
Bug#523213: marked as done (/etc/cron.daily/apt does not check return code of date)



Your message dated Sat, 02 May 2009 19:54:46 +0000
with message-id <E1M0LIM-0005j5-Ry@ries.debian.org>
and subject line Bug#523213: fixed in apt 0.6.46.4-0.1+etch1
has caused the Debian Bug report #523213,
regarding /etc/cron.daily/apt does not check return code of date
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
523213: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=523213
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: apt
Version: 0.7.20.2
Severity: grave
Tags: security patch
Justification: user security hole

The following is also being sent to oss-security@lists.openwall.com for
a CVE request.

Summary
-------
Systems in certain timezones with automatic updates enabled won't be
upgraded on the first day of DST and some systems in affected timezones
could end up with automatic updates being disabled permanently. Normal
usage of apt is not affected.

Discovery credited to: Alexandre Martani

Public bug: https://launchpad.net/bugs/354793

The Problem
-----------
The problem arises because the date command errors out on dates/times
that are invalid. Eg, DST starts at 03:00 in the Central time zone of
the US:

$ date --date="2009-03-08 02:00:00"
date: invalid date `2009-03-08 02:00:00'

This is fine and in and of itself not a problem. However,
/etc/cron.daily/apt has:
    stamp=$(date --date=$(date -r $stamp --iso-8601) +%s)
    now=$(date --date=$(date --iso-8601) +%s)

'--iso-8601' creates dates of the form YYYY-MM-DD. Since this is then
fed into the date command, the hour, minute and second all default to
0. Some timezones start their DST at midnight, with America/Sao_Paulo as
one example. Eg, on a system configured to use the America/Sao_Paulo
timezone:

$ date --date=2009-10-18
date: invalid date `2009-10-18'

This condition causes 'delta=$(($now-$stamp))' in check_stamp() to fail
when $stamp is empty (returning non-zero), or, when $now is empty,
'$delta -ge $interval' evaluates to false because delta is negative
(returning non-zero). Either condition results in all or part of the
automatic update process not being performed.

Affected Users
--------------
For users in timezones with DST starting at midnight with automatic
updates enabled, this can lead to the following error conditions:

1. /etc/cron.daily/apt is run on the first day of the DST, resulting in
'$delta -ge $interval' being negative because 'now' is empty and the
automatic update is not run. The timestamps are not updated, so the
automatic update will occur normally the following day.

2. /etc/cron.daily/apt is run late in the day on the day prior to DST
(eg 23:59 on 2009-10-17) and finishes on the day of DST (eg one minute
later, at 01:00 on 2009-10-18). This will update the stamp files to have
the date of the DST. At this point, apt cannot recover and automatic
updates are disabled until manually updating/removing the stamp files.

3. A user in a non-affected timezone has /etc/cron.daily/apt run
normally on the day of the DST. Sometime after that, but before
/etc/cron.daily/apt runs again, the user changes her timezone to an
affected timezone. At this point, apt cannot recover and automatic
updates are disabled until manually updating/removing the stamp files.

While all users in scenario '1' are affected, they will eventually get
their updates. Though the number of users in '2' and especially '3' are
presumed low, the impact for these users is very high, since the
expected, automatic security updates will never be applied.


The Fix
-------
The fix is simply to check the return codes of date, and return '0' if
the date for 'now' fails, and remove the bad stamp file and return '0'
if the date for 'stamp' fails. A patch is attached to the Ubuntu bug,
though I have contacted the Debian and Ubuntu maintainer directly and he
is working on an update for the development releases of Debian and
Ubuntu.

Thanks,
Jamie


-- Package-specific info:

-- (no /etc/apt/preferences present) --


-- (/etc/apt/sources.list present, but not submitted) --


-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.28-11-generic (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages apt depends on:
ii  debian-archive-keyring        2009.01.31 GnuPG archive keys of the Debian a
ii  libc6                         2.9-7      GNU C Library: Shared libraries
ii  libgcc1                       1:4.3.3-5  GCC support library
ii  libstdc++6                    4.3.3-5    The GNU Standard C++ Library v3

apt recommends no packages.

Versions of packages apt suggests:
pn  apt-doc                       <none>     (no description available)
pn  aptitude | synaptic | gnome-a <none>     (no description available)
ii  bzip2                         1.0.5-1    high-quality block-sorting file co
ii  dpkg-dev                      1.14.25    Debian package development tools
ii  lzma                          4.43-14    Compression method of 7z format in
pn  python-apt                    <none>     (no description available)

-- no debconf information
diff -Nru apt-0.7.20.2ubuntu5/debian/apt.cron.daily apt-0.7.20.2ubuntu6/debian/apt.cron.daily
--- apt-0.7.20.2ubuntu5/debian/apt.cron.daily	2009-03-30 08:21:21.000000000 -0500
+++ apt-0.7.20.2ubuntu6/debian/apt.cron.daily	2009-04-08 14:43:48.000000000 -0500
@@ -50,8 +50,25 @@
     fi
 
     # compare midnight today to midnight the day the stamp was updated
-    stamp=$(date --date=$(date -r $stamp --iso-8601) +%s)
-    now=$(date --date=$(date --iso-8601) +%s)
+    stamp_file="$stamp"
+    stamp=$(date --date=$(date -r $stamp_file --iso-8601) +%s 2>/dev/null)
+    if [ "$?" != "0" ]; then
+        # Due to some timezones returning 'invalid date' for midnight on
+        # certain dates (eg America/Sao_Paulo), if date returns with error
+        # remove the stamp file and return 0. See coreutils bug:
+        # http://lists.gnu.org/archive/html/bug-coreutils/2007-09/msg00176.html
+        rm -f "$stamp_file"
+        return 0
+    fi
+
+    now=$(date --date=$(date --iso-8601) +%s 2>/dev/null)
+    if [ "$?" != "0" ]; then
+        # As above, due to some timezones returning 'invalid date' for midnight
+        # on certain dates (eg America/Sao_Paulo), if date returns with error
+        # return 0.
+        return 0
+    fi
+
     delta=$(($now-$stamp))
 
     # intervall is in days,
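Review bot: the two new error checks test `$?` after an assignment, which does pick up the status of the outer `date`, but `$stamp_file` and the inner `$(date -r $stamp_file --iso-8601)` are still unquoted; quote both (`--date="$(date -r "$stamp_file" --iso-8601)"`) so a path containing whitespace cannot split the command line, and consider `if ! stamp=$(...); then` in place of the separate `[ "$?" != "0" ]` test. Note also that `2>/dev/null` now hides every `date` failure, not only the DST-gap case the comment describes, so a stamp file that is unreadable for any other reason is likewise treated as a bad stamp and removed with `rm -f`; that is harmless for this script, but the comment should say so rather than naming only the timezone case.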

--- End Message ---
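The stamp check described in the report above, written out as an added shell example; this is neither apt's own cron script nor the attached patch. It keeps the patched behaviour (an unrepresentable midnight makes the check return 0, and a stamp file whose own day cannot be represented is removed) and adds a reproducer for the date(1) check from the report. `DATE_CMD` is an assumed hook that does not exist in apt; it lets a failing date(1) be substituted so the DST path can be exercised on any day rather than only on the first day of DST in an affected zone.

```shell
#!/bin/sh
# Added example, not apt's code: a check_stamp() in the shape of the
# patched apt.cron.daily, with the date(1) failure path handled explicitly.
# DATE_CMD is an assumed test hook (absent from apt): point it at a wrapper
# that fails on "--date=..." to simulate a DST gap at midnight.

DATE_CMD="${DATE_CMD:-date}"

# Reproducer for the report: does 00:00 on DAY exist in zone TZNAME?
# Prints one line and returns 0 either way. On the coreutils of the report,
# America/Sao_Paulo 2009-10-18 printed "invalid date"; whether a newer
# coreutils still rejects it depends on the installed version.
midnight_exists() {
    tzname="$1"; day="$2"
    if TZ="$tzname" date --date="$day" +%s >/dev/null 2>&1; then
        echo "$tzname $day 00:00: accepted by date(1)"
    else
        echo "$tzname $day 00:00: rejected by date(1) (DST gap at midnight)"
    fi
    return 0
}

# check_stamp STAMP_FILE INTERVAL_DAYS
#   returns 0 when the periodic action should run (or cannot be decided,
#            in which case running is the safe default)
#   returns 1 when the stamp is recent enough, or the interval is 0 (off)
check_stamp() {
    stamp_file="$1"
    interval="$2"

    # an interval of 0 means "never", as in apt.cron.daily
    if [ "$interval" -eq 0 ]; then
        return 1
    fi
    if [ ! -f "$stamp_file" ]; then
        return 0
    fi

    # Midnight of the day the stamp was last touched, as epoch seconds.
    # date(1) can reject that midnight when DST starts at 00:00, so use the
    # value only if the command succeeded and produced something.
    stamp=$("$DATE_CMD" --date="$("$DATE_CMD" -r "$stamp_file" --iso-8601)" +%s 2>/dev/null) || stamp=""
    if [ -z "$stamp" ]; then
        # The stamp's own day is unrepresentable: remove it so no later run
        # can get stuck on it (scenarios 2 and 3 of the report), then run.
        rm -f "$stamp_file"
        return 0
    fi

    now=$("$DATE_CMD" --date="$("$DATE_CMD" --iso-8601)" +%s 2>/dev/null) || now=""
    if [ -z "$now" ]; then
        # Today's midnight is unrepresentable (scenario 1): run rather than
        # silently skipping; the stamp is left alone and is valid tomorrow.
        return 0
    fi

    delta=$((now - stamp))
    interval=$((interval * 60 * 60 * 24))
    if [ "$delta" -ge "$interval" ]; then
        return 0
    fi
    return 1
}

# Demonstration: the zone and day from the report, and a zone without DST.
midnight_exists America/Sao_Paulo 2009-10-18
midnight_exists UTC 2009-10-18
```

The failure branches deliberately return 0 rather than 1: a skipped run costs one day of updates, whereas a stamp that can never be parsed would, as the report explains, disable automatic updates until an administrator intervenes. Removing the stamp in the first branch is what makes the script self-healing on the day after a bad timestamp was written.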
--- Begin Message ---
Source: apt
Source-Version: 0.6.46.4-0.1+etch1

We believe that the bug you reported is fixed in the latest version of
apt, which is due to be installed in the Debian FTP archive:

apt-doc_0.6.46.4-0.1+etch1_all.deb
  to pool/main/a/apt/apt-doc_0.6.46.4-0.1+etch1_all.deb
apt-utils_0.6.46.4-0.1+etch1_i386.deb
  to pool/main/a/apt/apt-utils_0.6.46.4-0.1+etch1_i386.deb
apt_0.6.46.4-0.1+etch1.dsc
  to pool/main/a/apt/apt_0.6.46.4-0.1+etch1.dsc
apt_0.6.46.4-0.1+etch1.tar.gz
  to pool/main/a/apt/apt_0.6.46.4-0.1+etch1.tar.gz
apt_0.6.46.4-0.1+etch1_i386.deb
  to pool/main/a/apt/apt_0.6.46.4-0.1+etch1_i386.deb
libapt-pkg-dev_0.6.46.4-0.1+etch1_i386.deb
  to pool/main/a/apt/libapt-pkg-dev_0.6.46.4-0.1+etch1_i386.deb
libapt-pkg-doc_0.6.46.4-0.1+etch1_all.deb
  to pool/main/a/apt/libapt-pkg-doc_0.6.46.4-0.1+etch1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 523213@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Vogt <mvo@debian.org> (supplier of updated apt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun, 19 Apr 2009 21:06:46 +0200
Source: apt
Binary: apt-utils libapt-pkg-doc libapt-pkg-dev apt-doc apt
Architecture: source all i386
Version: 0.6.46.4-0.1+etch1
Distribution: oldstable-security
Urgency: high
Maintainer: APT Development Team <deity@lists.debian.org>
Changed-By: Michael Vogt <mvo@debian.org>
Description: 
 apt        - Advanced front-end for dpkg
 apt-doc    - Documentation for APT
 apt-utils  - APT utility programs
 libapt-pkg-dev - Development files for APT's libapt-pkg and libapt-inst
 libapt-pkg-doc - Documentation for APT development
Closes: 433091 523213
Changes: 
 apt (0.6.46.4-0.1+etch1) oldstable-security; urgency=high
 .
   * debian/apt.cron.daily:
     - fix possible DST timestamp related auto-update problem
       (CVE-2009-1300, closes: #523213)
   * methods/gpgv.cc:
     - properly check for expired and revoked keys (closes: #433091)
Files: 
 c631100edac082afe2dddb28030ed6ff 1108 admin important apt_0.6.46.4-0.1+etch1.dsc
 e6eaebb8a12f5243668ca56e65c8c71e 1798703 admin important apt_0.6.46.4-0.1+etch1.tar.gz
 999f34683b7cb7818258ac1ebfca701c 89752 doc optional apt-doc_0.6.46.4-0.1+etch1_all.deb
 b91e59e2e1093ecbe387ccc7e8111d73 112248 doc optional libapt-pkg-doc_0.6.46.4-0.1+etch1_all.deb
 73f115b27de4fdf11af97e2b5afca613 1438190 admin important apt_0.6.46.4-0.1+etch1_i386.deb
 6aa9a63c060eb0461b66f67e35ed20c7 84166 libdevel optional libapt-pkg-dev_0.6.46.4-0.1+etch1_i386.deb
 7245c5ea84b1c4eefa816af20868a794 198392 admin important apt-utils_0.6.46.4-0.1+etch1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iQEcBAEBAgAGBQJJ7ZDZAAoJECIIoQCMVaAcYgQH+wXRkiChxfmz1vuiqDe1yx/K
a5T5c+zb/mrY1Q3M0zh/p0sB9xmE6XBC9c4UYEX3qLS/V0PJ4eND1DHyT8qBtm67
mB2G/+U0MDFB607l5vCIstSchgJP9XTLA7cdvTudQCgEihYhvXpySSzHNPcn+WHv
Bb5fTvcERQ7zVfjFv2tySyn/y5dwssqf0dwm625NuYc75oD1eVHZ+vpX1WVMHI4K
795kdmDE7X0/vbg0P6CIZn4xRo1P/JLuhzZt1f7facB0mCLnHphHKhB2e7vBHECu
OPqW9ryZsPDD34Zs/v0UPosYqFOwyrY8JMyJQog2/VljHqhAVB1/A4aZShLuwIw=
=9jPa
-----END PGP SIGNATURE-----



--- End Message ---
