
touch-packages team mailing list archive

[Bug 1007791] Re: Security issue in PackageKit


Lucid has seen the end of its life and is no longer receiving any
updates. Marking the Lucid task for this ticket as "Won't Fix".

** Changed in: packagekit (Ubuntu Lucid)
       Status: Triaged => Won't Fix

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to packagekit in Ubuntu.
https://bugs.launchpad.net/bugs/1007791

Title:
  Security issue in PackageKit

Status in packagekit package in Ubuntu:
  Fix Released
Status in packagekit source package in Lucid:
  Won't Fix
Status in packagekit source package in Natty:
  Won't Fix
Status in packagekit source package in Oneiric:
  Won't Fix
Status in packagekit source package in Precise:
  Triaged
Status in packagekit source package in Quantal:
  Fix Released
Status in packagekit package in Debian:
  Fix Released

Bug description:
  Hi!
  The Aptcc backend in PackageKit saves the changelog to a predictable location in /tmp. As packagekitd is running as root, bad people could just add a symlink named like the file in /tmp (e.g. to /etc/shadow) to screw up the system.
  I fixed this in Debian already, you might want to take the patch (02_aptcc-changelog-random-dir.patch) from there and apply it to Precise, if possible.
  For Quantal, please merge/sync packagekit 0.7.4-4 from Debian Sid, which contains the patch and some other improvements.
  Cheers,
     Matthias

  UPDATE: The same also applies for our Debconf handling. While the changelog-issue is fixed, this issue is still valid for debconf sockets.
  I therefore reopened this bug on Quantal and linked the Debian issue, which will be fixed soon.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/packagekit/+bug/1007791/+subscriptions
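Added example, not PackageKit's code and not the Debian patch referenced above: a hardened way to write a file like the changelog from a root daemon, using a private mkdtemp() directory and O_EXCL|O_NOFOLLOW so that a symlink planted at a guessable /tmp name is refused instead of followed. Assumes a POSIX system; the "packagekit-" directory prefix and "changelog" file name are constructed for the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Create a file that must not already exist in any form.  The pattern the
 * report describes, fopen("/tmp/<fixed-name>", "w") as root, follows whatever
 * that name currently points to.  O_EXCL makes open() fail with EEXIST even
 * when the name is a symlink, and O_NOFOLLOW refuses symlinks regardless.
 * Returns a descriptor or -1 with errno set. */
int create_private_file(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Hardened changelog writer: mkdtemp() atomically creates a fresh mode-0700
 * directory with an unpredictable name, so nothing can be pre-planted under
 * it, and the file inside is created with create_private_file().  On success
 * the file path is written to out_path and 0 is returned; -1 otherwise.
 * The "packagekit-" prefix and "changelog" name are constructed here. */
int safe_write_changelog(const char *text, char *out_path, size_t out_len)
{
    const char *base = getenv("TMPDIR");
    char dir[PATH_MAX];
    if (!base || !*base)
        base = "/tmp";
    if (snprintf(dir, sizeof dir, "%s/packagekit-XXXXXX", base) >= (int)sizeof dir)
        return -1;
    if (!mkdtemp(dir))
        return -1;
    if (snprintf(out_path, out_len, "%s/changelog", dir) >= (int)out_len) {
        rmdir(dir);
        return -1;
    }
    int fd = create_private_file(out_path);
    if (fd < 0) {
        rmdir(dir);
        return -1;
    }
    size_t len = strlen(text);
    ssize_t n = write(fd, text, len);
    close(fd);
    return n == (ssize_t)len ? 0 : -1;
}
```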