[Bug 979426] Re: persistent MitM can truncate list of files passed as script command line arguments

Steve Langasek steve.langasek at canonical.com
Fri Apr 13 02:51:11 UTC 2012


** Changed in: update-notifier (Ubuntu)
   Importance: Undecided => Medium

** Changed in: update-notifier (Ubuntu)
       Status: New => Fix Committed

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to update-notifier in Ubuntu.
https://bugs.launchpad.net/bugs/979426

Title:
  persistent MitM can truncate list of files passed as script command
  line arguments

Status in “update-notifier” package in Ubuntu:
  Fix Committed

Bug description:
  This is a currently useless vulnerability from what I can see, but if
  someone is able to MitM an Ubuntu system for 3 days when running
  /usr/lib/update-notifier/package-data-downloader, it will be possible
  to remove files from the "script" command line:

  def record_failure(hook):
      """Record that the named hook has failed"""
      if hook_aged_out(hook):
          permanent_failures.append(hook)
      else:
          failures.append(hook)

  ...

          for i in range(len(files)):
              print files[i]
              dest_file = urllib.urlretrieve(files[i])[0]
              output = subprocess.check_output(["sha256sum", dest_file])
              output = output.split(' ')[0]
              if output == sums[i]:
                  command.append(dest_file)
              else:
                  record_failure(relfile)
                  break
          if relfile in failures:
              break

          result = subprocess.call(command)

  
  If a file fails sha256 sums for 3 days, it will trigger "hook_aged_out", which means it will _not_ be added to the "failures" global, so the "if relfile in failures" test will fail, allowing the command to execute with only the subset of non-failed files, which does not seem to be the intended behavior.

  Currently both users of this feature (flashplugin-installer, ttf-
  mscorefonts-installer) seem to fail gracefully when lacking expected
  command line arguments. Regardless, this code should be fixed before
  more users come along and depend on the order of files, etc.

  Additionally it would be nice if sys.stdout.flush() was called before
  subprocess runs so that my cron email makes sense instead of freaking
  me out as badly next time:

  /etc/cron.daily/update-notifier-common:
  Installing from local file /tmp/tmp_Vt6St.gz
  Flash Plugin installed.
  http://archive.canonical.com/pool/partner/a/adobe-flashplugin/adobe-flashplugin_11.2.202.228.orig.tar.gz

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/update-notifier/+bug/979426/+subscriptions
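The control flow the report describes can be reproduced offline. The following is an added simulation, not code from update-notifier: it keeps the reported structure (per-file checksum check, a record_failure() that routes aged-out hooks to permanent_failures, and an `if relfile in failures` guard) and adds the missing guard on permanent_failures for comparison. The function names run_hook and mitm_scenario, the hook name, the script path, the example.invalid URLs and the payload bytes are all constructed for the demonstration; `fetch` stands in for urlretrieve plus sha256sum, and `aged_out` stands in for the value hook_aged_out() would return.

```python
import hashlib
from typing import Callable, List, Optional


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the payload, replacing the `sha256sum` subprocess call."""
    return hashlib.sha256(data).hexdigest()


def run_hook(relfile: str, script: str, files: List[str], sums: List[str],
             fetch: Callable[[str], bytes], aged_out: bool,
             fixed: bool) -> Optional[List[str]]:
    """Return the argv the downloader would exec for this hook, or None if it
    is (correctly) skipped.

    fetch:    URL -> bytes; stands in for urllib.urlretrieve (hypothetical,
              lets a test inject a tampered download).
    aged_out: what hook_aged_out(relfile) would return; the report says this
              becomes True after ~3 days of failures.
    fixed:    also honour permanent_failures when deciding whether to run.
    """
    failures: List[str] = []
    permanent_failures: List[str] = []

    def record_failure(hook: str) -> None:
        # Same routing as the reported code: once the hook has aged out, the
        # failure lands in permanent_failures and NOT in failures.
        if aged_out:
            permanent_failures.append(hook)
        else:
            failures.append(hook)

    command = [script]
    for url, expected in zip(files, sums):
        if sha256_hex(fetch(url)) == expected:
            command.append(url)  # the real script appends the temp file path
        else:
            record_failure(relfile)
            break  # stop at the first bad file, leaving a partial command

    # Guard from the report: only a transient failure stops the hook.
    if relfile in failures:
        return None
    # Added guard: a hook that has just failed permanently must not run either.
    if fixed and relfile in permanent_failures:
        return None
    return command


def mitm_scenario(fixed: bool, aged_out: bool) -> Optional[List[str]]:
    """Constructed scenario: two payload files, the attacker tampers with the
    second one on every download, so its checksum never matches."""
    genuine = {
        "http://example.invalid/a.tar.gz": b"payload A",
        "http://example.invalid/b.tar.gz": b"payload B",
    }
    files = list(genuine)
    sums = [sha256_hex(genuine[u]) for u in files]

    def mitm_fetch(url: str) -> bytes:
        return b"tampered B" if url.endswith("b.tar.gz") else genuine[url]

    return run_hook("example-installer.hook", "/usr/bin/example-installer",
                    files, sums, mitm_fetch, aged_out, fixed)


if __name__ == "__main__":
    for fixed in (False, True):
        for aged_out in (False, True):
            print("fixed=%-5s aged_out=%-5s -> %s"
                  % (fixed, aged_out, mitm_scenario(fixed, aged_out)))
```

With the reported guard only, the first two days behave as intended (the hook is skipped), but once the hook has aged out the script is invoked with just the untampered first file on its command line. The added check on permanent_failures skips the hook in both cases; the real script should additionally flush stdout before the subprocess.call, as the report suggests, so the log output is ordered.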