[Bug 701378] Re: update-manager seems to insecurely check if a file is valid
Brian Murray
brian at ubuntu.com
Tue Mar 26 22:05:05 UTC 2019
*** This bug is a duplicate of bug 1744318 ***
https://bugs.launchpad.net/bugs/1744318
** This bug has been marked a duplicate of bug 1744318
changelogs.ubuntu.com should be using HTTPS
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to update-manager in Ubuntu.
https://bugs.launchpad.net/bugs/701378
Title:
update-manager seems to insecurely check if a file is valid
Status in update-manager package in Ubuntu:
Confirmed
Bug description:
Binary package hint: update-manager-core
I think update-manager has a security problem:
# grep URI /etc/update-manager/meta-release | head -2
URI = http://changelogs.ubuntu.com/meta-release
URI_LTS = http://changelogs.ubuntu.com/meta-release-lts
Changelogs are checked over the url: http://changelogs.ubuntu.com/meta-release
where you will find something like this:
Dist: maverick
[..]
UpgradeTool: http://archive.ubuntu.com/ubuntu/dists/maverick-updates/main/dist-upgrader-all/current/maverick.tar.gz
UpgradeToolSignature: http://archive.ubuntu.com/ubuntu/dists/maverick-updates/main/dist-upgrader-all/current/maverick.tar.gz.gpg
Presumably, the UpgradeToolSignature is used to verify the
UpgradeTool.
So update-manager does two things:
* Gets a signature that verifies a file.
* Gets a file.
* Checks that the signature verifies the file.
But because this is happening over http without ssl, the signature or
the file or both can be replaced.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/update-manager/+bug/701378/+subscriptions
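The report above boils down to a transport problem: the meta-release config, the meta-release index it points at, and the UpgradeTool and UpgradeToolSignature URLs inside that index are all fetched over plain http://, so a network attacker can rewrite any of them. The example below is an added illustration, not code from update-manager or from the bug report. It parses the two file shapes quoted in the report (the "KEY = value" config and the "Key: value" stanza index), with sample contents constructed here to match those snippets, and lists every URL that would be fetched without TLS. That is the check the duplicate bug (1744318, "changelogs.ubuntu.com should be using HTTPS") resolves. One caveat worth keeping in mind: a detached GPG signature checked against a key trusted out-of-band still rejects a swapped tarball even over plaintext, so HTTPS mainly protects the metadata (which releases exist and which URLs to fetch) and the signature check protects the payload; a client needs both.

```python
"""Audit update-manager's meta-release plumbing for plaintext (http://) fetches.

Added example, not code from update-manager or the bug report.  It reads two
constructed inputs modelled on the snippets in the report: the
/etc/update-manager/meta-release config ("KEY = value") and a meta-release
index (RFC822-style "Key: value" stanzas), and reports every URL that would be
fetched without TLS.  All sample text below is constructed for this example.
"""
from urllib.parse import urlsplit

# Constructed sample of /etc/update-manager/meta-release (shape from the report).
SAMPLE_CONFIG = """\
[METARELEASE]
URI = http://changelogs.ubuntu.com/meta-release
URI_LTS = http://changelogs.ubuntu.com/meta-release-lts
URI_UNSTABLE = https://changelogs.ubuntu.com/meta-release-development
"""

# Constructed sample of a meta-release index (shape from the report).
SAMPLE_INDEX = """\
Dist: lucid
Name: Lucid Lynx
Version: 10.04 LTS
Supported: 1
UpgradeTool: https://archive.ubuntu.com/ubuntu/dists/lucid-updates/main/dist-upgrader-all/current/lucid.tar.gz
UpgradeToolSignature: https://archive.ubuntu.com/ubuntu/dists/lucid-updates/main/dist-upgrader-all/current/lucid.tar.gz.gpg

Dist: maverick
Name: Maverick Meerkat
Version: 10.10
Supported: 1
UpgradeTool: http://archive.ubuntu.com/ubuntu/dists/maverick-updates/main/dist-upgrader-all/current/maverick.tar.gz
UpgradeToolSignature: http://archive.ubuntu.com/ubuntu/dists/maverick-updates/main/dist-upgrader-all/current/maverick.tar.gz.gpg
"""

# Fields whose values are URLs that update-manager would download.
URL_KEYS = {"URI", "URI_LTS", "URI_UNSTABLE", "UpgradeTool", "UpgradeToolSignature"}


def parse_config(text):
    """Parse 'KEY = value' lines; section headers like [METARELEASE] are skipped."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "[")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip()] = value.strip()
    return values


def parse_index(text):
    """Parse blank-line separated 'Key: value' stanzas into a list of dicts."""
    stanzas, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                stanzas.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")
        if sep:
            current[key.strip()] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas


def insecure_urls(mapping, context):
    """Return (context, key, url) for every URL-valued field not using https."""
    findings = []
    for key, value in mapping.items():
        if key in URL_KEYS and urlsplit(value).scheme.lower() != "https":
            findings.append((context, key, value))
    return findings


def audit(config_text, index_text):
    """Audit both files; returns a list of (context, key, url) findings."""
    findings = insecure_urls(parse_config(config_text), "config")
    for stanza in parse_index(index_text):
        findings.extend(insecure_urls(stanza, stanza.get("Dist", "?")))
    return findings


if __name__ == "__main__":
    for context, key, url in audit(SAMPLE_CONFIG, SAMPLE_INDEX):
        print(f"{context}: {key} fetched over plaintext: {url}")
```

Run against the constructed samples it reports the two config URIs and the two maverick tool URLs, and nothing for the lucid stanza, whose URLs already use HTTPS. Pointing `parse_config` and `parse_index` at the real files on a host (the paths are in the report) turns it into a quick local check that the fix from the duplicate bug has actually landed.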