--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: /etc/cron.daily/apt does not check return code of date
- From: Jamie Strandboge <jamie@ubuntu.com>
- Date: Wed, 08 Apr 2009 17:39:37 -0500
- Message-id: <20090408223937.8021.26855.reportbug@severus.strandboge.com>
Package: apt
Version: 0.7.20.2
Severity: grave
Tags: security patch
Justification: user security hole
The following is also being sent to oss-security@lists.openwall.com for
a CVE request.
Summary
-------
Systems in certain timezones with automatic updates enabled won't be
upgraded on the first day of DST and some systems in affected timezones
could end up with automatic updates being disabled permanently. Normal
usage of apt is not affected.
Discovery credited to: Alexandre Martani
Public bug: https://launchpad.net/bugs/354793
The Problem
-----------
The problem arises because the date command errors out on dates/times
that are invalid. Eg, DST starts at 03:00 in the Central time zone of
the US:
$ date --date="2009-03-08 02:00:00"
date: invalid date `2009-03-08 02:00:00'
This is fine and in and of itself not a problem. However,
/etc/cron.daily/apt has:
stamp=$(date --date=$(date -r $stamp --iso-8601) +%s)
now=$(date --date=$(date --iso-8601) +%s)
'--iso-8601' creates dates of the form YYYY-MM-DD. Since this is then
fed into the date command, the hour, minute and second all default to
0. Some timezones start their DST at midnight, with America/Sao_Paulo as
one example. Eg, on a system configured to use the America/Sao_Paulo
timezone:
$ date --date=2009-10-18
date: invalid date `2009-10-18'
This condition causes 'delta=$(($now-$stamp))' in check_stamp() to fail
when $stamp is empty (returning non-zero) or for when $now is empty,
'$delta -ge $interval' evaluates to false because delta is negative
(return non-zero). Either condition results in all or part of the
automatic update process to not be performed.
Affected Users
--------------
For users in timezones with DST starting at midnight with automatic
updates enabled, this can lead to the following error conditions:
1. /etc/cron.daily/apt is run on the first day of the DST, resulting in
'$delta -ge $interval' being negative because 'now' is empty and the
automatic update is not run. The timestamps are not updated, so the
automatic update will occur normally the following day.
2. /etc/cron.daily/apt is run late in the day on the day prior to DST
(eg 23:59 on 2009-10-17) and finishes on the day of DST (eg one minute
later, at 01:00 on 2009-10-18). This will update the stamp files to have
the date of the DST. At this point, apt cannot recover and automatic
updates are disabled until manually updating/removing the stamp files.
3. A user using a non-affected timezone and has /etc/cron.daily/apt run
normally on the day of the DST. Sometime after that, but before
/etc/cron.daily/apt runs again, the user changes her timezone to an
affected timezone. At this point, apt cannot recover and automatic
updates are disabled until manually updating/removing the stamp files.
While all users in scenario '1' are affected, they will eventually get
their updates. Though the number of users in '2' and especially '3' are
presumed low, the impact for these users is very high, since the
expected, automatic security updates will never be applied.
The Fix
-------
The fix is simply to check the return codes of date, and return '0' if
the date for 'now' fails, and remove the bad stamp file and return '0'
if the date for 'stamp' fails. A patch is attached to the Ubuntu bug,
though I have contacted the Debian and Ubuntu maintainer directly and he
is working on an update for the development releases of Debian and
Ubuntu.
Thanks,
Jamie
-- Package-specific info:
-- (no /etc/apt/preferences present) --
-- (/etc/apt/sources.list present, but not submitted) --
-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.28-11-generic (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash
Versions of packages apt depends on:
ii debian-archive-keyring 2009.01.31 GnuPG archive keys of the Debian a
ii libc6 2.9-7 GNU C Library: Shared libraries
ii libgcc1 1:4.3.3-5 GCC support library
ii libstdc++6 4.3.3-5 The GNU Standard C++ Library v3
apt recommends no packages.
Versions of packages apt suggests:
pn apt-doc <none> (no description available)
pn aptitude | synaptic | gnome-a <none> (no description available)
ii bzip2 1.0.5-1 high-quality block-sorting file co
ii dpkg-dev 1.14.25 Debian package development tools
ii lzma 4.43-14 Compression method of 7z format in
pn python-apt <none> (no description available)
-- no debconf information
diff -Nru apt-0.7.20.2ubuntu5/debian/apt.cron.daily apt-0.7.20.2ubuntu6/debian/apt.cron.daily
--- apt-0.7.20.2ubuntu5/debian/apt.cron.daily 2009-03-30 08:21:21.000000000 -0500
+++ apt-0.7.20.2ubuntu6/debian/apt.cron.daily 2009-04-08 14:43:48.000000000 -0500
@@ -50,8 +50,25 @@
fi
# compare midnight today to midnight the day the stamp was updated
- stamp=$(date --date=$(date -r $stamp --iso-8601) +%s)
- now=$(date --date=$(date --iso-8601) +%s)
+ stamp_file="$stamp"
+ stamp=$(date --date=$(date -r $stamp_file --iso-8601) +%s 2>/dev/null)
+ if [ "$?" != "0" ]; then
+ # Due to some timezones returning 'invalid date' for midnight on
+ # certain dates (eg America/Sao_Paulo), if date returns with error
+ # remove the stamp file and return 0. See coreutils bug:
+ # http://lists.gnu.org/archive/html/bug-coreutils/2007-09/msg00176.html
+ rm -f "$stamp_file"
+ return 0
+ fi
+
+ now=$(date --date=$(date --iso-8601) +%s 2>/dev/null)
+ if [ "$?" != "0" ]; then
+ # As above, due to some timezones returning 'invalid date' for midnight
+ # on certain dates (eg America/Sao_Paulo), if date returns with error
+ # return 0.
+ return 0
+ fi
+
delta=$(($now-$stamp))
# intervall is in days,
--- End Message ---
--- Begin Message ---
Source: apt
Source-Version: 0.7.20.2+squeeze1
We believe that the bug you reported is fixed in the latest version of
apt, which is due to be installed in the Debian FTP archive:
apt-doc_0.7.20.2+squeeze1_all.deb
to pool/main/a/apt/apt-doc_0.7.20.2+squeeze1_all.deb
apt-transport-https_0.7.20.2+squeeze1_i386.deb
to pool/main/a/apt/apt-transport-https_0.7.20.2+squeeze1_i386.deb
apt-utils_0.7.20.2+squeeze1_i386.deb
to pool/main/a/apt/apt-utils_0.7.20.2+squeeze1_i386.deb
apt_0.7.20.2+squeeze1.dsc
to pool/main/a/apt/apt_0.7.20.2+squeeze1.dsc
apt_0.7.20.2+squeeze1.tar.gz
to pool/main/a/apt/apt_0.7.20.2+squeeze1.tar.gz
apt_0.7.20.2+squeeze1_i386.deb
to pool/main/a/apt/apt_0.7.20.2+squeeze1_i386.deb
libapt-pkg-dev_0.7.20.2+squeeze1_i386.deb
to pool/main/a/apt/libapt-pkg-dev_0.7.20.2+squeeze1_i386.deb
libapt-pkg-doc_0.7.20.2+squeeze1_all.deb
to pool/main/a/apt/libapt-pkg-doc_0.7.20.2+squeeze1_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 523213@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated apt package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Tue, 05 May 2009 15:37:03 +0200
Source: apt
Binary: apt apt-doc libapt-pkg-dev libapt-pkg-doc apt-utils apt-transport-https
Architecture: source all i386
Version: 0.7.20.2+squeeze1
Distribution: testing-security
Urgency: high
Maintainer: APT Development Team <deity@lists.debian.org>
Changed-By: Nico Golde <nion@debian.org>
Description:
apt - Advanced front-end for dpkg
apt-doc - Documentation for APT
apt-transport-https - APT https transport
apt-utils - APT utility programs
libapt-pkg-dev - Development files for APT's libapt-pkg and libapt-inst
libapt-pkg-doc - Documentation for APT development
Closes: 433091 523213
Changes:
apt (0.7.20.2+squeeze1) testing-security; urgency=high
.
* debian/apt.cron.daily:
- fix possible DST timestamp releated auto-update problem
(CVE-2009-1300, closes: #523213)
* methods/gpgv.cc:
- properly check for expired and revoked keys (closes: #433091)
Checksums-Sha1:
fe2ce2e9f49343fef4b371efbf3b2bf1e3f7b942 1256 apt_0.7.20.2+squeeze1.dsc
b8523f3cc7bb81355f4b6702a6e6efd2c2aa20dd 2044030 apt_0.7.20.2+squeeze1.tar.gz
e2f9c7fef94f911aba002490d57e3898f98ac4a5 99974 apt-doc_0.7.20.2+squeeze1_all.deb
7d9d3e0bd339a9db541602c73842291fc1a5dedd 124124 libapt-pkg-doc_0.7.20.2+squeeze1_all.deb
9b242d6f1fe1f225c8b24fd548ccfb9298eb4bc1 1628232 apt_0.7.20.2+squeeze1_i386.deb
ee83f97fdb2dfffd0a07ed90fcfc1c3c89c2549b 109144 libapt-pkg-dev_0.7.20.2+squeeze1_i386.deb
d2eea9704693e4f0a4b4ff9424cd23e1366bbfe6 188466 apt-utils_0.7.20.2+squeeze1_i386.deb
2ae45b806c0b0cc8aa4e22040088be76a5e1a302 58674 apt-transport-https_0.7.20.2+squeeze1_i386.deb
Checksums-Sha256:
dd175ff29e5489eb8937170bfc851f538ef5483f894c62b507259389461ad209 1256 apt_0.7.20.2+squeeze1.dsc
6d5fd840fba4fb7baacd2802abf0a89588aaa0b0d64b90b28015ea272278003b 2044030 apt_0.7.20.2+squeeze1.tar.gz
bfafcb1b7dd33567cdd2314a22c113237a85fd1b27f5ef39434aeeb81cb3a982 99974 apt-doc_0.7.20.2+squeeze1_all.deb
e7eaa5f035e54c5c3a96adb78dd2965c8f4485c2d4428f738109a9a7d836d149 124124 libapt-pkg-doc_0.7.20.2+squeeze1_all.deb
7ea5ceaf0fbae59613351a11cb222191f93c00edd0c31999b6afd42076d0866a 1628232 apt_0.7.20.2+squeeze1_i386.deb
00d4e5d4d342af6d31616aef595d0ce9bf1a9ed17b4e98767a96ea28c2ac6f21 109144 libapt-pkg-dev_0.7.20.2+squeeze1_i386.deb
23b2db6e64b80b0f2ef406d28e9af07878e12ff1a12c151fcfcf28e4c9261f33 188466 apt-utils_0.7.20.2+squeeze1_i386.deb
aeddbb1c88465fb199eb08db57247500093bbd1dde434dba6dea1d24a9d06f64 58674 apt-transport-https_0.7.20.2+squeeze1_i386.deb
Files:
337d5d3f86d65005905029eb272415bf 1256 admin important apt_0.7.20.2+squeeze1.dsc
7a68e55346cf8ec2cf2019e0959e5907 2044030 admin important apt_0.7.20.2+squeeze1.tar.gz
f7c4871dd7e7242fc04c15c0ca45dc7e 99974 doc optional apt-doc_0.7.20.2+squeeze1_all.deb
d7d02f781c56217438ecd176bee1a515 124124 doc optional libapt-pkg-doc_0.7.20.2+squeeze1_all.deb
f6e27ef8e207a4660161cd71d8474487 1628232 admin important apt_0.7.20.2+squeeze1_i386.deb
aaeefc58ae6ca8d928bd7fdaddb86efa 109144 libdevel optional libapt-pkg-dev_0.7.20.2+squeeze1_i386.deb
5e7aba28edf7976597336c89545cefbf 188466 admin important apt-utils_0.7.20.2+squeeze1_i386.deb
fab50bd430585e9ac3128e041177448b 58674 admin optional apt-transport-https_0.7.20.2+squeeze1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkoAQb0ACgkQHYflSXNkfP9ZyQCgp3hPfN1XPMz/QrJ9khUArUY9
Z+IAnjSuBN3GVIBmOIzW85M/cVSirnlh
=WAqS
-----END PGP SIGNATURE-----
--- End Message ---