Dell Latitude 2110 ships insecure apt configuration

Bug #610647 reported by Tony Espy
Affects                  Status        Importance  Assigned to  Milestone
base-files (Ubuntu)      Fix Released  High        Martin Pitt
  Karmic                 Fix Released  High        Martin Pitt
  Lucid                  Fix Released  High        Martin Pitt
  Maverick               Fix Released  High        Martin Pitt

Bug Description

Binary package hint: base-files

The Dell Latitude 2110 factory pre-installed image is based on Ubuntu Netbook Remix 9.10. Due to a bug in the build process for this OEM image, a configuration variable which was thought to only affect the image build process actually affected installed systems. The live-helper option LH_APT_SECURE was set to "disabled". This resulted in the file /etc/apt/apt.conf.d/00secure, which contains the following:

APT::Get::AllowUnauthenticated "true";
Aptitude::CmdLine::Ignore-Trust-Violations "true";

The latter apt setting is the main concern. The setting includes "CmdLine". Not being an apt expert, I'm not sure whether this directly affects Synaptic or Update Manager; however, it does open the system up for command-line operations.

This has been blogged about:

http://losca.blogspot.com/2010/07/unboxing-and-tinkering-dell-latitude.html

The plan is to match on the md5sum of the file if found, and delete it. I will attach the file and md5sum in a comment.

Revision history for this message
Tony Espy (awe) wrote :

steve@daphne:/media/foo/etc/apt/apt.conf.d$ md5sum 00secure
da402e2c3a805e234ae7d20fa55580a6 00secure
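The following is an added example, not the base-files postinst shipped in the updates below, and not code from any commenter on this bug. It reproduces the remediation described in the bug report and in the changelogs (remove /etc/apt/apt.conf.d/00secure only if its md5sum matches the factory file; leave a locally edited copy alone) against an arbitrary path, and adds an audit function that scans an apt.conf.d directory for the two settings the factory file contained. The hash is the one posted above; the function names, the return-code convention and the ability to pass a different expected hash or directory are assumptions made for this example so it can be run against a test directory.

```shell
#!/bin/sh
# Added example: mimic the "remove only if unmodified factory copy" fix from
# LP #610647 / CVE-2010-0834, and audit apt.conf.d for the insecure settings.

# md5sum of the factory 00secure as posted in the bug (not a general
# integrity check; it only identifies that one exact file).
FACTORY_MD5="da402e2c3a805e234ae7d20fa55580a6"

# remove_factory_00secure FILE [EXPECTED_MD5]
# Returns 0 if FILE matched the factory hash and was removed,
#         1 if FILE exists but differs (left in place for the admin),
#         2 if FILE does not exist.
remove_factory_00secure() {
    f="$1"
    expected="${2:-$FACTORY_MD5}"
    [ -f "$f" ] || return 2
    sum=$(md5sum "$f" | cut -d' ' -f1)
    if [ "$sum" = "$expected" ]; then
        rm -f "$f"
        return 0
    fi
    return 1
}

# find_unauthenticated_settings DIR
# Prints every fragment in DIR that turns off apt's signature enforcement.
# Returns 0 if at least one insecure fragment was found, 1 if the directory
# is clean. apt option names are case-insensitive, hence grep -i.
find_unauthenticated_settings() {
    dir="$1"
    found=1
    for frag in "$dir"/*; do
        [ -f "$frag" ] || continue
        if grep -Eiq \
            '^[[:space:]]*(APT::Get::AllowUnauthenticated|Aptitude::CmdLine::Ignore-Trust-Violations)[[:space:]]+"true"' \
            "$frag"; then
            echo "insecure: $frag"
            found=0
        fi
    done
    return $found
}
```

On an affected machine the audit is `find_unauthenticated_settings /etc/apt/apt.conf.d`, and `remove_factory_00secure /etc/apt/apt.conf.d/00secure` (as root) applies the same decision the postinst makes. A return code of 1 means the file has been changed locally and should be reviewed by hand rather than deleted blindly.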

Martin Pitt (pitti)
Changed in base-files (Ubuntu Karmic):
status: New → Triaged
Changed in base-files (Ubuntu Lucid):
status: New → Triaged
Changed in base-files (Ubuntu Maverick):
status: New → Triaged
Changed in base-files (Ubuntu Karmic):
importance: Undecided → High
Changed in base-files (Ubuntu Lucid):
importance: Undecided → High
Changed in base-files (Ubuntu Maverick):
importance: Undecided → High
Martin Pitt (pitti)
Changed in base-files (Ubuntu Maverick):
assignee: nobody → Martin Pitt (pitti)
Changed in base-files (Ubuntu Lucid):
assignee: nobody → Martin Pitt (pitti)
Changed in base-files (Ubuntu Karmic):
assignee: nobody → Martin Pitt (pitti)
Revision history for this message
Martin Pitt (pitti) wrote :

Update for lucid. I tested all 6 combinations of (lucid-updates -> this version, this version -> this version) x (no 00secure, original 00secure, modified 00secure).

The maverick update is not that important I think, but it's such a simple fix that we should just provide it anyway. I'll upload it when I get the security team's "go" for publishing the bug and the update.

Security team, do you want to assign a CVE to this? If so, please add it to the changelog when you upload this.

Karmic update will come in a bit.

Changed in base-files (Ubuntu Lucid):
status: Triaged → Fix Committed
Revision history for this message
Martin Pitt (pitti) wrote :

Corresponding karmic update, tested the same way.

Changed in base-files (Ubuntu Karmic):
status: Triaged → Fix Committed
Revision history for this message
Martin Pitt (pitti) wrote :

Maverick update. I can upload this myself once we settle the CVE question and security team acks/processes the lucid/karmic updates.

Changed in base-files (Ubuntu Maverick):
status: Triaged → Fix Committed
Revision history for this message
Kees Cook (kees) wrote : Re: [Bug 610647] Re: Dell Latitude 2110 ships insecure apt configuration

CVE-2010-0834

I will get these uploaded for building to the security queue. Thanks for
preparing the fixes!

Kees Cook (kees)
visibility: private → public
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package base-files - 5.0.0ubuntu20.10.04.2

---------------
base-files (5.0.0ubuntu20.10.04.2) lucid-security; urgency=low

  * SECURITY UPDATE: unauthenticated software installations.
    - debian/postinst.in: A bug in the build process for the Dell Latitude
      2110 factory pre-installed OEM images caused a temporary apt
      configuration file to be left in the installed system. This disabled
      apt's enforcement of authenticated packages. Remove the file on
      upgrades if it matches the factory version. (LP: #610647)
    - CVE-2010-0834
 -- Martin Pitt <email address hidden> Wed, 28 Jul 2010 17:54:43 +0200

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package base-files - 5.0.0ubuntu7.1

---------------
base-files (5.0.0ubuntu7.1) karmic-security; urgency=low

  * SECURITY UPDATE: unauthenticated software installations.
    - debian/postinst.in: A bug in the build process for the Dell Latitude
      2110 factory pre-installed OEM images caused a temporary apt
      configuration file to be left in the installed system. This disabled
      apt's enforcement of authenticated packages. Remove the file on
      upgrades if it matches the factory version. (LP: #610647)
    - CVE-2010-0834
 -- Martin Pitt <email address hidden> Wed, 28 Jul 2010 18:38:33 +0200

Changed in base-files (Ubuntu Karmic):
status: Fix Committed → Fix Released
Changed in base-files (Ubuntu Lucid):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package base-files - 5.0.0ubuntu22

---------------
base-files (5.0.0ubuntu22) maverick; urgency=low

  * debian/postinst.in: A bug in the build process for the Dell Latitude 2110
    factory pre-installed OEM images caused a temporary apt configuration file
    to be left in the installed system. This disabled apt's enforcement of
    authenticated packages. Remove the file on upgrades if it matches the
    factory version. (LP: #610647)
 -- Martin Pitt <email address hidden> Wed, 28 Jul 2010 18:46:45 +0200

Changed in base-files (Ubuntu Maverick):
status: Fix Committed → Fix Released
Changed in base-files (Ubuntu Karmic):
status: Fix Released → Incomplete
Martin Pitt (pitti)
Changed in base-files (Ubuntu Karmic):
status: Incomplete → Fix Released
Changed in base-files (Ubuntu):
status: Fix Released → New
Martin Pitt (pitti)
Changed in base-files (Ubuntu):
status: New → Fix Released