Bug 531838

Summary: Recent PK update will silently install insecure packages
Product: Fedora
Reporter: James Antill <james.antill>
Component: PackageKit
Assignee: Richard Hughes <richard>
Status: CLOSED NEXTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: low
Version: 12
CC: mclasen, rhughes, richard, security-response-team
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2010-01-05 09:51:26 UTC

Description James Antill 2009-10-29 16:08:05 UTC
Description of problem:

 To "work around" BZ 529349 a recent PK patch _silently_ disables any remote repos which can't be reached.
 This means that if a user tells PK to "install FOO" where FOO-1 was in Fedora 11 GA, and had a security bug in it, and FOO-2 is in updates ... PK could now silently install FOO-1.

 This is somewhat mitigated due to yum's behaviour of only throwing the error in bug 529349 when it has no repodata for a repo and can't reach it. So the security problem is mostly limited to new installs and people who have done "yum clean all" type operations.

Version-Release number of selected component (if applicable):

http://kojipkgs.fedoraproject.org/packages/PackageKit/0.5.4/0.1.20091029git.fc12/

 Which contains the upstream patch:

commit 17cf7c2bfadef59690c0c96a6af18ae2fb3430a2
Author: Richard Hughes <richard>
Date:   Tue Oct 20 15:47:36 2009 +0100

    yum: disable repos that are not contactable

diff --git a/backends/yum/yumBackend.py b/backends/yum/yumBackend.py
index 8632e53..5625089 100755
--- a/backends/yum/yumBackend.py
+++ b/backends/yum/yumBackend.py
@@ -2667,6 +2667,13 @@ class PackageKitYumBackend(PackageKitBaseBackend, Package
                     continue
                 repo.metadata_expire = 60 * 60 * 1.5 # 1.5 hours, the default
 
+        # disable repos that are not contactable
+        for repo in self.yumbase.repos.listEnabled():
+            try:
+                repo.repoXML
+            except yum.Errors.RepoError, e:
+                self.yumbase.repos.disableRepo(repo.id)
+
         # should we suggest yum-complete-transaction?
         unfinished = yum.misc.find_unfinished_transactions(yumlibpath=self.yumb
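Review bot: the new `try`/`except yum.Errors.RepoError, e:` loop disables a repo on any metadata fetch failure without telling the user, so a transient outage of `updates` silently narrows the candidate set to older builds, which is exactly the regression this report describes; at minimum emit a user-visible message naming `repo.id` before calling `self.yumbase.repos.disableRepo(repo.id)` (and drop the unused `e` binding), or leave the repo enabled and surface the error so the user can decide. The bare `repo.repoXML` expression statement also reads as a no-op at first glance; a comment noting that it is evaluated for its metadata-fetch side effect would help the next reader.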

Comment 1 Richard Hughes 2009-10-30 09:15:40 UTC
This isn't a security bug. I've talked with Seth about this. I've talked to Matthias about this. It's crazy to prevent any installs if a single repo is not available.

And from a real-life-point-of-view... when was the last time fedora was available but not updates? I think you're making a mountain out of a molehill.

Comment 2 Tomas Hoger 2009-11-03 09:15:18 UTC
What is the plan here?  Will PK get some warning pop-up to notify users when some repo is disabled?  Should this remain private for now, given what's already in public bug 529349?

Comment 3 Richard Hughes 2009-11-03 12:21:50 UTC
Well, we could pop up a warning, although I think that would get pretty irritating and we've been trying to reduce the number of popups on the desktop, not make them happen every few minutes.

I really don't think this bug should be private, or even marked as a security bug.

Comment 4 seth vidal 2009-11-03 14:26:52 UTC
This reminds me of the security bug yum got dinged on last year. Essentially, we need to tell users and make sure they understand when things are inaccessible and that could be keeping them from getting security updates.

Silently disabling and continuing just means they won't know what they are not getting.

Comment 5 Tomas Hoger 2009-11-04 15:40:28 UTC
Opening this bug.

Comment 6 Bug Zapper 2009-11-16 14:36:24 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 12 development cycle.
Changing version to '12'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 7 Richard Hughes 2010-01-05 09:51:26 UTC
commit aa7a41e1e9bde3848885c07c9feb59325c229743
Author: Richard Hughes <richard>
Date:   Tue Jan 5 09:49:38 2010 +0000

    yum: show a message to the user if the repo could not be reached. Fixes rh#531838
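As an added illustration of the behaviour this thread settles on (not the PackageKit code from commit aa7a41e1 or the patch in the description), here is a yum-style repo check that reports unreachable repos through a message callback instead of silently dropping them, plus a toy resolver showing how a silently disabled updates repo yields the older FOO-1; the `FakeRepo` objects, the `RepoError` stand-in, the `message` callback and the integer versions are constructed assumptions.

```python
# Added illustration: report unreachable repos rather than silently disabling them.
# FakeRepo, RepoError and all versions below are constructed sample data, not yum's.

class RepoError(Exception): pass  # stand-in for yum.Errors.RepoError (assumption)

class FakeRepo:
    def __init__(self, repo_id, packages, reachable=True):
        self.id = repo_id
        self.enabled = True
        self._packages = packages      # {package name: integer version}
        self._reachable = reachable

    @property
    def repoXML(self):
        # Mirrors yum: touching repoXML fetches metadata and raises on failure
        if not self._reachable:
            raise RepoError("Cannot retrieve repository metadata for %s" % self.id)
        return "<repomd/>"

    def package_version(self, name):
        return self._packages.get(name)

def disable_unreachable_repos(repos, message):
    """Disable repos whose metadata cannot be fetched, but tell the user first.
    `message` stands in for a user-facing message API (assumption); returns disabled ids."""
    disabled = []
    for repo in [r for r in repos if r.enabled]:
        try:
            repo.repoXML   # evaluated for its metadata-fetch side effect
        except RepoError as e:
            message("repository %s could not be reached and was disabled: %s"
                    % (repo.id, e))
            repo.enabled = False
            disabled.append(repo.id)
    return disabled

def newest_candidate(repos, name):
    """Pick the highest version of `name` offered by any enabled repo."""
    candidates = [(r.package_version(name), r.id) for r in repos
                  if r.enabled and r.package_version(name) is not None]
    return max(candidates) if candidates else None

def demo(updates_reachable):
    # Constructed scenario from the report: FOO-1 in the GA repo, FOO-2 in updates
    repos = [FakeRepo("fedora", {"FOO": 1}),
             FakeRepo("updates", {"FOO": 2}, reachable=updates_reachable)]
    warnings = []
    disabled = disable_unreachable_repos(repos, warnings.append)
    return newest_candidate(repos, "FOO"), disabled, warnings
```

With `updates` reachable the resolver picks FOO-2; with it unreachable the user gets FOO-1 but also a warning naming the repo, which is the difference between the patch in the description and the fix in comment 7.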

Comment 8 Fedora Update System 2010-01-05 11:03:40 UTC
PackageKit-0.5.6-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/PackageKit-0.5.6-1.fc12

Comment 9 Fedora Update System 2010-01-12 23:52:37 UTC
PackageKit-0.5.6-1.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.