[Bug 756317] Re: Captive portals may corrupt apt package lists
Bryan
756317 at bugs.launchpad.net
Thu Mar 20 15:08:43 UTC 2014
I'm not sure why I couldn't convince the security team that this is a
security issue. The ability for an attacker to write arbitrary information
to your software update database sounds like a pretty darn big security
flaw.
Bryan Harris, PE
Research Engineer
Structures and Materials Evaluation Group
University of Dayton Research Institute
bryan.harris at udri.udayton.edu
http://www.udri.udayton.edu/
(937) 229-5561
On Thu, Mar 20, 2014 at 3:04 PM, Bryan Harris <brywilharris at gmail.com> wrote:
> Even ignoring the fact that this is a huge security issue, a computer
> connecting to free wifi at Starbucks should not irreversibly corrupt the
> update process requiring manual intervention.
>
>
> On Thu, Mar 20, 2014 at 3:01 PM, Bryan Harris <brywilharris at gmail.com> wrote:
>
>> Yes, this bug is a PITA. I can't see why something as important as an
>> update list isn't cryptographically verified. Heck, even a quick md5sum
>> check would catch this 99.99999% of the time.
>>
>>
>> On Thu, Mar 20, 2014 at 2:17 PM, Monsta <756317 at bugs.launchpad.net> wrote:
>>
>>> ** Bug watch added: Debian Bug tracker #710229
>>> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=710229
>>>
>>> ** Also affects: apt (Debian) via
>>> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=710229
>>> Importance: Unknown
>>> Status: Unknown
>>>
>>> --
>>> You received this bug notification because you are subscribed to a
>>> duplicate bug report (1055614).
>>> https://bugs.launchpad.net/bugs/756317
>>>
>>> Title:
>>> Captive portals may corrupt apt package lists
>>>
>>> Status in "apt" package in Ubuntu:
>>> Confirmed
>>> Status in "apt" package in Debian:
>>> Unknown
>>>
>>> Bug description:
>>> I have an adsl modem which returns an html page if the adsl link is
>>> broken. This page ends as the content of the apt cache files stored in
>>> /var/lib/apt/lists, which breaks apt.
>>>
>>> The only way to make apt work again is to delete all the files stored
>>> in /var/lib/apt/lists.
>>>
>>> To manage notifications about this bug go to:
>>> https://bugs.launchpad.net/ubuntu/+source/apt/+bug/756317/+subscriptions
>>>
>>
>>
>
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/756317
Title:
Captive portals may corrupt apt package lists
Status in “apt” package in Ubuntu:
Confirmed
Status in “apt” package in Debian:
Unknown
Bug description:
I have an adsl modem which returns an html page if the adsl link is
broken. This page ends as the content of the apt cache files stored in
/var/lib/apt/lists, which breaks apt.
The only way to make apt work again is to delete all the files stored
in /var/lib/apt/lists.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/756317/+subscriptions
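The failure mode in the bug description (an HTML page stored as a list file) and the checksum idea raised in the thread, as an added Python example that is not part of the original message and not apt's own code. The function names are hypothetical, SHA-256 stands in for the md5sum mentioned above, and the expected digest is assumed to come from a source that is already trusted.

```python
import hashlib
import os
import tempfile

# Leading bytes that a package index never starts with but a portal page does.
HTML_MARKERS = (b"<!doctype html", b"<html", b"<head")

def looks_like_portal_page(data):
    """Heuristic: True if the content begins with HTML markup."""
    return data[:512].lstrip().lower().startswith(HTML_MARKERS)

def install_if_verified(dest, data, expected_sha256):
    """Replace dest with data only when the digest matches; else keep the old file."""
    if hashlib.sha256(data).hexdigest() != expected_sha256.lower():
        return False
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(dest) or ".")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
            fh.flush()
            os.fsync(fh.fileno())
        os.replace(tmp, dest)  # atomic rename: readers see old or new, never partial
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return True

def scan_lists(list_dir):
    """Return the names of regular files in list_dir that look like HTML."""
    flagged = []
    for name in sorted(os.listdir(list_dir)):
        path = os.path.join(list_dir, name)
        if not os.path.isfile(path):
            continue
        try:
            with open(path, "rb") as fh:
                head = fh.read(512)
        except OSError:
            continue  # unreadable entry (for example a lock file): skip it
        if looks_like_portal_page(head):
            flagged.append(name)
    return flagged

if __name__ == "__main__":
    for name in scan_lists("/var/lib/apt/lists"):
        print("suspect:", name)
```

The scan only reports suspect files; it changes nothing under the list directory.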