[Bug 933225] Re: DistUpgradeViewKDE broken since last security update

Thu Feb 16 18:37:52 UTC 2012

This bug was fixed in the package update-manager - 1:0.87.33

---------------
update-manager (1:0.87.33) hardy-security; urgency=low

  * REGRESSION FIX:
    - DistUpgrade/DistUpgradeViewKDE.py: fix regression caused by improper
      return value handling. (LP: #933225)
 -- Marc Deslauriers <marc.deslauriers at ubuntu.com>   Thu, 16 Feb 2012 08:30:21 -0500

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to update-manager in Ubuntu.
https://bugs.launchpad.net/bugs/933225

Title:
  DistUpgradeViewKDE broken since last security update

Status in “update-manager” package in Ubuntu:
  Triaged
Status in “update-manager” source package in Lucid:
  Fix Released
Status in “update-manager” source package in Maverick:
  Fix Released
Status in “update-manager” source package in Natty:
  Fix Released
Status in “update-manager” source package in Oneiric:
  Fix Released
Status in “update-manager” source package in Precise:
  Triaged
Status in “update-manager” source package in Hardy:
  Fix Released

Bug description:
          copyXauth = tempfile.mkstemp("", "adept")
          if 'XAUTHORITY' in os.environ and os.environ['XAUTHORITY'] != copyXauth:
              shutil.copy(os.environ['XAUTHORITY'], copyXauth)
              os.environ["XAUTHORITY"] = copyXauth

  <apachelogger> can't load DistUpgradeViewKDE (coercing to Unicode: need string or buffer, tuple found)
  <apachelogger> bug 881541
  <ubottu> Launchpad bug 881541 in update-manager (Ubuntu) "DistUpgrade/DistUpgradeViewKDE.py uses mktemp -- which is insecure" [Medium,Fix released] https://launchpad.net/bugs/881541
  <apachelogger> http://docs.python.org/library/tempfile.html
  <apachelogger> mkstemp() returns a tuple containing an OS-level handle to an open file (as would be returned by os.open()) and the absolute pathname of that file, in that order.
  <apachelogger>             shutil.copy(os.environ['XAUTHORITY'], copyXauth)
  <apachelogger> I am the touple in your string <3

  	    print os.environ['XAUTHORITY'] => /tmp/kde-me/xauth-1000-_0
  	    print copyXauth => (13, '/tmp/adeptTXo9jf')

  Also: http://docs.python.org/library/shutil.html
  shutil.copy(src, dst)
  Copy the file src to the file or directory dst. If dst is a directory, a file with the same basename as src is created (or overwritten) in the directory specified. Permission bits are copied. src and dst are path names given as strings.

  Thank you for not reading documentation, no testing and getting me to
  waste time on this!

  I really heart this.... <3 broken software... see.

  "The guy who broke my upgrader now has to fix it and send me cookies"
  ~ Oscar Wild

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/update-manager/+bug/933225/+subscriptions