unattended-upgrades fails to upgrade insecure packages

Bug #891747 reported by xtsbdu3reyrbrmroezob
Affects                        Status        Importance  Assigned to   Milestone
unattended-upgrades (Ubuntu)   Fix Released  Medium      Michael Vogt
Lucid                          Fix Released  Medium      Unassigned
Maverick                       Won't Fix     Medium      Unassigned
Natty                          Won't Fix     Medium      Unassigned
Oneiric                        Won't Fix     Medium      Unassigned

Bug Description

Background information:
"""
$ lsb_release -rd
Description: Ubuntu 11.10
Release: 11.10

$ apt-cache policy unattended-upgrades
unattended-upgrades:
  Installed: 0.73ubuntu1
  Candidate: 0.73ubuntu1
  Version table:
 *** 0.73ubuntu1 0
        500 http://us.archive.ubuntu.com/ubuntu/ oneiric/main amd64 Packages
        100 /var/lib/dpkg/status
"""

I expect that when I run the unattended-upgrades command that every insecure package will be upgraded to a secure version. However, this does not occur in the situation shown as an example here. There may also be other situations that cause insecure packages not to be upgraded.
"""
$ apt-cache policy xserver-xorg-core
xserver-xorg-core:
  Installed: 2:1.10.4-1ubuntu4
  Candidate: 2:1.10.4-1ubuntu4.2
  Version table:
     2:1.10.4-1ubuntu4.2 0
        500 http://us.archive.ubuntu.com/ubuntu/ oneiric-updates/main amd64 Packages
     2:1.10.4-1ubuntu4.1 0
        500 http://security.ubuntu.com/ubuntu/ oneiric-security/main amd64 Packages
 *** 2:1.10.4-1ubuntu4 0
        500 http://us.archive.ubuntu.com/ubuntu/ oneiric/main amd64 Packages
        100 /var/lib/dpkg/status

$ sudo unattended-upgrade -d 2>&1 | egrep ^No
No packages found that can be upgraded unattended
$ echo $?
0
$ apt-cache policy xserver-xorg-core
xserver-xorg-core:
  Installed: 2:1.10.4-1ubuntu4
  Candidate: 2:1.10.4-1ubuntu4.2
  Version table:
     2:1.10.4-1ubuntu4.2 0
        500 http://us.archive.ubuntu.com/ubuntu/ oneiric-updates/main amd64 Packages
     2:1.10.4-1ubuntu4.1 0
        500 http://security.ubuntu.com/ubuntu/ oneiric-security/main amd64 Packages
 *** 2:1.10.4-1ubuntu4 0
        500 http://us.archive.ubuntu.com/ubuntu/ oneiric/main amd64 Packages
        100 /var/lib/dpkg/status
"""

In the example above, we have xserver-xorg-core, which is currently an insecure package containing security flaws. A run of the unattended-upgrades tool SHOULD resolve this situation, but in fact, it does not due to a higher revision package that is available for installation that is not tagged as a security release. This results in the unattended-upgrade tool not being reliable as a means to ensure system security.

A copy of the current locations to automatically install updates from:
"""
$ egrep -v '^//' /etc/apt/apt.conf.d/50unattended-upgrades | sed '/^$/d'
Unattended-Upgrade::Allowed-Origins {
 "Google\, Inc.:stable";
 "${distro_id} ${distro_codename}-security";
};
Unattended-Upgrade::Package-Blacklist {
};
"""

Michael Vogt (mvo) wrote :

Indeed, this is a problem. I work on a proper fix now.

In the meantime my suggestion is to comment out oneiric-updates in sources.list to avoid having these higher version numbers shadowing the security version.

Changed in unattended-upgrades (Ubuntu):
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Michael Vogt (mvo)
Michael Vogt (mvo) wrote :

Here is a quick fix; it will not work against Debian though, as it uses a different schema.

Michael Vogt (mvo) wrote :

This should work fine in Debian as well; it needs some testing against really old versions of python-apt though, as there have been bugs in the past about the candidate selection (lucid, and in particular hardy).

xtsbdu3reyrbrmroezob (xtsbdu3reyrbrmroezob) wrote :

Michael -- thanks for the patch. There may be some corner cases that don't get picked up by the update in certain configurations. In order to notify anyone that might be affected, shall we issue a CVE and notify/announce on the ubuntu security mailing list? Hopefully this will resolve the issue. I know that some companies won't update unless they see these notifications, which might also be currently relying on the older/insecure package of unattended-updates as well. Thanks for the update! Cheers...

Marc Deslauriers (mdeslaur) wrote :

We don't generally consider bugs in package update tools to directly be a security issue. As such, we won't be publishing this as a security update; it should go through the proper SRU process.

security vulnerability: yes → no
visibility: private → public
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "quick fix for ubuntu" of this bug report has been identified as being a patch. The ubuntu-reviewers team has been subscribed to the bug report so that they can review the patch. In the event that this is in fact not a patch you can resolve this situation by removing the tag 'patch' from the bug report and editing the attachment so that it is not flagged as a patch. Additionally, if you are a member of the ubuntu-sponsors please also unsubscribe the team from this bug report.

[This is an automated message performed by a Launchpad user owned by Brian Murray. Please contact him regarding any issues with the action taken in this bug report.]

tags: added: patch
xtsbdu3reyrbrmroezob (xtsbdu3reyrbrmroezob) wrote :

OK. But just be advised that anyone running an LTS version of Ubuntu who expects security updates to be installed via unattended-upgrades will be VULNERABLE to exploitation because updated packages are NOT being installed as expected. This has the potential to do much more harm to any system than a specific single package vulnerability, mainly because now the exposure is multiplied by the total number of packages not updated that contain vulnerabilities. In such a case, it could be hundreds of packages. In my specific case, it was around ~20 packages that were vulnerable.

So, in summary, anyone running an LTS release with this vulnerable package will remain vulnerable for up to five years because unattended-upgrades is not being tagged as a security vulnerability and not upgrading itself.

Also, this brings to light another attack on the packaging system as detailed below.

1) Security team announces major security issue in a package used by everyone (say libpam)
2) Security update released to public.
3) One hour later, a trusted insider posts an update to the same libpam package to fix some minor bugs.
4) Vulnerable systems never receive package update via unattended-upgrades and remain vulnerable for eternity due to improper package update selection process algorithm...

This could mean the libpam vulnerability is exploitable forever on the system! If that is what you think is acceptable, then OK!

Marc Deslauriers (mdeslaur) wrote :

This only happens if there is both a package in -security and a package in -updates. Typically, packages in -updates need to wait a week in -proposed before making their way to -updates. For most installations, unattended-upgrades will have updated to the package in -security before the more recent package would have appeared in -updates.

I understand that this may result in certain systems not being updated to the latest security releases, but this by itself is not typically what would be considered a security issue.

Marc Deslauriers (mdeslaur) wrote :

That being said, we may choose to publish it in the -security pocket once it's gone through the SRU process.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package unattended-upgrades - 0.75

---------------
unattended-upgrades (0.75) unstable; urgency=low

  * add tests for compat mode and spaces in a origin
  * escape "," in the Allowed-Origins compat mode (LP: #824856)
  * merged lp:~mvo/unattended-upgrades/unshadow-versions, this will
    ensure that higher versions in a non-origin branch do not "shadow"
    the versions from a desired origin (LP: #891747)

 -- Michael Vogt <email address hidden> Tue, 22 Nov 2011 15:27:56 +0100

Changed in unattended-upgrades (Ubuntu):
status: In Progress → Fix Released
Michael Vogt (mvo) wrote :

I prepared a fix for lucid now, it's in:
$ bzr branch lp:ubuntu/lucid-proposed/unattended-upgrades
$ bzr-buildpackage
(or cd unattended-upgrades ; sudo ./unattended-upgrades)

Works fine for me in my test-vm; I'll push an SRU once the current version in -proposed moves to -updates.
Once that is done I will move to the other SRUs too.

Michael Vogt (mvo)
Changed in unattended-upgrades (Ubuntu Lucid):
status: New → In Progress
importance: Undecided → Medium
Michael Vogt (mvo)
Changed in unattended-upgrades (Ubuntu Oneiric):
status: New → In Progress
Martin Pitt (pitti) wrote : Please test proposed package

Hello Kristian, or anyone else affected,

Accepted unattended-upgrades into oneiric-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you in advance!

Changed in unattended-upgrades (Ubuntu Oneiric):
status: In Progress → Fix Committed
tags: added: verification-needed
Martin Pitt (pitti) wrote :

Hello Kristian, or anyone else affected,

Accepted unattended-upgrades into lucid-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you in advance!

Changed in unattended-upgrades (Ubuntu Lucid):
status: In Progress → Fix Committed
Changed in unattended-upgrades (Ubuntu Maverick):
status: New → Fix Committed
Changed in unattended-upgrades (Ubuntu Natty):
status: New → Fix Committed
Changed in unattended-upgrades (Ubuntu Maverick):
importance: Undecided → Medium
Changed in unattended-upgrades (Ubuntu Natty):
importance: Undecided → Medium
Changed in unattended-upgrades (Ubuntu Oneiric):
importance: Undecided → Medium
Jean-Baptiste Lallement (jibel) wrote :

SRU verification for Lucid:
I have reproduced the problem with unattended-upgrades 0.55ubuntu6 in lucid-updates and have verified that the version of unattended-upgrades 0.55ubuntu7 in -proposed fixes the issue.

I used w3m as a victim package, and with u-u from -proposed the version from -security is installed.
    w3m:
      Installé : 0.5.2-2.1ubuntu1.1
      Candidat : 0.5.2-2.1ubuntu1.2
     Table de version :
         0.5.2-2.1ubuntu1.2 0
            500 http://archive.ubuntu.com/ubuntu/ lucid-updates/main Packages
     *** 0.5.2-2.1ubuntu1.1 0
            500 http://security.ubuntu.com/ubuntu/ lucid-security/main Packages
            100 /var/lib/dpkg/status
         0.5.2-2.1ubuntu1 0
            500 http://archive.ubuntu.com/ubuntu/ lucid/main Packages

Marking as verification-done

tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package unattended-upgrades - 0.55ubuntu7

---------------
unattended-upgrades (0.55ubuntu7) lucid-proposed; urgency=low

  * backport lp:~mvo/unattended-upgrades/unshadow-versions
    to fix versions in -updates shadowing versions in -security
    (LP: #891747)
  * print conffile hold-backs to stdout to ensure its part of
    the cron mail (LP: #773007), thanks to Jean-Baptiste Lallement
 -- Michael Vogt <email address hidden> Wed, 30 Nov 2011 09:34:06 +0100

Changed in unattended-upgrades (Ubuntu Lucid):
status: Fix Committed → Fix Released
Martin Pitt (pitti) wrote :

Resetting verification tag for the other releases.

tags: added: verification-needed
removed: verification-done
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. maverick has reached EOL (End of Life) and is no longer supported. As a result, this bug against maverick is being marked "Won't Fix". Please see https://wiki.ubuntu.com/Releases for currently supported Ubuntu releases.

Please feel free to report any other bugs you may find.

Changed in unattended-upgrades (Ubuntu Maverick):
status: Fix Committed → Won't Fix
Changed in unattended-upgrades (Ubuntu Natty):
status: Fix Committed → Won't Fix
Brian Murray (brian-murray) wrote : Verification still needed

The fix for this bug has been awaiting testing feedback in the -proposed repository for oneiric for more than 90 days. Please test this fix and update the bug appropriately with the results. In the event that the fix for this bug is still not verified 15 days from now, the package will be removed from the -proposed repository.

tags: added: removal-candidate
Brian Murray (brian-murray) wrote :

The version of unattended-upgrades in oneiric-proposed has been removed as the bugs it was fixing (including this one) were not verified in a timely fashion.

Changed in unattended-upgrades (Ubuntu Oneiric):
status: Fix Committed → Triaged
tags: removed: verification-needed
tags: removed: removal-candidate
xtsbdu3reyrbrmroezob (xtsbdu3reyrbrmroezob) wrote : Re: [Bug 891747] Re: unattended-upgrades fails to upgrade insecure packages

Brian -- wait a moment. Are you planning to reintroduce a security flaw into Ubuntu?
On Mar 8, 2013 9:48 AM, "Brian Murray" <email address hidden> wrote:

> The version of unattended-upgrades in oneiric-proposed has been removed
> as the bugs it was fixing (including this one) were not verified in a
> timely fashion.

Seth Arnold (seth-arnold) wrote :

@Kristian -- no one performed the SRU verification steps as requested in comment #18 for Oneiric. Thus the fix was never pushed to Oneiric, and the problem has never been addressed there.

Please see this wiki page for more details about the SRU process:

    https://wiki.ubuntu.com/StableReleaseUpdates#Verification

Thanks

xtsbdu3reyrbrmroezob (xtsbdu3reyrbrmroezob) wrote :

OK -- but realize that if you move forward, you are going to be introducing a CRITICAL vulnerability affecting multiple packages across the entire Ubuntu distribution.

On Fri, Mar 8, 2013 at 11:47 AM, Seth Arnold <email address hidden> wrote:
> @Kristian -- no one performed the SRU verification steps as requested in
> comment #18 for Oneiric. Thus the fix was never pushed to Oneiric, and
> the problem has never been addressed there.
>
> Please see this wiki page for more details about the SRU process:
>
> https://wiki.ubuntu.com/StableReleaseUpdates#Verification
>
> Thanks

--
Kristian Erik Hermansen
https://www.linkedin.com/in/kristianhermansen
https://profiles.google.com/kristian.hermansen

Marc Deslauriers (mdeslaur) wrote :

@Kristian: he's not going to be introducing a vulnerability. The flaw in unattended-upgrades had never gotten fixed in Oneiric in the first place, so the vulnerability has always been present.

Since Oneiric is going end-of-life in a month or so, I don't think this is worth attempting to fix further. Users of Lucid, Precise and newer releases are already fixed.

xtsbdu3reyrbrmroezob (xtsbdu3reyrbrmroezob) wrote :

Oh OK. Thank you. I just wanted to ensure that future releases are being patched. Cheers...

On Fri, Mar 8, 2013 at 12:21 PM, Marc Deslauriers
<email address hidden> wrote:
> @Kristian: he's not going to be introducing a vulnerability. The flaw in
> unattended-upgrades had never gotten fixed in Oneiric in the first
> place, so the vulnerability has always been present.
>
> Since Oneiric is going end-of-life in a month or so, I don't think this
> is worth attempting to fix further. Users of Lucid, Precise and newer
> releases are already fixed.


Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. oneiric has reached EOL (End of Life) and is no longer supported. As a result, this bug against oneiric is being marked "Won't Fix". Please see https://wiki.ubuntu.com/Releases for currently supported Ubuntu releases.

Please feel free to report any other bugs you may find.

Changed in unattended-upgrades (Ubuntu Oneiric):
status: Triaged → Won't Fix