update-manager leaks passwords to private PPAs in world readable log files

Bug #839094 reported by James Troup
Affects                  Status        Importance  Assigned to   Milestone
update-manager (Ubuntu)  Fix Released  High        Michael Vogt
Oneiric                  Fix Released  High        Michael Vogt

Bug Description

update-manager puts passwords to private PPA in world-readable log
files, cf.

| sdfsdsd@tuna:~$ grep -r private-ppa /var/log/dist-upgrade/20110901-1642/
| /var/log/dist-upgrade/20110901-1642/main.log:2011-09-01 16:35:03,768 DEBUG examining: 'deb https://elmo:<email address hidden>/commercial-ppa-uploaders/braid/ubuntu natty main #Added by software-center'
| /var/log/dist-upgrade/20110901-1642/main.log:2011-09-01 16:35:03,771 DEBUG entry '# deb https://elmo:<email address hidden>/commercial-ppa-uploaders/braid/ubuntu oneiric main #Added by software-center disabled on upgrade to oneiric' was disabled (unknown mirror)
| sdfsdsd@tuna:~$ groups
| sdfsdsd
| sdfsdsd@tuna:~$

Obviously, this is bad for any system that has more than one user.

security vulnerability: no → yes
Changed in update-manager (Ubuntu Oneiric):
importance: Undecided → Medium
assignee: nobody → Canonical Foundations Team (canonical-foundations)
status: New → Confirmed
Colin Watson (cjwatson)
Changed in update-manager (Ubuntu Oneiric):
assignee: Canonical Foundations Team (canonical-foundations) → Michael Vogt (mvo)
importance: Medium → High
tags: added: rls-mgr-o-tracking
Steve Langasek (vorlon)
Changed in update-manager (Ubuntu Oneiric):
milestone: none → oneiric-updates
Michael Vogt (mvo)
Changed in update-manager (Ubuntu Oneiric):
status: Confirmed → In Progress
Michael Vogt (mvo)
Changed in update-manager (Ubuntu Oneiric):
status: In Progress → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package update-manager - 1:0.152.20

---------------
update-manager (1:0.152.20) oneiric; urgency=low

  * DistUpgrade/DistUpgradeQuirks.py:
    - increase the default cache size on a multiarch system to
      avoid potential crash in natty apt (LP: #854090)
  * DistUpgrade/DistUpgradeController.py, UpdateManager/Core/utils.py:
    - do not leak password from sources.list entries into the logfile
      (LP: #839094)
  * UpdateManager/UpdateManager.py:
    - do not crash if a package can not be put into "install" state,
      instead, just keep the old (unmarked) state (LP: #850482)
  * UpdateManager/DistUpgradeFetcher.py:
    - fix crash for changed gtk2 -> gtk3 API (LP: #859862)
  * UpdateManager/backend/InstallBackendAptdaemon.py:
    - remove debug output (LP: #855495)
 -- Michael Vogt <email address hidden> Fri, 30 Sep 2011 16:09:55 +0200

Changed in update-manager (Ubuntu Oneiric):
status: Fix Committed → Fix Released
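The changelog above describes the fix only as "do not leak password from sources.list entries into the logfile". The following Python is an added example, not update-manager's own code: it shows one way to do that (a redaction function for the userinfo part of apt sources.list URIs, applied through a logging filter so it covers every message before a handler writes it) plus an audit helper that finds credentials already sitting in existing logs, which is the check an administrator of a multi-user machine would want to run after this fix. The host name, the password `s3cret`, the `<hidden>` placeholder and the sample log lines are all constructed for the example; the report itself hides the real values.

```python
import io
import logging
import re
from typing import List, Tuple

# Pattern for the userinfo part of a URI: scheme://user[:password]@host...
# It matches inside both active "deb ..." lines and commented-out "# deb ..."
# lines, since the report shows the password leaking in both forms.
_USERINFO_RE = re.compile(
    r"(?P<scheme>[A-Za-z][A-Za-z0-9+.-]*://)"  # e.g. https://
    r"(?P<user>[^:@/\s]+)"                     # user name
    r"(?::(?P<password>[^@/\s]*))?"            # optional :password
    r"@"                                       # the @ that precedes the host
)

MASK = "<hidden>"  # assumed placeholder; the report does not say what update-manager substitutes


def redact_sources_line(line: str) -> str:
    """Return `line` with every URI password replaced by MASK.

    The user name and host are kept so an administrator can still tell which
    PPA entry a log line refers to; only the secret is removed.
    """
    def _mask(m):
        if m.group("password") is None:
            return m.group(0)  # user@host with no password: nothing to hide
        return f"{m.group('scheme')}{m.group('user')}:{MASK}@"
    return _USERINFO_RE.sub(_mask, line)


def redact_log(text: str) -> str:
    """Apply redact_sources_line to every line of an existing log file's contents."""
    return "".join(redact_sources_line(l) for l in text.splitlines(keepends=True))


def find_leaked_credentials(log_text: str) -> List[Tuple[str, str]]:
    """Audit helper: (user, host) for every URI in `log_text` that still carries a password."""
    leaks = []
    for m in _USERINFO_RE.finditer(log_text):
        if m.group("password") in (None, MASK):
            continue
        host = re.match(r"[^/\s]*", log_text[m.end():]).group(0)
        leaks.append((m.group("user"), host))
    return leaks


class RedactingFilter(logging.Filter):
    """Scrub credentials from the fully rendered message before a handler writes it."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_sources_line(record.getMessage())
        record.args = ()  # already interpolated above; prevent a second % formatting
        return True


def log_through_filter(messages: List[Tuple[str, tuple]], name: str = "dist-upgrade-example") -> str:
    """Log (format, args) pairs through a handler carrying RedactingFilter; return the rendered text."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(RedactingFilter())  # on the handler, so child loggers are covered too
    log = logging.getLogger(name)
    log.setLevel(logging.DEBUG)
    log.propagate = False
    log.addHandler(handler)
    try:
        for fmt, args in messages:
            log.debug(fmt, *args)
    finally:
        log.removeHandler(handler)
    return buf.getvalue()


# Constructed sample of a main.log excerpt; host name and password are made up.
SAMPLE_LOG = (
    "2011-09-01 16:35:03,768 DEBUG examining: 'deb https://elmo:s3cret@private-ppa.launchpad.net/"
    "commercial-ppa-uploaders/braid/ubuntu natty main #Added by software-center'\n"
    "2011-09-01 16:35:03,771 DEBUG entry '# deb https://elmo:s3cret@private-ppa.launchpad.net/"
    "commercial-ppa-uploaders/braid/ubuntu oneiric main' was disabled (unknown mirror)\n"
    "2011-09-01 16:35:04,002 DEBUG examining: 'deb http://archive.ubuntu.com/ubuntu natty main'\n"
)

if __name__ == "__main__":
    print("leaks before:", find_leaked_credentials(SAMPLE_LOG))
    cleaned = redact_log(SAMPLE_LOG)
    print(cleaned, end="")
    print("leaks after:", find_leaked_credentials(cleaned))
    print(log_through_filter([("examining: %r",
                               ("deb https://elmo:s3cret@private-ppa.launchpad.net/x/ubuntu natty main",))]), end="")
```

Two practical notes. Redaction at log time is only half of the remediation: any password already written to a world-readable `/var/log/dist-upgrade/*/main.log` should be treated as exposed to every local user and rotated, and the log directory permissions can be tightened independently of the code fix. The filter is attached to the handler rather than the logger on purpose, because a `logging.Filter` on a logger only sees records logged directly on that logger, while a handler filter sees everything that reaches the file.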
This report contains Public Security information
Everyone can see this security related information.