[Bug 781132] Re: corrupted /var/lib/apt/lists
Jamie Strandboge
jamie at ubuntu.com
Fri Jun 3 16:29:15 UTC 2011
Thank you for using Ubuntu and reporting a bug. Based on the information you have provided, aptitude is correctly erroring out on the 'malformed' files, and should not be executing any code as a result. It is theoretically possible for a malicious server to serve improper files, but the signatures would not match. It might be possible to replay valid old files to prevent you from updating, but this is rather convoluted, is an old issue and fixed in Ubuntu (bug #247445). Replay attacks against security mirrors are also discussed here:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=499897
** Bug watch added: Debian Bug tracker #499897
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=499897
** Changed in: aptitude (Ubuntu)
Status: New => Invalid
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to aptitude in Ubuntu.
https://bugs.launchpad.net/bugs/781132
Title:
corrupted /var/lib/apt/lists
Status in “aptitude” package in Ubuntu:
Invalid
Bug description:
Binary package hint: aptitude
I was connected to a hotel WiFi system that requires you to register
on a web page to get access. My access had expired, and I ran
"aptitude update" and aptitude happily sucked in the hotel's page that
explains how to register for access, instead of the desired page
describing packages. This page ended up in
/var/lib/apt/lists/security.ubuntu.com_ubuntu_dists_natty-security_main_i18n_Translation-en
and other places.
As a result, you get error messages, but it seems likely this could
enable attacks on the system, if the web page were designed to be
evil, instead of a WiFi registration page.
Here's a sample error from aptitude search:
E: Encountered a section with no Package: header
E: Problem with MergeList /var/lib/apt/lists/security.ubuntu.com_ubuntu_dists_natty-security_main_binary-amd64_Packages
E: The package lists or status file could not be parsed or opened.
I attach one of the corrupted files
(...security.ubuntu.com_ubuntu_dists_natty-security_main_binary-amd64_Packages).
$ lsb_release -rd
Description: Ubuntu 11.04
Release: 11.04
gpk at nglap:~/notconnected$
$ apt-cache policy aptitude
E: Encountered a section with no Package: header
E: Problem with MergeList /var/lib/apt/lists/security.ubuntu.com_ubuntu_dists_natty-security_main_i18n_Translation-en
E: The package lists or status file could not be parsed or opened.
gpk at nglap:~/notconnected$
The system was up to date as of 7 May 2011.
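
Added example, not part of the original message or of apt/aptitude: a small checker that finds index files in a lists directory that hold an HTML page (as in the captive-portal case reported above) or a stanza with no Package: field, the condition behind the "Encountered a section with no Package: header" error. The function names and sample contents are constructed for illustration.

```python
import os
import re
import tempfile

# An HTML/XML document where a Debian control file was expected.
HTML_START = re.compile(rb"\s*<(!doctype|html|head|body|\?xml)", re.I)
# A control-file field line: name of printable ASCII (no space or colon), then a colon.
FIELD = re.compile(rb"[!-9;-~]+:")


def classify_index(data: bytes) -> str:
    """Return 'html', 'malformed' or 'ok' for the contents of one index file."""
    if HTML_START.match(data):
        return "html"
    for stanza in re.split(rb"\n[ \t]*\n", data.strip()):
        lines = stanza.splitlines()
        for line in lines:
            # Lines starting with whitespace continue the previous field.
            if line[:1] not in (b" ", b"\t") and not FIELD.match(line):
                return "malformed"
        # Same condition apt reports as "section with no Package: header".
        if lines and not any(ln.lower().startswith(b"package:") for ln in lines):
            return "malformed"
    return "ok"


def scan_lists(directory: str) -> dict:
    """Classify each *_Packages and *_i18n_Translation-* file in a lists directory."""
    results = {}
    for name in sorted(os.listdir(directory)):
        if name.endswith("_Packages") or "_i18n_Translation-" in name:
            with open(os.path.join(directory, name), "rb") as fh:
                results[name] = classify_index(fh.read())
    return results


# Constructed sample contents (not taken from the file attached to the bug).
GOOD = b"Package: aptitude\nVersion: 0.0-constructed\nDescription: sample\n more text\n"
PORTAL = b"<html><head><title>Register</title></head><body>Sign in</body></html>\n"

if __name__ == "__main__":
    prefix = "security.ubuntu.com_ubuntu_dists_natty-security_main_"
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in ((prefix + "binary-amd64_Packages", PORTAL),
                           (prefix + "i18n_Translation-en", GOOD)):
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(body)
        for name, verdict in scan_lists(tmp).items():
            print(verdict, name)
```

Calling scan_lists("/var/lib/apt/lists") on an affected machine lists which downloaded index files were replaced by a portal page.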