CVE-2014-0487)
Incorrect invalidation when switching between authenticated and unauthenticated sources (CVE-2014-0488)
Missing verification when using Acquire::Gzip indexes (CVE-2014-0489)

One issue (CVE-2014-0490) doesn't apply to UCS 3.2, the affected code isn't present yet.
Comment 1 Janek Walkenhorst univentionstaff 2014-09-17 19:04:38 CEST
Advisory: 2014-09-17-apt.yaml
Tests (amd64): OK
Comment 2 Philipp Hahn univentionstaff 2014-09-18 10:31:23 CEST
OK: r13584 r13585
OK: diff -U 3.1-0-0-ucs/0.8.10.3+squeeze1 3.2-0-0-ucs/0.8.10.3+squeeze3-errata3.2-3

OK: apt-cache policy apt # 0.8.10.3.60.201409171430
OK: apt-get upgrade # amd64
OK: zless /usr/share/doc/apt/changelog.gz
OK: aptitude install '?source-package(apt)?installed' # i386
OK: apt-get update ; apt-get upgrade ; apt-get dist-upgrade

OK: r53744
OK: /usr/sbin/announce_errata -V ~/GIT/branches/ucs-3.2/ucs-3.2-3/doc/errata/staging/2014-09-17-apt.yaml
Comment 3 Moritz Muehlenhoff univentionstaff 2014-09-19 09:49:48 CEST
A regression was found in the initial fix:
https://lists.debian.org/debian-security-announce/2014/msg00216.html
Comment 4 Janek Walkenhorst univentionstaff 2014-09-19 16:35:17 CEST
(In reply to Moritz Muehlenhoff from comment #3)
> A regression was found in the initial fix:
> https://lists.debian.org/debian-security-announce/2014/msg00216.html

Added 30_CVE-2014-0487_regression.patch
Updated 2014-09-17-apt.yaml

Tests (amd64): OK
Comment 5 Philipp Hahn univentionstaff 2014-09-19 17:04:48 CEST
OK: r13587

OK: apt-cache policy apt # 0.8.10.3.61.201409191614
OK: aptitude install '?source-package(apt)?installed'
OK: zless /usr/share/doc/apt/changelog.gz
   30_CVE-2014-0487_regression
OK: apt-get update ; apt-get upgrade ; apt-get dist-upgrade

OK: announce_errata -V 2014-09-17-apt.yaml
OK: 2014-09-17-apt.yaml

NOT-CHECKED: ucr set repository/online/unmaintained=yes repository/online/sources=yes update/secure_apt=no ; apt-get update ; apt-get install dpkg-dev ; apt-get source apt ; apt-get build-dep apt ; apt-0.8.10.3.61.201409191614/test/integration/test-apt-update-file
Comment 6 Janek Walkenhorst univentionstaff 2014-09-19 17:57:06 CEST
http://errata.univention.de/ucs/3.2/209.html