touch-packages team mailing list archive

[Bug 1406268] Re: apt does not validate lists received from the network.

 

** Information type changed from Public to Public Security

** Changed in: apt (Ubuntu)
   Importance: Undecided => High

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/1406268

Title:
  apt does not validate lists received from the network.

Status in apt package in Ubuntu:
  Confirmed

Bug description:
  When loading update manager on my laptop, I noticed that it silently
  stopped and would not load or check for updates.

  Upon investigation I discovered the following error:-
  #apt-get update
  .
  .
  .
  Reading package lists... Error!
  E: Encountered a section with no Package: header
  E: Problem with MergeList /var/lib/apt/lists/extras.ubuntu.com_ubuntu_dists_trusty_main_i18n_Translation-en
  E: The package lists or status file could not be parsed or opened.
  #

  
  The cause of this was that, some time ago, it had tried to update while on a network which had some filtering, and the content of a number of files inside the folder "/var/lib/apt/lists" contained a "pay wall" HTML screen. I was, however, no longer connected to the network in question, and the error persisted indefinitely until I manually removed the files which had the suspect content.

  e.g. sudo rm /var/lib/apt/lists/extras.ubuntu.com*

  I see this as a significant security issue, since any user could
  connect to a public wifi point, and accidentally collect corrupted apt
  list data, either before signing on to a pay wall, or if they do not
  sign on, and after this _NO FURTHER UPDATES_ will be performed.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1406268/+subscriptions
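
The condition described in the bug report can be checked for directly: the sketch below is an added example, not part of the report or of apt, and it lists files in an apt lists directory whose first non-blank line is HTML markup rather than index data. The function names, the example.* file names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag files in an apt lists directory that begin like an HTML
# page (such as a captive-portal or "pay wall" response) instead of list data.

# first_line FILE: print the first non-blank line, left-trimmed and lowercased.
first_line() {
    LC_ALL=C sed -n '/[^[:space:]]/{s/^[[:space:]]*//;p;q;}' "$1" |
        LC_ALL=C tr '[:upper:]' '[:lower:]'
}

# looks_like_html FILE: succeed if FILE starts with HTML markup.
looks_like_html() {
    case "$(first_line "$1")" in
        '<!doctype html'*|'<html'*|'<head'*|'<body'*) return 0 ;;
        *) return 1 ;;
    esac
}

# find_html_lists [DIR]: print one suspect path per line (regular files only,
# so the partial/ subdirectory is skipped; an empty lock file never matches).
find_html_lists() {
    dir=${1:-/var/lib/apt/lists}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if looks_like_html "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# make_sample_dir: build a constructed lists directory holding one well-formed
# Translation file and one file containing a portal page; print its path.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    printf 'Package: hello\nDescription-md5: 0123\nDescription-en: constructed\n' \
        > "$d/archive.example_dists_trusty_main_i18n_Translation-en"
    printf '\n<!DOCTYPE html>\n<html><body>Please sign in</body></html>\n' \
        > "$d/extras.example_dists_trusty_main_i18n_Translation-en"
    printf '%s\n' "$d"
}

# Run against the constructed sample; pass /var/lib/apt/lists on a real system.
sample=$(make_sample_dir)
find_html_lists "$sample"
rm -rf "$sample"
```

Files it reports are candidates for the manual removal described in the report, after which `apt-get update` can fetch them again.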