← Back to team overview

group.of.nepali.translators team mailing list archive

[Bug 1926183] Re: 'ua fix' tells me to reboot with inaccurate message

 

The Hirsute Hippo has reached End of Life, so this bug will not be fixed
for that release.

** Changed in: ubuntu-advantage-tools (Ubuntu Hirsute)
       Status: Fix Committed => Won't Fix

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1926183

Title:
  'ua fix' tells me to reboot with inaccurate message

Status in ubuntu-advantage-tools package in Ubuntu:
  Fix Released
Status in ubuntu-advantage-tools source package in Xenial:
  Fix Released
Status in ubuntu-advantage-tools source package in Bionic:
  Fix Committed
Status in ubuntu-advantage-tools source package in Focal:
  Fix Committed
Status in ubuntu-advantage-tools source package in Groovy:
  Won't Fix
Status in ubuntu-advantage-tools source package in Hirsute:
  Won't Fix
Status in ubuntu-advantage-tools source package in Impish:
  Fix Released

Bug description:
  [Impact]

  When using an affected version of uaclient (any beta of v27) and using
  the `fix` command, the user could be shown a misleading message.
  Specifically, if the users machine has the system reboot required flag
  set, and then they use the `ua fix` command, uaclient will say that a
  reboot is required to complete the fix, even though uaclient didn't
  even have to install anything.

  [Test case]

  The following example will work on xenial, bionic, focal, and groovy.

  To reproduce on hirsute, use USN-4913-2 instead of USN-4898-1, and use
  node-underscore instead of curl in the instructions below.

  To reproduce:

  1. Launch a container: using focal here as an example
      lxc launch ubuntu-daily:focal dev-f

  2. Add the uaclient staging ppa: https://launchpad.net/~ua-client/+archive/ubuntu/staging
      add-apt-repository ppa:ua-client/staging
      apt-get update

  3. Install version 27 beta 3
      apt install ubuntu-advantage-tools=27.0~20.04.1~beta3

  4. Make sure you have the latest version of curl installed
      apt install curl

  5. Touch the reboot-required file
      sudo touch /var/run/reboot-required

  6. Attempt to fix https://ubuntu.com/security/notices/USN-4898-1
      ua fix USN-4898-1

  7. See a message like this

  USN-4898-1: curl vulnerabilities
  Found CVEs:
  https://ubuntu.com/security/CVE-2021-22890
  https://ubuntu.com/security/CVE-2021-22876
  1 affected package is installed: curl
  (1/1) curl:
  A fix is available in Ubuntu standard updates.
  The update is already installed.
  A reboot is required to complete fix operation.
  ✘ USN-4898-1 is not resolved.

  To see the fixed version:

  1. Launch a container: using focal here as an example
      lxc launch ubuntu-daily:focal dev-f

  2. Add this ppa that contains the unreleased fix for this bug: https://launchpad.net/~orndorffgrant/+archive/ubuntu/uaclient-staging-27
      add-apt-repository ppa:orndorffgrant/uaclient-staging-27
      apt-get update

  3. Install version 27
      apt install ubuntu-advantage-tools

  4. Make sure you have the latest version of curl installed
      apt install curl

  5. Touch the reboot-required file
      sudo touch /var/run/reboot-required

  6. Attempt to fix https://ubuntu.com/security/notices/USN-4898-1
      ua fix USN-4898-1

  7. See a message like this

  USN-4898-1: curl vulnerabilities
  Found CVEs:
  https://ubuntu.com/security/CVE-2021-22890
  https://ubuntu.com/security/CVE-2021-22876
  1 affected package is installed: curl
  (1/1) curl:
  A fix is available in Ubuntu standard updates.
  The update is already installed.
  ✔ USN-4898-1 is resolved.

  [Where problems could occur]

  The logic of when to show the reboot required message is still based
  on the system /var/run/reboot-required flag, and this fix adds
  additional complexity to our messaging logic after fixing a cve/usn.

  If this new logic isn't quite right, it may result in uaclient still
  saying that a reboot is required to complete a fix even when it isn't
  (for some other situation not in this bug).

  Or from the opposite direction: if the logic is wrong, it could result
  in uaclient failing to tell the user that a reboot is required to
  complete a fix, even when it is.

  More generally, the changeset is large and carries the risk of other
  unexpected issues. Any unexpected issues would be limited to uaclient
  behavior though.

  [Discussion]

  This bug doesn't actually exist outside of the v27 betas in the ua-
  client/staging ppa. The number of users affected by this bug is very
  low and almost entirely limited to those who were deliberately testing
  the v27 betas. Because of this, the risk associated with fixing this
  bug is predicted to be very low.

  [Original Report]

  root@malefic:~# ua fix CVE-2021-3410
  CVE-2021-3410: libcaca vulnerability
  https://ubuntu.com/security/CVE-2021-3410
  1 affected package is installed: libcaca
  (1/1) libcaca:
  A fix is available in Ubuntu standard updates.
  The update is already installed.
  A reboot is required to complete fix operation.
  ✘ CVE-2021-3410 is not resolved.
  root@malefic:~#

  The line 'A reboot is required to complete fix operation.' may be
  partially true (i.e. a reboot is needed) for other reasons, but is not
  accurate in the context of this CVE.  Both 'checkrestart' and
  'needrestart' confirm that no running process is using the caca
  library.  Looking at the code, it looks like it's looking at a global
  'needs reboot' flag, unrelated to the specific fix operation.  I'd
  argue that a) it shouldn't say 'to complete fix operation' and b) it
  shouldn't claim 'CVE-2021-3410 is not resolved'.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1926183/+subscriptions