update manager notification area icon may be wrong in certain cases

Bug #239673 reported by Stefano Angeleri
Affects / Status / Importance / Assigned to / Milestone
update-notifier (Ubuntu): Fix Released / High / Michael Vogt / (none)
Hardy: Fix Released / High / Michael Vogt / (none)

Bug Description

Binary package hint: update-manager

When you have some important security updates (like the kernel updates, the recent openssl updates) the red icon with the arrow shows fine and notifies you that there are important security updates. But if you try to install only some (so not all) (in my case I've just installed the openssl-blacklist package and not the kernel) the icon will change to the normal "star like" icon telling you there are only normal or proposed (as I also have that repository enabled) updates. It will stay like this even after reboots till new important security updates get released.
Obviously this behavior is wrong, as it should notify that there are important security updates till they are all installed and not stop notifying when only one package gets installed.

TEST CASE:
1. use stock hardy (8.04) without anything applied in -updates or -security
2. start update-manager
3. click "check" and verify that the notification area icon has a red downward arrow (to show that security updates are available)
4. unselect all packages starting with "linux" in the security tab
5. click on "install updates"
6. look at the remaining packages that start with linux and confirm
   a) that they are listed under security updates
   b) that the icon in the notification area changed from the arrow to a round icon that looks different

8. install the new update-notifier from proposed on a stock hardy (8.04) without -updates or -security
9. repeat steps 2-5
10. verify that this time the notification area icon remains the same and verify that the number of updates in the tooltip is the same as reported in the first run
How to reproduce:
1- get a system missing more than one security update by downgrading, installing from scratch or wait for some to get released
2- you will notice the red arrow notification
3- click on it and install only one of the available security updates (there must be more than one)
4- notice the notification area icon gets back to the normal updates available version

What should happen:
The notification area icon should remain with the red arrow till all security updates get installed in the system

What happens:
The notification area icon switches back to the normal updates available version and doesn't tell there are still security updates till some new ones get released

I think this should be considered a security problem as security updates might be left uninstalled this way, but as I'm not 100% certain I'm not ticking the contact security team check box

This was tested on 8.04 with update-manager 1:0.87.27

description: updated
Revision history for this message
Michael Vogt (mvo) wrote :

Thanks for your bugreport.

I just tried this on my hardy install and can not reproduce this on a stock install. I had a bunch of security updates, selected only "gnutls" and installed those. After that the icon remained a "security updates" needed one.

Could you please run:
$ /usr/lib/update-notifier/apt-check
and attach the output? Could you also please attach your /etc/apt/sources.list

Changed in update-manager:
status: New → Incomplete
assignee: nobody → mvo
importance: Undecided → High
Revision history for this message
Stefano Angeleri (weltall) wrote :

I could, but right now I've no security updates.
Another thing that maybe I've forgotten to add is that I have the proposed repository enabled, as you will see from the sources.list. Additionally I also have the winehq repository enabled, following winehq instructions.
Anyway, here's what was requested:

~$ /usr/lib/update-notifier/apt-check
Reading package lists... Done
Building dependency tree
Reading state information... Done
34;0

I'm going to try this command also the next time i will get security updates and I will be able to reproduce the problem.

Revision history for this message
Stefano Angeleri (weltall) wrote :

Strangely, the security updates released today (regarding ruby and openssl) didn't make the problem come out; I've tried installing one after another and there is still the security icon as expected. At this point I've only to wait for an update in the linux-generic and correlated packages, as it happened for sure in that case (check picture).
These were the results of today's updates done one by one:
~$ /usr/lib/update-notifier/apt-check
Reading package lists... Done
Building dependency tree
Reading state information... Done
37;5~$ /usr/lib/update-notifier/apt-check
Reading package lists... Done
Building dependency tree
Reading state information... Done
36;4~$ /usr/lib/update-notifier/apt-check
Reading package lists... Done
Building dependency tree
Reading state information... Done
33;1~$ /usr/lib/update-notifier/apt-check
Reading package lists... Done
Building dependency tree
Reading state information... Done
33;1

Revision history for this message
Michael Vogt (mvo) wrote :

Thanks for this additional information.

I see the bug now too, the trouble here is that if two versions of linux are available, it may get confused. I was able to reproduce it with the stock hardy linux-generic installed and the following packages in the archive:
$ rmadison linux-generic
[..]
linux-generic | 2.6.24.18.20 | hardy-security/restricted | amd64, i386
linux-generic | 2.6.24.19.21 | hardy-updates/restricted | amd64, i386

update-manager groks that the version in updates includes the changes of a version in security, but update-notifier does not.

Changed in update-notifier:
status: Incomplete → Confirmed
status: Confirmed → In Progress
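To make the masking case concrete, here is an added, stand-alone Python model of the two counting strategies apt-check used before and after this fix. It is not update-notifier's code and not part of this bug thread. The package cache is constructed by hand so it runs offline: the two linux-generic archive versions are the ones quoted from rmadison above, while the installed kernel version 2.6.24.17.19 and the packages gnutls, hello, bar and baz (with their versions) are made up. The version comparator is a deliberate simplification that only handles dotted-numeric versions; the real script uses apt_pkg.VersionCompare.

```python
# Added example: a stand-alone model of the apt-check counting logic before
# and after the fix discussed in this bug. It is not update-notifier's code;
# the package cache below is constructed by hand so it runs offline.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Version:
    ver_str: str
    # (archive, origin) pairs, standing in for the ver.FileList apt exposes
    origins: List[Tuple[str, str]]


@dataclass
class Package:
    name: str
    current: Optional[Version]   # installed version, None if not installed
    versions: List[Version]      # every version the cache knows about
    candidate: Version           # the version apt would upgrade to


def version_key(ver_str: str) -> Tuple[int, ...]:
    """Simplified comparator (assumption): dotted-numeric versions only.
    apt-check uses apt_pkg.VersionCompare, which handles full Debian syntax."""
    return tuple(int(part) for part in ver_str.split("."))


def is_security_version(ver: Version) -> bool:
    """Same test as apt-check: published from an Ubuntu -security archive."""
    return any(archive.endswith("-security") and origin == "Ubuntu"
               for archive, origin in ver.origins)


def count_updates_candidate_only(cache: List[Package]) -> Tuple[int, int]:
    """Pre-fix behaviour: only the candidate version is examined."""
    upgrades = security = 0
    for pkg in cache:
        if pkg.candidate == pkg.current:   # not a real upgrade (LP #7907 workaround)
            continue
        upgrades += 1
        if is_security_version(pkg.candidate):
            security += 1
    return upgrades, security


def count_updates_with_masking(cache: List[Package]) -> Tuple[int, int]:
    """Post-fix behaviour: a package also counts as a security update when any
    version newer than the installed one comes from -security, even if the
    candidate (from -updates or -proposed) masks it."""
    upgrades = security = 0
    for pkg in cache:
        if pkg.candidate == pkg.current:
            continue
        upgrades += 1
        if is_security_version(pkg.candidate):
            security += 1
            continue                      # next package; count each package once
        for ver in pkg.versions:
            if pkg.current is not None and \
               version_key(ver.ver_str) <= version_key(pkg.current.ver_str):
                continue                  # installed or older: nothing pending
            if is_security_version(ver):
                security += 1
                break
    return upgrades, security


def build_sample_cache() -> List[Package]:
    """Constructed cache. The two linux-generic archive versions are the ones
    quoted in the bug; the installed version and the other packages are made up."""
    sec = [("hardy-security", "Ubuntu")]
    upd = [("hardy-updates", "Ubuntu")]
    linux_sec = Version("2.6.24.18.20", sec)
    linux_upd = Version("2.6.24.19.21", upd)
    gnutls_new = Version("1.1", sec)
    hello_new = Version("2.1", upd)
    bar_new = Version("3.3", upd)
    baz_cur = Version("4.0", upd)
    return [
        # security fix masked by a newer -updates build: the case in this bug
        Package("linux-generic", Version("2.6.24.17.19", upd),
                [linux_sec, linux_upd], linux_upd),
        # plain security update: the candidate itself comes from -security
        Package("gnutls", Version("1.0", []), [gnutls_new], gnutls_new),
        # ordinary update, nothing in -security
        Package("hello", Version("2.0", []), [hello_new], hello_new),
        # -security version older than what is installed: must NOT count
        Package("bar", Version("3.2", sec), [Version("3.1", sec), bar_new], bar_new),
        # candidate equals installed: not an upgrade at all
        Package("baz", baz_cur, [baz_cur], baz_cur),
    ]


if __name__ == "__main__":
    cache = build_sample_cache()
    print("candidate only:", count_updates_candidate_only(cache))  # (4, 1)
    print("with masking  :", count_updates_with_masking(cache))    # (4, 2)
```

Both counters report four upgrades; only the masking-aware scan recognises linux-generic as a pending security update, which is exactly the difference between the arrow icon and the plain "updates available" icon in the report. The bar package shows why versions at or below the installed one must be skipped: its -security build is already superseded, so counting it would produce the opposite false signal.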
Revision history for this message
Michael Vogt (mvo) wrote :

Here is the diff:

=== modified file 'data/apt-check'
--- data/apt-check 2008-01-04 15:30:39 +0000
+++ data/apt-check 2008-06-30 15:43:20 +0000
@@ -29,6 +29,15 @@
     sys.exit(-1)

+def isSecurityUpgrade(ver):
+ " check if the given version is a security update (or masks one) "
+ for (file, index) in ver.FileList:
+ if (file.Archive.endswith("-security") and
+ file.Origin == "Ubuntu"):
+ return True
+ return False
+
+
 # -------------------- main ---------------------

 # be nice
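Review bot: the docstring on isSecurityUpgrade says the version "masks" a security update, but the body only inspects the given version's own FileList for an archive ending in "-security" with Origin "Ubuntu"; the masking logic lives in the caller, so the docstring should read something like `" check if the given version comes from the Ubuntu -security archive "`. Minor: `file` shadows the Python builtin of the same name; `pkgfile` would read better.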
@@ -91,15 +100,25 @@
 security_updates = 0
 for pkg in cache.Packages:
     if depcache.MarkedInstall(pkg) or depcache.MarkedUpgrade(pkg):
+ inst_ver = pkg.CurrentVer
+ cand_ver = depcache.GetCandidateVer(pkg)
         # check if this is really a upgrade or a false positive
         # (workaround for ubuntu #7907)
- if depcache.GetCandidateVer(pkg) != pkg.CurrentVer:
- upgrades = upgrades + 1
- ver = depcache.GetCandidateVer(pkg)
- for (file, index) in ver.FileList:
- if (file.Archive.endswith("-security") and
- file.Origin == "Ubuntu"):
- security_updates += 1
+ if cand_ver != inst_ver:
+ # check for security upgrades
+ upgrades = upgrades + 1
+ if isSecurityUpgrade(cand_ver):
+ security_updates += 1
+ break
+ # now check for security updates that are masked by a
+ # canidate version from another repo (-proposed or -updates)
+ for ver in pkg.VersionList:
+ if (inst_ver and apt_pkg.VersionCompare(ver.VerStr, inst_ver.VerStr) <= 0):
+ #print "skipping '%s' " % ver.VerStr
+ continue
+ if isSecurityUpgrade(ver):
+ security_updates += 1
+ break

 # print the number of upgrades
 if options.show_package_names:
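Review bot: the `break` after the first `security_updates += 1` (the branch where the candidate itself is a security upgrade) is not inside the `for ver in pkg.VersionList` loop; as the hunk reads it sits directly in the `for pkg in cache.Packages` loop, so the first package whose candidate comes from -security ends the whole scan and both `upgrades` and `security_updates` are left short. It should be `continue` (go on to the next package); only the `break` inside the inner `for ver in pkg.VersionList` loop is right, since that one just stops a single package from being counted more than once. The comparison `apt_pkg.VersionCompare(ver.VerStr, inst_ver.VerStr) <= 0` correctly skips versions at or below the installed one, and the `inst_ver and` guard covers packages marked for fresh install with no CurrentVer. Comment typo: "canidate" should be "candidate".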

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package update-notifier - 0.71

---------------
update-notifier (0.71) intrepid; urgency=low

  * data/apt-check:
    - check for intermediate version when checking if an upgrade
      is security related or not. it's possible that an upgrade
      is available in -security and a newer one in -updates that
      has the security fixes applied as well but shows up in
      update-notifier as a normal update instead of a security
      related one (LP: #239673)

 -- Michael Vogt <email address hidden> Mon, 30 Jun 2008 17:37:20 +0200

Changed in update-notifier:
status: In Progress → Fix Released
Revision history for this message
Michael Vogt (mvo) wrote :

I uploaded a fix (that works for me) to

deb http://ppa.launchpad.net/mvo/ubuntu/ hardy main

Feedback is welcome.

Changed in update-notifier:
assignee: nobody → mvo
importance: Undecided → High
status: New → In Progress
Michael Vogt (mvo)
description: updated
Revision history for this message
Martin Pitt (pitti) wrote :

Accepted into -proposed, please test and give feedback here. Please see https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Changed in update-notifier:
status: In Progress → Fix Committed
Revision history for this message
Michael Vogt (mvo) wrote :

This fix seems to cause the regression: #251494 and should not be moved to -updates until this is investigated further.

Michael Vogt (mvo)
description: updated
Revision history for this message
Steve Beattie (sbeattie) wrote :

The fix for this issue got added to hardy-updates in update-notifier 0.70.9, but the changelog only referred to the fixed regression bug that the first attempt at fixing this issue introduced. Marking closed.

Changed in update-notifier:
status: Fix Committed → Fix Released