[Bug 1001209] Re: When connected to a network with a catch-all HTTP filter, apt-get update corrupts the package lists

Paul F boxjunk at hotmail.co.uk
Tue Sep 25 14:24:04 UTC 2012 

Still present in 12.04 LTS, Precise running apt 0.8.16

In my case the corrupted package list files in /var/lib/apt/lists are
caused by the router redirecting to an internal help page when it
realises that its internet connection is down. So, when a fetch is
attempted from, say gb.archive.ubuntu.com/ubuntu/dists/precise-
updates/universe/binary-i386/Packages when checking for updates what
comes back is the html source from the router's help page (example
attached -- line 52 contains the requested url).

It would appear that no sanity check is done on the returned data
leaving subsequent parse attempts to choke. The corrupted files remain
and may propagate (???) causing other update failures.

On a security note, it occurs to me that an attacker in control of the
router could return crafted files in place of apt's package lists to
introduce malware as part of the normal automated update process. I
trust checks are in place to prevent this???

** Attachment added: "Example corrupted package list file from /var/lib/apt/lists"
   https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1001209/+attachment/3341765/+files/gb.archive.ubuntu.com_ubuntu_dists_precise-updates_universe_binary-i386_Packages.IndexDiff

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/1001209

Title:
  When connected to a network with a catch-all HTTP filter, apt-get
  update corrupts the package lists

Status in “apt” package in Ubuntu:
  Confirmed

Bug description:
  I need to log on through a webpage before I can access the internet on some networks.
  Before that all HTTP requests are forwarded to a log-on page.

  When apt-get update is being run in the background before this log-on
  has happened, it will corrupt the package lists with this log-on page.
  I need to manually remove multiple files in /var/lib/apt/lists/ then
  before I can rerun apt-get update.

  When apt-get update gets invalid data, it should not corrupt its
  package lists.

  ProblemType: Bug
  DistroRelease: Ubuntu 12.04
  Package: apt 0.8.16~exp12ubuntu10
  Uname: Linux 3.4.0-rc5-drm-intel-test-20120511 x86_64
  ApportVersion: 2.0.1-0ubuntu7
  Architecture: amd64
  Date: Fri May 18 13:33:45 2012
  InstallationMedia: Ubuntu 12.04 LTS "Precise Pangolin" - Alpha amd64 (20120204)
  ProcEnviron:
   LANGUAGE=nl_NL
   TERM=xterm
   PATH=(custom, user)
   LANG=nl_NL.UTF-8
   SHELL=/bin/bash
  SourcePackage: apt
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1001209/+subscriptions

More information about the foundations-bugs mailing list