Package: aptdaemon Version: 0.43+bzr769-1 Severity: normal Tags: patch pending
Dear maintainer,

I've prepared an NMU for aptdaemon (versioned as 0.43+bzr769-1.1) to fix the just released security issue and uploaded it to DELAYED/02. Please feel free to tell me if I should delay it longer.

Cheers

Luk
diff -Nru aptdaemon-0.43+bzr769/debian/changelog aptdaemon-0.43+bzr769/debian/changelog --- aptdaemon-0.43+bzr769/debian/changelog 2012-03-05 16:14:52.000000000 +0100 +++ aptdaemon-0.43+bzr769/debian/changelog 2012-04-01 09:52:42.000000000 +0200 @@ -1,3 +1,10 @@ +aptdaemon (0.43+bzr769-1.1) unstable; urgency=high + + * Non-maintainer upload by the Security Team. + * Fix CVE-2012-0944: unnoticed installation of unauthenticated packages. + + -- Luk Claes <l...@debian.org> Sun, 01 Apr 2012 09:50:40 +0200 + aptdaemon (0.43+bzr769-1) unstable; urgency=low * New upstream snapshot diff -Nru aptdaemon-0.43+bzr769/debian/patches/CVE-2012-0944.patch aptdaemon-0.43+bzr769/debian/patches/CVE-2012-0944.patch --- aptdaemon-0.43+bzr769/debian/patches/CVE-2012-0944.patch 1970-01-01 01:00:00.000000000 +0100 +++ aptdaemon-0.43+bzr769/debian/patches/CVE-2012-0944.patch 2012-04-01 09:54:56.000000000 +0200 
@@ -0,0 +1,24 @@ +Description: Fix unnoticed installation of unauthenticated packages + Aptdaemon only checks for unauthenticated packages during the simulation of + a transaction. It should also check directly before applying the changes + to catch changes between the simulation and the application. +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/aptdaemon/+bug/959131 +=== modified file 'aptdaemon/worker.py' +--- old/aptdaemon/worker.py 2011-04-15 13:57:10 +0000 ++++ new/aptdaemon/worker.py 2012-03-19 10:05:52 +0000 +@@ -899,9 +899,13 @@ + pkg.name) + # Check if any of the cache changes get installed from an + # unauthenticated repository"" ++ trans.unauthenticated = self._get_unauthenticated() + if not trans.allow_unauthenticated and trans.unauthenticated: + raise TransactionFailed(ERROR_PACKAGE_UNAUTHENTICATED, + " ".join(sorted(trans.unauthenticated))) ++ if trans.unauthenticated: ++ log.warn("unauthenticated packages but forcing install") ++ + if trans.cancelled: + raise TransactionCancelled() + trans.cancellable = False + + diff -Nru aptdaemon-0.43+bzr769/debian/patches/series aptdaemon-0.43+bzr769/debian/patches/series --- aptdaemon-0.43+bzr769/debian/patches/series 2012-03-05 16:14:52.000000000 +0100 +++ aptdaemon-0.43+bzr769/debian/patches/series 2012-04-01 09:58:59.000000000 +0200 @@ -0,0 +1 @@ +CVE-2012-0944.patch
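Review bot: the forced-install branch in the worker.py hunk, `log.warn("unauthenticated packages but forcing install")`, does not say which packages were unauthenticated, although `trans.unauthenticated` has just been recomputed on the line above; include `" ".join(sorted(trans.unauthenticated))` in the message, as the `TransactionFailed(ERROR_PACKAGE_UNAUTHENTICATED, ...)` branch already does, so that a transaction that went ahead with `allow_unauthenticated` set leaves an attributable record of the unsigned packages it installed. Minor: the context line `# unauthenticated repository""` carries a stray `""` at the end of the comment that could be dropped while this block is being touched.

Review bot: the DEP-3 header of CVE-2012-0944.patch gives `Description:` and `Bug-Ubuntu:` but no `Origin:` or `Author:` line, even though the `=== modified file 'aptdaemon/worker.py'` marker shows the hunk was taken from an upstream bzr diff; add `Origin: upstream` with the upstream revision (or an `Author:` line) so the next person rebasing the package can tell which upstream change this corresponds to and drop the patch once it lands in a new snapshot.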