[Bug 1034834] Re: Captive WiFi portals corrupt package lists

Paul F boxjunk at hotmail.co.uk
Tue Sep 25 14:26:12 UTC 2012


Still present in 12.04 LTS (Precise), running apt 0.8.16.

In my case the corrupted package list files in /var/lib/apt/lists are
caused by the router redirecting to an internal help page when it
realises that its internet connection is down. So, when checking for
updates, a fetch is attempted from, say,
gb.archive.ubuntu.com/ubuntu/dists/precise-updates/universe/binary-i386/Packages,
and what comes back is the HTML source of the router's help page
(example attached; line 52 contains the requested URL).

It would appear that no sanity check is done on the returned data,
leaving subsequent parse attempts to choke. The corrupted files remain
and may propagate (???), causing other update failures.

On a security note, it occurs to me that an attacker in control of the
router could return crafted files in place of apt's package lists to
introduce malware as part of the normal automated update process. I
trust checks are in place to prevent this?

** Attachment added: "Example corrupted package list file from /var/lib/apt/lists"
   https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1034834/+attachment/3341773/+files/gb.archive.ubuntu.com_ubuntu_dists_precise-updates_universe_binary-i386_Packages.IndexDiff

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/1034834

Title:
  Captive WiFi portals corrupt package lists

Status in “apt” package in Ubuntu:
  Confirmed

Bug description:
  I've dealt with several users reporting apt is broken. The cause is
  corrupted package lists in /var/lib/apt/lists/ caused by captive
  portals on WiFi networks that are returning HTTP 200 responses but
  with the content being the captive portal's login page.

  apt doesn't realise the content is invalid (it doesn't check the
  signature) before writing it to the system.

  This affects Precise users with apt 0.8.16.

  It shouldn't affect Quantal's 0.9.7 since that apparently checks the
  gpg signatures.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1034834/+subscriptions
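The two checks the thread asks about, written out as an added example (this is not apt's own code, and all data in it is constructed): a structural check that refuses an HTML body where a Packages index is expected, and the check that actually carries trust, the SHA256 and size of the fetched index compared against the entry in the signed (In)Release file. The sample index, the stand-in captive-portal page and the one-entry Release file are all invented for the example; a real Release file lists every index of the suite, and its gpg signature (not verified here) is what makes the listed hashes authoritative.

```python
"""Sanity-check a fetched apt index before it is written to /var/lib/apt/lists.

Added example, not apt's code. Demonstrates:
  1. a cheap format check: a Packages index is a sequence of control-file
     stanzas, never HTML, so a captive-portal page is rejected early;
  2. the real check: the body's SHA256 and size must match the entry for its
     path in the Release file (whose signature is what makes that entry trusted).
All inputs below are constructed sample data.
"""
import hashlib
import re

# Constructed sample of what the mirror should return for .../binary-i386/Packages
GOOD_PACKAGES = b"""Package: hello
Version: 2.7-2
Architecture: i386
Filename: pool/main/h/hello/hello_2.7-2_i386.deb
Size: 27938
SHA256: 0000000000000000000000000000000000000000000000000000000000000000

"""

# Constructed stand-in for a router help page served with HTTP 200 in place of the index
PORTAL_HTML = b"""<!DOCTYPE html>
<html><head><title>Connection problem</title></head>
<body>Your router cannot reach the internet. Requested:
http://gb.archive.ubuntu.com/ubuntu/dists/precise-updates/universe/binary-i386/Packages
</body></html>
"""

INDEX_PATH = "universe/binary-i386/Packages"  # path relative to dists/<suite>/

HTML_MARKER = re.compile(rb"^\s*<(!doctype|html|head|body)\b", re.IGNORECASE)
FIELD_LINE = re.compile(rb"^[!-9;-~]+:")  # "Name:" with any printable chars except ':'


def looks_like_packages_index(body: bytes) -> bool:
    """Structural check: reject HTML; every stanza must be field lines with a Package: field."""
    if not body or HTML_MARKER.match(body):
        return False
    stanzas = [s for s in re.split(rb"\n\s*\n", body.strip()) if s.strip()]
    for stanza in stanzas:
        for line in stanza.split(b"\n"):
            # A line is either "Field: value" or a continuation line starting with whitespace
            if not (line.startswith((b" ", b"\t")) or FIELD_LINE.match(line)):
                return False
        if not re.search(rb"(?m)^Package: ", stanza):
            return False
    return bool(stanzas)


def parse_release_sha256(release_text: str) -> dict:
    """Return {relative path: (sha256 hex, size)} from the SHA256: section of a Release file."""
    entries, in_section = {}, False
    for line in release_text.splitlines():
        if not line.startswith(" "):
            in_section = line.strip() == "SHA256:"  # a new top-level field ends the section
            continue
        if in_section:
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
    return entries


def verify_index(release_text: str, rel_path: str, body: bytes) -> bool:
    """Accept the body only if it is structurally an index AND its hash and size match Release."""
    if not looks_like_packages_index(body):
        return False
    entry = parse_release_sha256(release_text).get(rel_path)
    if entry is None:
        return False  # index not listed in Release: nothing vouches for it
    digest, size = entry
    return len(body) == size and hashlib.sha256(body).hexdigest() == digest


def build_sample_release() -> str:
    """Constructed Release file listing only the sample index (real ones list every index)."""
    return (
        "Suite: precise-updates\n"
        "Architectures: i386\n"
        "SHA256:\n"
        f" {hashlib.sha256(GOOD_PACKAGES).hexdigest()} {len(GOOD_PACKAGES):>16} {INDEX_PATH}\n"
    )


if __name__ == "__main__":
    release = build_sample_release()
    for name, body in (("mirror", GOOD_PACKAGES), ("portal", PORTAL_HTML)):
        print(name, "structural:", looks_like_packages_index(body),
              "verified:", verify_index(release, INDEX_PATH, body))
```

The structural check alone is only a convenience (it gives a clear error instead of a parser choking on HTML); the hash comparison is what stops the router-controlled attacker in the thread from substituting a crafted index, and only as long as the Release file it reads from was itself signature-verified before use.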