[Bug 1029021] Re: python implementation of apt-clone should remove usernames and passwords

Brian Murray brian at ubuntu.com
Wed Jul 25 17:29:29 UTC 2012


This is the python script that utilizes apt clone and creates system
state files in /tmp for testing the SRU.

** Attachment added: "save-state.py"
   https://bugs.launchpad.net/ubuntu/+source/apt-clone/+bug/1029021/+attachment/3235728/+files/save-state.py

** Also affects: apt-clone (Ubuntu Precise)
   Importance: Undecided
       Status: New

** Changed in: apt-clone (Ubuntu)
       Status: New => Fix Released

** Changed in: apt-clone (Ubuntu)
   Importance: Undecided => Medium

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to apt-clone in Ubuntu.
https://bugs.launchpad.net/bugs/1029021

Title:
  python implementation of apt-clone should remove usernames and
  passwords

Status in “apt-clone” package in Ubuntu:
  Fix Released
Status in “apt-clone” source package in Precise:
  In Progress

Bug description:
  As discovered in CVE-2012-0949 and CVE-2012-0950 update-manager was
  attaching usernames and passwords for apt sources entries in the
  system state information.  update-manager utilizes the python
  implementation of apt-clone to add information about the system state.
  The save state function of AptClone should have an option to remove
  usernames and passwords so that update-manager can include this
  essential information again.

  [Impact]
  It can be challenging to debug distribution upgrade bug reports without information regarding apt's state on the system trying to be upgraded.  apt-clone can provide useful information to facilitate debugging these bugs so we should include it.  While this is fixed in Quantal already we want to be able to help people upgrading to Quantal so should include this fix in Precise.

  [Test Case]
  1) Create a file /etc/apt/sources.list.d/my-ppa.list with a line like so:
  'deb http://bdmurray:g000dpassw0rd@ppa.launchpad.net/bdmurray/hda/ubuntu precise main'
  2) execute save-state.py attached to this bug report
  3) You'll have two files in /tmp/ unscrubbed-apt-clone_system_state.tar.gz and scrubbed-apt-clone_system_state.tar.gz
  With the version of apt-clone in precise the contents of both tar.gz's will be the same and you'll see your username and password in them.
  With the version of apt-clone from precise-proposed the content of tar.gz's will be different and in the scrubbed-apt-clone you will not see the username and password instead they will be replaced with USERNAME:PASSWORD.

  [Regression Potential]
  None with apt-clone itself as scrub_sources defaults to False.  The possibility for a regression exists with the update to update-manager.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt-clone/+bug/1029021/+subscriptions
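The scrubbing behaviour the test case describes (credentials embedded in an apt source URI replaced with USERNAME:PASSWORD), as an added Python example that is not apt-clone's own code and not part of the original message. The function names `scrub_sources_line`, `scrub_sources` and `find_credentials`, the regular expression, and the sample sources lines are constructed for this illustration. It goes slightly beyond the page in two ways: a URI carrying only a username (no password) is reduced to USERNAME@, and `find_credentials` is the check a tester would run over the unpacked archive contents to confirm no credentials survived.

```python
import re

# Constructed for this example: matches the userinfo part of a URI,
# scheme://user[:password]@host, where the password is everything up to
# the last '@' before the host so that an '@' inside a password is kept
# together. apt-clone's real implementation may differ.
_USERINFO_RE = re.compile(
    r"(?P<scheme>[A-Za-z][A-Za-z0-9+.-]*://)"
    r"(?P<user>[^:/@\s]+)"
    r"(?::(?P<password>[^/\s]*))?@"
)


def scrub_sources_line(line):
    """Replace embedded credentials in one sources.list line.

    Commented-out entries are scrubbed as well: a '# deb http://u:p@...'
    line would leak the secret just as readily as a live one.
    """
    def _replace(match):
        if match.group("password") is None:
            return match.group("scheme") + "USERNAME@"
        return match.group("scheme") + "USERNAME:PASSWORD@"

    return _USERINFO_RE.sub(_replace, line)


def scrub_sources(text):
    """Scrub every line of a sources.list-style file, preserving layout."""
    return "\n".join(scrub_sources_line(line) for line in text.split("\n"))


def find_credentials(text):
    """Return (user, password) pairs still present in text.

    This is the verification step from the test case: run it over the
    contents of the scrubbed archive and expect an empty list. The
    placeholder values written by the scrubber are not reported.
    """
    found = []
    for match in _USERINFO_RE.finditer(text):
        user, password = match.group("user"), match.group("password")
        if user == "USERNAME" and password in (None, "PASSWORD"):
            continue
        found.append((user, password))
    return found


# Constructed sample input; the PPA line mirrors the one in the test case.
SAMPLE = """deb http://archive.ubuntu.com/ubuntu precise main
# private PPA with credentials in the URI
deb http://bdmurray:g000dpassw0rd@ppa.launchpad.net/bdmurray/hda/ubuntu precise main
deb-src https://builduser@private.example.invalid/repo precise main
"""

if __name__ == "__main__":
    print("before scrubbing:", find_credentials(SAMPLE))
    scrubbed = scrub_sources(SAMPLE)
    print(scrubbed)
    print("after scrubbing:", find_credentials(scrubbed))
```

Lines without a userinfo component, such as `http://host:8080/path`, are left untouched because the pattern requires the `@` separator before the host; the `find_credentials` result on the scrubbed text is what the test case's "you will not see the username and password" step amounts to.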