group.of.nepali.translators team mailing list archive
Message #45127
[Bug 2012642] Re: apt_pkg configuration leaks in get_pkg_candidate_version
This bug was fixed in the package ubuntu-advantage-tools - 27.14.4~20.04
---------------
ubuntu-advantage-tools (27.14.4~20.04) focal; urgency=medium
* Backport new upstream release: (LP: #2011477) to focal
ubuntu-advantage-tools (27.14.4) lunar; urgency=medium
* timer: disable update_contract_info job (LP: #2015302)
* livepatch: prevent livepatch from auto-enabling and subsequently failing
on non-amd64 systems (LP: #2015241)
ubuntu-advantage-tools (27.14.3) lunar; urgency=medium
* livepatch: prevent livepatch from auto-enabling and subsequently failing
on interim releases (LP: #2013409)
ubuntu-advantage-tools (27.14.2~23.04.1) lunar; urgency=medium
* status:
- always use dpkg instead of lscpu for fetching architecture
information (LP: #2012735)
ubuntu-advantage-tools (27.14.1~23.04.1) lunar; urgency=medium
* New upstream release 27.14.1
- apt: fix a configuration leak in the apt.get_pkg_candidate_version
function (LP: #2012642)
ubuntu-advantage-tools (27.14~23.04.1) lunar; urgency=medium
* d/ubuntu-advantage-tools.{postinst,postrm,preinst}:
- migrate certain settings out of uaclient.conf to a new file managed by
the pro config subcommand (LP: #2004280)
* d/ubuntu-advantage-tools.postinst:
- refactor PREVIOUS_PKG_VER as a global variable
- simplify how we add notices
* New upstream release 27.14 (LP: #2011477)
- api: new u.unattended_upgrades.status.v1 endpoint for querying status of
unattended upgrades
- apt:
+ remove legacy apt-hook
+ deliver json apt-hook for interim releases
+ fix cloud identification logic in json apt-hook
+ make all calls to esm-cache isolated from system configuration
(LP: #2008280)
+ only set up the esm cache on supported systems (LP: #2004018)
- fix:
+ format the output to be more readable (LP: #1926182)
+ add option to attach during a fix without a token
+ verify if fixed version can be installed before trying (LP: #2006705)
- livepatch: show warning if current kernel is not supported
- locks: alert user about corrupted lock files (LP: #1996931)
- logging: logs are now formatted as jsonlines
- motd: remove esm-apps announcement
- notices: new representation on disk as separate files (LP: #1987738)
- realtime: remove ubuntu-realtime package on disablement
- status:
+ removed contract info update check network call
+ no longer includes warnings about notices when non-root (LP: #2006138)
+ unattached status sends virt type to contract server for better
resource availability calculation
- timer jobs: add daily job to check for contract updates
- yaml: always import distro-provided pyyaml (LP: #2007234, LP: #2007241)
-- Renan Rodrigo <renanrodrigo@xxxxxxxxxxxxx> Thu, 06 Apr 2023 10:48:25 -0300
** Changed in: ubuntu-advantage-tools (Ubuntu Jammy)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/2012642
Title:
apt_pkg configuration leaks in get_pkg_candidate_version
Status in ubuntu-advantage-tools package in Ubuntu:
Fix Released
Status in ubuntu-advantage-tools source package in Xenial:
Fix Released
Status in ubuntu-advantage-tools source package in Bionic:
Fix Released
Status in ubuntu-advantage-tools source package in Focal:
Fix Released
Status in ubuntu-advantage-tools source package in Jammy:
Fix Released
Status in ubuntu-advantage-tools source package in Kinetic:
Fix Released
Bug description:
[Impact]
Users who import and run the uaclient.apt.get_pkg_candidate_version function will have their apt_pkg configuration left pointed at the ubuntu-advantage-tools managed esm cache for the remainder of that same process.
The fix is to use the same context manager used for security-status,
which guarantees that the configuration is the same before and after
u-a-t accesses any of the Caches.
[Test Case]
- On any release, in a Python interpreter:
```python
import apt
from uaclient.apt import get_pkg_candidate_version

# Size of the system cache before u-a-t touches apt_pkg configuration
print(len(apt.Cache()))
v = get_pkg_candidate_version('vim')  # arbitrary choice, may be any package
# Size of the system cache afterwards; a leaked configuration would point
# apt.Cache() at the esm cache instead and change this number
print(len(apt.Cache()))
```
The size of the Cache should match, before and after the function call.
On u-a-t 27.14, this fails.
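The leak and the save-and-restore fix side by side, as an added illustration that is not code from ubuntu-advantage-tools: apt_pkg.config is a process-global object, so a stand-in with the same get/set shape is constructed here so the example runs offline, and the esm cache paths are placeholders, not the real ones.

```python
import contextlib


class FakeAptConfig:
    """Constructed stand-in for the process-global apt_pkg.config."""

    def __init__(self):
        self._values = {"Dir::Cache": "/var/cache/apt",
                        "Dir::State::Lists": "/var/lib/apt/lists"}

    def get(self, key, default=""):
        return self._values.get(key, default)

    def set(self, key, value):
        self._values[key] = value

    def snapshot(self):
        return dict(self._values)


config = FakeAptConfig()  # plays the role of apt_pkg.config
ESM_KEYS = ("Dir::Cache", "Dir::State::Lists")


def point_config_at_esm_cache():
    # Redirect the global config so a private apt.Cache reads the esm cache
    # (placeholder paths, constructed for this example).
    config.set("Dir::Cache", "/example/esm-cache/var/cache/apt")
    config.set("Dir::State::Lists", "/example/esm-cache/var/lib/apt/lists")


def leaky_candidate_version(pkg):
    point_config_at_esm_cache()
    return "1.0-esm"  # pretend lookup; redirected config is never restored


@contextlib.contextmanager
def preserve_apt_cfg(keys=ESM_KEYS):
    """Save the listed keys on entry and restore them on exit, even on error."""
    saved = {k: config.get(k) for k in keys}
    try:
        yield
    finally:
        for k, v in saved.items():
            config.set(k, v)


def fixed_candidate_version(pkg):
    with preserve_apt_cfg():
        point_config_at_esm_cache()
        return "1.0-esm"


def config_unchanged_by(func, pkg="vim"):
    """Mirror of the bug's test case: compare global config before and after."""
    before = config.snapshot()
    func(pkg)
    return config.snapshot() == before
```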
[Regression Potential]
If we fix this the wrong way, people may still get their apt_pkg config in a state they wouldn't expect for the specific Python process they are running. This would be the same as not fixing it. Our test aims to mitigate the possibility of such a thing happening.
[Discussion]
There is a really small chance of this bug happening, given that no user flow calls this function directly, and process isolation takes care of the rest. However, given the specificities of the apt and apt_pkg integration in u-a-t, it is important to fix this and cover any corner case.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/2012642/+subscriptions