Should not include private PPA details in software-center.log

Bug #807745 reported by Gary Lasker
Affects                            Status        Importance  Assigned to   Milestone
software-center (Ubuntu)           Fix Released  High        Gary Lasker
software-center (Ubuntu Maverick)  Fix Released  High        Unassigned
software-center (Ubuntu Natty)     Fix Released  High        Unassigned

Bug Description

Currently, when a transaction failed error occurs, we log the error
message from aptdaemon in software-center.log. If the transaction
failure was associated with a private PPA, the username and password
details will be included in the message from aptdaemon and so will be
included in the log. Since this log can potentially be exposed in a bug
report, we should obfuscate these details in both the log message and
also in the corresponding dialog that is displayed for the error (since
a screenshot of the dialog could potentially be attached to a bug as well).

TEST CASE for Maverick and Natty SRUs:

1. (For Maverick) Update to Software Center 3.0.10 in maverick-proposed.
   -or-
1. (For Natty) Update to Software Center 4.0.5 in natty-proposed.
2. Open Software Center, navigate to the "For Purchase" section and purchase an item (or simply reinstall a previously purchased item if you have one). Note that a larger package download will make verification easier, since it provides more time to interrupt the download in progress to induce the failure mode. Note that Steel Storm: Burning Retribution is a ~690MB download and is priced at $4.99, making it a good candidate for this test (but any purchased package will do).
3. After the package download has begun and during the download itself, shut off your network connection.
4. Wait for the transaction to time out (this takes a couple of minutes). The failure is indicated when the "Failed to download package files" error dialog appears.
5. In the error dialog, expand the "Details" section and verify that the username and password portions of the given URL are rendered as "hidden:hidden" (e.g. "Failed to fetch https://hidden:<email address hidden>/commercial-ppa-uploaders/steel-storm2/ubuntu/pool/main/s/steelstorm-episode2/steelstorm-episode2-data_2.00.02818-0maverick1_all.deb").
6. View the file ~/.cache/software-center.log, navigate to the end and find the error message. Again verify that the username and password portions of the given URLs are rendered as "hidden:hidden".
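One way to implement the masking the description and test case call for, as an added example in Python that is not software-center's own utils.py or aptd.py code: every user:password pair in an embedded URL is rewritten to hidden:hidden, and a logging filter applies the same scrub before any handler writes to disk. The function and class names and the sample error message are assumptions, constructed to resemble the aptdaemon error quoted in the bug.

```python
import io
import logging
import re

# Matches "scheme://user:password@" so the credentials can be swapped out.
# Userinfo cannot contain '/', '@' or whitespace, so a URL that only has a
# host:port (no '@') is left alone.
_CREDENTIALS_RE = re.compile(
    r"(?P<scheme>[a-zA-Z][a-zA-Z0-9+.-]*://)(?P<userinfo>[^/@\s]+:[^/@\s]*)@")


def obfuscate_private_ppa_details(text):
    """Replace user:password in every URL embedded in text with
    hidden:hidden, making the message safe to log or show in a dialog."""
    return _CREDENTIALS_RE.sub(r"\g<scheme>hidden:hidden@", text)


class ObfuscatingFilter(logging.Filter):
    """Scrubs every record before any handler sees it, so the on-disk log
    never receives the credentials even if a caller forgets to scrub."""
    def filter(self, record):
        # Render first so credentials passed via %-args are scrubbed too.
        record.msg = obfuscate_private_ppa_details(record.getMessage())
        record.args = ()
        return True


# Constructed sample modelled on the aptdaemon error quoted in the bug;
# the account name and password are made up.
SAMPLE_ERROR = (
    "Error: Failed to download package files\nCheck your Internet connection.\n\n"
    "Failed to fetch https://someuser:s3cr%40t@private-ppa.launchpad.net/"
    "commercial-ppa-uploaders/example/pool/main/e/example_1.0_all.deb "
    "Operation too slow.\n"
    "Failed to fetch https://someuser:s3cr%40t@private-ppa.launchpad.net/"
    "commercial-ppa-uploaders/example/pool/main/e/example_1.0_amd64.deb "
    "Couldn't resolve host 'private-ppa.launchpad.net'")


def log_scrubbed(message, args=()):
    """Log through a logger carrying ObfuscatingFilter and return what the
    handler wrote (a stand-in for ~/.cache/software-center.log)."""
    buf = io.StringIO()
    logger = logging.getLogger("example.softwarecenter.backend")
    logger.handlers, logger.filters, logger.propagate = [], [], False
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(name)s - %(levelname)s - %(message)s"))
    logger.addHandler(handler)
    logger.addFilter(ObfuscatingFilter())
    logger.error(message, *args)
    return buf.getvalue()
```

Run `print(log_scrubbed("error in %s '%s'", ("_on_trans_finished", SAMPLE_ERROR)))` to see a log line in the shape of the one the test case expects, with both URLs showing hidden:hidden.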

Gary Lasker (gary-lasker) wrote :

I am unsubscribing the security team as this is not technically a security vulnerability. I just set the option in order to have the bug opened as private by default. Thanks and sorry for the inconvenience.

Changed in software-center (Ubuntu):
status: New → In Progress
importance: Undecided → High
assignee: nobody → Gary Lasker (gary-lasker)
security vulnerability: yes → no
Gary Lasker (gary-lasker) wrote :

This bug was fixed in software-center version 4.1.7:

software-center (4.1.7) oneiric; urgency=low

  [ Aaron Peachey ]
  * Add fake-review API that can be used for GUI testing and
    automatic testing without actually hitting the network.
    Can be enabled with the SOFTWARE_CENTER_FAKE_REVIEW_API=1
    environment
  * add support to remove/modify reviews, this requires the
    new rnrserver in production

  [ Michael Vogt ]
  * merged lp:~aaronp/software-center/tests, many thanks
  * merged lp:~mvo/software-center/piston-sc-agent:
    This move the SoftwareCenterAgent support from restfulclient
    to piston-mini-client and adds a new SpawnHelper abstraction.
    It also adds a new SOFTWARE_CENTER_AGENT_INCLUDE_QA environment
    to get apps in QA (if you are in the right group)
  * remove get_http_proxy_string_from_gconf and remove python-gconf
    dependency

  [ Gary Lasker ]
  * merge lp:~evfool/software-center/smallfixes to fix up mouse click
    handling for LinkButton, many thanks to Robert Roth (LP: #796640)
  * merge lp:~mterry/software-center/drop-deja-dup courtesy Michael
    Terry, removes deja-dup from the featured apps list since it has
    been promoted to main
  * merge lp:~evfool/software-center/fixnavigation, fixes navigation
    error when searching (LP: #801114)
  * softwarecenter/ui/gtk/appview.py:
    - fix phantom install button in for purchase listview (LP: #801512)
  * softwarecenter/db/update.py:
    - add support for custom desktop key X-Ubuntu-Software-Center-Name
      for USC-specific display names (LP: #801197)
  * softwarecenter/ui/gtk/appdetailsview_gtk.py:
    - don't start the indeterminate progress bar for purchase
      transactions until after the authentication dialog is closed
      (LP: #725181)
  * softwarecenter/utils.py,
    softwarecenter/backend/aptd.py,
    test/test_software_channels.py:
    - obfuscate private ppa details in the error log output and in
      the error dialog itself, add corresponding unit test

  [ Steve Langasek ]
  * debian/control: point Vcs-Bzr field at the right branch.

 -- Michael Vogt <email address hidden> Mon, 04 Jul 2011 07:41:36 +0100

Changed in software-center (Ubuntu):
status: In Progress → Fix Released
Michael Vogt (mvo)
Changed in software-center (Ubuntu Maverick):
status: New → In Progress
Changed in software-center (Ubuntu Natty):
status: New → In Progress
Changed in software-center (Ubuntu Maverick):
importance: Undecided → High
Changed in software-center (Ubuntu Natty):
importance: Undecided → High
Chris Halse Rogers (raof) wrote :

SRU team ack: please accept into maverick-proposed.

The natty-proposed package has additional changes that I'm not yet convinced should be SRU'd. See bug #802919 for details.

Clint Byrum (clint-fewbar) wrote :

Actually, Chris, there is one change that should not be accepted I think:

diff -Nru software-center-3.0.9/softwarecenter/version.py software-center-3.0.10/softwarecenter/version.py
--- software-center-3.0.9/softwarecenter/version.py 2011-06-16 07:53:33.000000000 +0000
+++ software-center-3.0.10/softwarecenter/version.py 2011-07-13 12:21:35.000000000 +0000
@@ -1,5 +1,5 @@

-VERSION='3.0.9'
+VERSION='3.0.10'
 CODENAME='maverick-proposed'
 DISTRO='Ubuntu'
-RELEASE='10.10'
+RELEASE='11.10'
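Review bot: the second change in this hunk, RELEASE '10.10' to '11.10', does not belong in a maverick-proposed upload: the unchanged context line CODENAME='maverick-proposed' identifies the series, and Maverick is Ubuntu 10.10, so the new value is wrong for this target. The VERSION bump to 3.0.10 is the expected part; RELEASE should be reverted to '10.10' or the change explained in the changelog before acceptance.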

I'm not sure where that RELEASE value is used, if at all, but it was accidentally changed to 11.10 in the natty upload as well.

Delaying accept until that is explained or reverted.

Clint Byrum (clint-fewbar) wrote : Please test proposed package

Hello Gary, or anyone else affected,

Accepted software-center into maverick-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Changed in software-center (Ubuntu Maverick):
status: In Progress → Fix Committed
tags: added: verification-needed
Clint Byrum (clint-fewbar) wrote :

Hello Gary, or anyone else affected,

Accepted software-center into natty-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Changed in software-center (Ubuntu Natty):
status: In Progress → Fix Committed
Gary Lasker (gary-lasker) wrote :

Verified this fix in Software Center version 3.0.10 in maverick-proposed, per the given test case. The following is the output in SoftwareCenter.log and I will attach a screenshot showing the obfuscated details in the corresponding error dialog.

"2011-07-15 17:10:02,194 - softwarecenter.backend - ERROR - error in _on_trans_finished 'Error: Failed to download package files
Check your Internet connection.

Failed to fetch https://hidden:<email address hidden>/commercial-ppa-uploaders/steel-storm2/ubuntu/pool/main/s/steelstorm-episode2/steelstorm-episode2-data_2.00.02818-0maverick1_all.deb Operation too slow. Less than 10 bytes/sec transfered the last 120 seconds
Failed to fetch https://hidden:<email address hidden>/commercial-ppa-uploaders/steel-storm2/ubuntu/pool/main/s/steelstorm-episode2/steelstorm-episode2_2.00.02818-0maverick1_amd64.deb Couldn't resolve host 'private-ppa.launchpad.net'"

Thanks!

Gary Lasker (gary-lasker) wrote :

I also verified this fix in Software Center version 4.0.5 in natty-proposed, per the given test case. The following is the output in SoftwareCenter.log and I will attach a screenshot showing the obfuscated details in the corresponding error dialog.

"2011-07-15 17:41:26,589 - softwarecenter.backend - ERROR - error in _on_trans_finished 'Error: Failed to download package files
Check your Internet connection.

Failed to fetch https://hidden:<email address hidden>/commercial-ppa-uploaders/steel-storm2/ubuntu/pool/main/s/steelstorm-episode2/steelstorm-episode2-data_2.00.02818-0maverick1_all.deb Operation too slow. Less than 10 bytes/sec transfered the last 120 seconds
Failed to fetch https://hidden:<email address hidden>/commercial-ppa-uploaders/steel-storm2/ubuntu/pool/main/s/steelstorm-episode2/steelstorm-episode2_2.00.02818-0maverick1_amd64.deb Couldn't resolve host 'private-ppa.launchpad.net'"

Thanks!

Gary Lasker (gary-lasker) wrote :
description: updated
tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package software-center - 3.0.10

---------------
software-center (3.0.10) maverick-proposed; urgency=low

  * softwarecenter/utils.py,
    softwarecenter/backend/aptd.py,
    test/test_software_channels.py:
    - obfuscate private ppa details in the error log output and in
      the error dialog itself, add corresponding unit test
      (LP: #807745)
 -- Gary Lasker <email address hidden> Fri, 08 Jul 2011 18:01:01 -0400

Changed in software-center (Ubuntu Maverick):
status: Fix Committed → Fix Released
Martin Pitt (pitti)
visibility: private → public
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package software-center - 4.0.5

---------------
software-center (4.0.5) natty-proposed; urgency=low

  [ Aaron Peachey ]
  * softwarecenter/view/appdetailsview_gtk.py,
    softwarecenter/view/widgets/reviews.py:
    - fix duplication of reviews upon submitting a new
      review, completes the fix for LP: #794060

  [ Gary Lasker ]
  * softwarecenter/utils.py,
    softwarecenter/backend/aptd.py,
    test/test_software_channels.py:
    - obfuscate private ppa details in the error log output and in
      the error dialog itself, add corresponding unit test
      (LP: #807745)
  * merge lp:~evfool/software-center/nonetworkfixes, fixes two menu
    item network state bugs, many thanks to Robert Roth
    (LP: #802919, LP: #802920)
 -- Michael Vogt <email address hidden> Wed, 13 Jul 2011 14:24:50 +0200

Changed in software-center (Ubuntu Natty):
status: Fix Committed → Fix Released