Bug 531838 - Recent PK update will silently install insecure packages
Summary: Recent PK update will silently install insecure packages
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: PackageKit
Version: 12
Hardware: All
OS: Linux
low
high
Target Milestone: ---
Assignee: Richard Hughes
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2009-10-29 16:08 UTC by James Antill
Modified: 2014-01-21 06:15 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2010-01-05 09:51:26 UTC
Type: ---
Embargoed:



Description James Antill 2009-10-29 16:08:05 UTC
Description of problem:

 To "work around" BZ 529349 a recent PK patch _silently_ disables any remote repos. which can't be reached.
 This means that if a user tells PK to "install FOO" where FOO-1 was in Fedora 11 GA, and had a security bug in it, and FOO-2 is in updates ... PK could now silently install FOO-1.

 This is somewhat mitigated due to yum's behaviour of only throwing the error in bug 529349 when it has no repodata for a repo. and can't reach it. So the security problem is mostly limited to new installs and people who have done "yum clean all" type operations.

Version-Release number of selected component (if applicable):

http://kojipkgs.fedoraproject.org/packages/PackageKit/0.5.4/0.1.20091029git.fc12/

 Which contains the upstream patch:

commit 17cf7c2bfadef59690c0c96a6af18ae2fb3430a2
Author: Richard Hughes <richard>
Date:   Tue Oct 20 15:47:36 2009 +0100

    yum: disable repos that are not contactable

diff --git a/backends/yum/yumBackend.py b/backends/yum/yumBackend.py
index 8632e53..5625089 100755
--- a/backends/yum/yumBackend.py
+++ b/backends/yum/yumBackend.py
@@ -2667,6 +2667,13 @@ class PackageKitYumBackend(PackageKitBaseBackend, Package
                     continue
                 repo.metadata_expire = 60 * 60 * 1.5 # 1.5 hours, the default
 
+        # disable repos that are not contactable
+        for repo in self.yumbase.repos.listEnabled():
+            try:
+                repo.repoXML
+            except yum.Errors.RepoError, e:
+                self.yumbase.repos.disableRepo(repo.id)
+
         # should we suggest yum-complete-transaction?
         unfinished = yum.misc.find_unfinished_transactions(yumlibpath=self.yumb
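Review bot: the new `except yum.Errors.RepoError, e:` branch disables the repo and then discards the error entirely; `e` is bound but never logged, and nothing is returned to the front end, so the user gets no indication that a repo was dropped before resolution ran. Because this loop runs before depsolving, any package whose current build lives only in a now-disabled repo (the updates-only FOO-2 case in the description) will be resolved from whatever repos remain, with no signal that a newer or security-fixed build exists. At minimum the branch should record the error (`self.error`/`self.message` style reporting, as the follow-up in comment 7 does with "show a message to the user if the repo could not be reached") and hand the list of disabled repo ids back so the client can surface it, rather than `disableRepo(repo.id)` alone.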
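The failure mode James describes in the report, modelled as a small added example. This is not PackageKit or yum code; it is a stand-in resolver with constructed repo data (a `fedora` repo carrying FOO-1 and an `updates` repo carrying FOO-2) and a `reachable` flag that plays the role of `repo.repoXML` succeeding or raising. `resolve_silent` mirrors the quoted patch (drop unreachable repos, say nothing), and `resolve_with_notice` shows the shape of the later fix: the same skip, but the skipped repo ids are returned so a front end can tell the user what it did not see.

```python
"""Model of the bug: silently dropping an unreachable repo lets
"install FOO" resolve to an older build that only the base repo carries.

Added illustration, not PackageKit/yum code. Repo names, versions and the
`reachable` flag below are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass
class Repo:
    id: str
    reachable: bool                                  # stand-in for repo.repoXML working
    packages: dict = field(default_factory=dict)     # package name -> version (int)


class RepoUnreachable(Exception):
    """Stand-in for yum.Errors.RepoError."""


def fetch_metadata(repo):
    """Stand-in for touching `repo.repoXML`: raises when the mirror is unreachable."""
    if not repo.reachable:
        raise RepoUnreachable(repo.id)
    return repo.packages


def _pick_highest(candidates):
    """Return (repo_id, version) with the highest version, or None."""
    return max(candidates, key=lambda c: c[1]) if candidates else None


def resolve_silent(repos, name):
    """Behaviour of the quoted commit: unreachable repos are disabled without
    telling anyone, and resolution proceeds with whatever is left."""
    candidates = []
    for repo in repos:
        try:
            pkgs = fetch_metadata(repo)
        except RepoUnreachable:
            continue                                 # silently dropped
        if name in pkgs:
            candidates.append((repo.id, pkgs[name]))
    return _pick_highest(candidates)


def resolve_with_notice(repos, name):
    """Shape of the follow-up fix (comment 7): still skip unreachable repos,
    but return their ids alongside the result so the user can be told.
    Returns (best, skipped_repo_ids)."""
    candidates, skipped = [], []
    for repo in repos:
        try:
            pkgs = fetch_metadata(repo)
        except RepoUnreachable:
            skipped.append(repo.id)                  # remembered, not hidden
            continue
        if name in pkgs:
            candidates.append((repo.id, pkgs[name]))
    return _pick_highest(candidates), skipped


# Constructed scenario from the report: FOO-1 (vulnerable) in the GA repo,
# FOO-2 (fixed) only in updates, and updates currently unreachable.
SAMPLE_REPOS = [
    Repo("fedora", reachable=True, packages={"FOO": 1}),
    Repo("updates", reachable=False, packages={"FOO": 2}),
]


if __name__ == "__main__":
    print("silent:     ", resolve_silent(SAMPLE_REPOS, "FOO"))
    best, skipped = resolve_with_notice(SAMPLE_REPOS, "FOO")
    print("with notice:", best, "skipped repos:", skipped)
```

With the sample data both resolvers install FOO-1 from `fedora`; the difference is that the second one also reports `['updates']` as skipped, which is the information a client needs to warn that the result may be missing security updates. With `updates` reachable, both pick FOO-2.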

Comment 1 Richard Hughes 2009-10-30 09:15:40 UTC
This isn't a security bug. I've talked with Seth about this. I've talked to Matthias about this. It's crazy to prevent any installs if a single repo is not available.

And from a real-life-point-of-view... when the last time fedora was available but not updates? I think you're making a mountain out of a molehill.

Comment 2 Tomas Hoger 2009-11-03 09:15:18 UTC
What is the plan here?  Will PK get some warning pop-up to notify users when some repo is disabled?  Should this remain private for now, given what's already in public bug 529349?

Comment 3 Richard Hughes 2009-11-03 12:21:50 UTC
Well, we could pop up a warning, although I think that would get pretty irritating and we've been trying to reduce the number of popups on the desktop, not make them happen every few minutes.

I really don't think this bug should be private, or even marked as a security bug.

Comment 4 seth vidal 2009-11-03 14:26:52 UTC
This reminds me of the security bug yum got dinged on last year. Essentially, we need to tell users and make sure they understand when things are inaccessible and that could be keeping them from getting security updates.

Silently disabling and continuing just means they won't know what they are not getting.

Comment 5 Tomas Hoger 2009-11-04 15:40:28 UTC
Opening this bug.

Comment 6 Bug Zapper 2009-11-16 14:36:24 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 12 development cycle.
Changing version to '12'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 7 Richard Hughes 2010-01-05 09:51:26 UTC
commit aa7a41e1e9bde3848885c07c9feb59325c229743
Author: Richard Hughes <richard>
Date:   Tue Jan 5 09:49:38 2010 +0000

    yum: show a message to the user if the repo could not be reached. Fixes rh#531838

Comment 8 Fedora Update System 2010-01-05 11:03:40 UTC
PackageKit-0.5.6-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/PackageKit-0.5.6-1.fc12

Comment 9 Fedora Update System 2010-01-12 23:52:37 UTC
PackageKit-0.5.6-1.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

