group.of.nepali.translators team mailing list archive
-
group.of.nepali.translators team
-
Mailing list archive
-
Message #46231
[Bug 2024204] Re: Hardcoded path in /tmp written to by root
This bug was fixed in the package ubuntu-advantage-tools - 30~22.04
---------------
ubuntu-advantage-tools (30~22.04) jammy; urgency=medium
* Backport new upstream release to jammy (LP: #2038461)
ubuntu-advantage-tools (30) noble; urgency=medium
* d/control:
- add python3-apt as a build dependency
- add the new ubuntu-pro-client-l10n binary package
- recommend installing ubuntu-pro-client-l10n
* d/po/*:
- Makefile to build localization files to debian/po/usr/share/locale/
- update POTFILES.in to cover all translatable messages
- remove old unused pot file
- add new complete pot file for "ubuntu-pro" domain
- add first Brazilian Portuguese translations
* d/rules:
- add step to build the translations
* d/tests/control:
- mark autopkgtests as superficial (GH: #2609)
* d/ubuntu-advantage-tools.maintscript:
- remove /etc/ubuntu-advantage/help_data.yaml
* d/ubuntu-pro-client-l10n.install:
- add install file for the new binary package
* New upstream release 30 (LP: #2038461)
- api:
+ add new backwards compatible plan steps to the v1 fix plan endpoints
+ improve information returned from the fix plan endpoints
+ new endpoint: u.pro.security.fix.cve.execute.v1
+ new endpoint: u.pro.security.fix.usn.execute.v1
- apt: improve performance and consistency by refactoring the code to use
the apt_pkg module
- auto-attach: add newline to the MOTD message to separate it from other
MOTD messages
- contract: send information about variants to the contracts server
- enable: update only service specific apt sources when enabling a service
(GH: #1311) (GH: #1482)
- esm: create static files to pin packages from esm-infra and esm-apps with
higher priority (GH: #2580)
- disable:
+ (experimental) add the --purge flag to the disable command, so users
can remove all service related packages when disabling a service
+ show extra warnings when kernels are involved in the purge operation
- files: Reduce race window when creating new files (LP: #2024204)
- fips: add support to Jammy to prepare for when it is available
- fips-preview:
+ add fips-preview as a new entitlement
- github: add issue templates (GH: #2646)
- internationalization:
+ add general internationalization support and templates
+ add initial sentence set for Brazilian Portuguese
- logging:
+ add journald logging for the daemon and systemd timer
+ remove daemon and timer log files
+ standardize the logging calls through the codebase (GH: #2632)
- systemd: change ubuntu-advantage.service type from 'notify' to 'simple',
dropping the dependency on python3-systemd (LP: #2038417) (GH: #2692)
- tests:
+ add scenarios where cloud-init is present but disabled (LP: #1938208)
+ change 'permission' to 'priority' when checking apt priority in tests
(GH: #2719)
-- Renan Rodrigo <renanrodrigo@xxxxxxxxxxxxx> Tue, 07 Nov 2023
16:23:42 +0200
** Changed in: ubuntu-advantage-tools (Ubuntu Focal)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/2024204
Title:
Hardcoded path in /tmp written to by root
Status in ubuntu-advantage-tools package in Ubuntu:
Fix Released
Status in ubuntu-advantage-tools source package in Xenial:
Fix Committed
Status in ubuntu-advantage-tools source package in Bionic:
Fix Released
Status in ubuntu-advantage-tools source package in Focal:
Fix Released
Status in ubuntu-advantage-tools source package in Jammy:
Fix Released
Status in ubuntu-advantage-tools source package in Lunar:
Fix Released
Status in ubuntu-advantage-tools source package in Mantic:
Fix Released
Bug description:
[ Impact ]
Several race conditions were found in the u-a-t code, some where a
file was being written in a hardcoded path in /tmp. This could leave
way for attackers to insert malicious code in the client.
[ Test Plan ]
Functionality-wise, writing files is tested in the unit and
integrations tests for ubuntu-advantage-tools, and should be covered
in the verification of
https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-
tools/+bug/2038461
As for this specific bug, one can verify that the /tmp path does not
exist anymore, and check the change in the code to see how the race
condition was addressed.
[ Where problems could occur ]
The race conditions were addressed with try-except blocks in python,
so it is low risk as any exploit would be against python itself. The
other problematic parts of the code is removed/moved and functionality
is covered by tests, so no problem there.
The risk we considered is that other flaws may be present and we may
have not catched those as part of the discussions here. To mitigate
that, we keep our tests up-to-date and try to improve code quality in
each and every PR.
[ Original Description ]
I'm basing this report on src:ubuntu-advantage-tools 27.14.4 in Lunar.
In uaclient/livepatch.py, state_files.livepatch_support_cache.write()
via uaclient/files/state_files.py [livepatch_support_cache =
DataObjectFile(directory=defaults.UAC_TMP_PATH)] via
uaclients/defaults.py [UAC_TMP_PATH = "/tmp/ubuntu-advantage/"] writes
to /tmp/ubuntu-advantage at a predictable path. It does rename the
file in safely. An attacker could use a symlink attack to cause that
to happen somewhere else though, I think? I don't see a clear path to
a serious vulnerability, but I think it probably deserves a deeper
look.
This code is going away in an upcoming update to this package. I
noticed it while reviewing this code being removed. But depending on
its actual severity it might be worth a USN, so I'm flagging it here.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/2024204/+subscriptions
