[Bug 1501177] [NEW] Updating kernel with update-manager without password

Marce marceqsqs at yahoo.es
Wed Sep 30 05:47:57 UTC 2015


Public bug reported:

When using Software Updater (which I believe is software-manager) and
*updating the kernel*, a password is usually requested. However, there is
a way to avoid it. This may be a security vulnerability.

If kernel packages are due for an update and all the updates are
performed at the same time, a password is requested. On the other hand, if
updates are performed in a specific order, a password is not requested.

How to reproduce it:

1. Update everything, except for the kernel-related updates (please look
at http://ibin.co/2HOn2ZCX580d ).

2. Next, deselect everything and update "Complete Generic Linux kernel
and headers".

Then, the only update left is "Linux Kernel Headers for development",
which can be performed without a password as well.

I have seen this behaviour on two machines, for a long time now.

Using Ubuntu 14.04.3
update-manager:
  Installed: 1:0.196.13
  Candidate: 1:0.196.13
  Version table:
 *** 1:0.196.13 0
        500 http://ar.archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     1:0.196.11 0
        500 http://ar.archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages

** Affects: update-manager (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to update-manager in Ubuntu.
https://bugs.launchpad.net/bugs/1501177
