This bug was fixed in the package ubuntu-advantage-tools - 30~16.04

---------------
ubuntu-advantage-tools (30~16.04) xenial; urgency=medium

  * Backport new upstream release to xenial (LP: #2038461)

ubuntu-advantage-tools (30) noble; urgency=medium

  * d/control:
    - add python3-apt as a build dependency
    - add the new ubuntu-pro-client-l10n binary package
    - recommend installing ubuntu-pro-client-l10n
  * d/po/*:
    - Makefile to build localization files to debian/po/usr/share/locale/
    - update POTFILES.in to cover all translatable messages
    - remove old unused pot file
    - add new complete pot file for "ubuntu-pro" domain
    - add first Brazilian Portuguese translations
  * d/rules:
    - add step to build the translations
  * d/tests/control:
    - mark autopkgtests as superficial (GH: #2609)
  * d/ubuntu-advantage-tools.maintscript:
    - remove /etc/ubuntu-advantage/help_data.yaml
  * d/ubuntu-pro-client-l10n.install:
    - add install file for the new binary package
  * New upstream release 30 (LP: #2038461)
    - api:
      + add new backwards compatible plan steps to the v1 fix plan endpoints
      + improve information returned from the fix plan endpoints
      + new endpoint: u.pro.security.fix.cve.execute.v1
      + new endpoint: u.pro.security.fix.usn.execute.v1
    - apt: improve performance and consistency by refactoring the code to
      use the apt_pkg module
    - auto-attach: add newline to the MOTD message to separate it from
      other MOTD messages
    - contract: send information about variants to the contracts server
    - enable: update only service specific apt sources when enabling a
      service (GH: #1311) (GH: #1482)
    - esm: create static files to pin packages from esm-infra and esm-apps
      with higher priority (GH: #2580)
    - disable:
      + (experimental) add the --purge flag to the disable command, so
        users can remove all service related packages when disabling a
        service
      + show extra warnings when kernels are involved in the purge
        operation
    - files: Reduce race window when creating new files (LP: #2024204)
    - fips: add support to Jammy to prepare for when it is available
    - fips-preview:
      + add fips-preview as a new entitlement
    - github: add issue templates (GH: #2646)
    - internationalization:
      + add general internationalization support and templates
      + add initial sentence set for Brazilian Portuguese
    - logging:
      + add journald logging for the daemon and systemd timer
      + remove daemon and timer log files
      + standardize the logging calls through the codebase (GH: #2632)
    - systemd: change ubuntu-advantage.service type from 'notify' to
      'simple', dropping the dependency on python3-systemd (LP: #2038417)
      (GH: #2692)
    - tests:
      + add scenarios where cloud-init is present but disabled
        (LP: #1938208)
      + change 'permission' to 'priority' when checking apt priority in
        tests (GH: #2719)

 -- Renan Rodrigo <renanrodr...@canonical.com>  Tue, 07 Nov 2023 16:23:34 +0200

** Changed in: ubuntu-advantage-tools (Ubuntu Xenial)
       Status: Fix Committed => Fix Released

--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/2024204

Title:
  Hardcoded path in /tmp written to by root

Status in ubuntu-advantage-tools package in Ubuntu:
  Fix Released
Status in ubuntu-advantage-tools source package in Xenial:
  Fix Released
Status in ubuntu-advantage-tools source package in Bionic:
  Fix Released
Status in ubuntu-advantage-tools source package in Focal:
  Fix Released
Status in ubuntu-advantage-tools source package in Jammy:
  Fix Released
Status in ubuntu-advantage-tools source package in Lunar:
  Fix Released
Status in ubuntu-advantage-tools source package in Mantic:
  Fix Released

Bug description:
  [ Impact ]

  Several race conditions were found in the u-a-t code, some where a
  file was being written in a hardcoded path in /tmp. This could leave
  way for attackers to insert malicious code in the client.

  [ Test Plan ]

  Functionality-wise, writing files is tested in the unit and
  integration tests for ubuntu-advantage-tools, and should be covered in
  the verification of
  https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/2038461

  As for this specific bug, one can verify that the /tmp path does not
  exist anymore, and check the change in the code to see how the race
  condition was addressed.

  [ Where problems could occur ]

  The race conditions were addressed with try-except blocks in python,
  so it is low risk as any exploit would be against python itself. The
  other problematic parts of the code are removed/moved and
  functionality is covered by tests, so no problem there.

  The risk we considered is that other flaws may be present and we may
  not have caught those as part of the discussions here. To mitigate
  that, we keep our tests up-to-date and try to improve code quality in
  each and every PR.

  [ Original Description ]

  I'm basing this report on src:ubuntu-advantage-tools 27.14.4 in Lunar.

  In uaclient/livepatch.py, state_files.livepatch_support_cache.write()
  via uaclient/files/state_files.py [livepatch_support_cache =
  DataObjectFile(directory=defaults.UAC_TMP_PATH)] via
  uaclients/defaults.py [UAC_TMP_PATH = "/tmp/ubuntu-advantage/"] writes
  to /tmp/ubuntu-advantage at a predictable path. It does rename the
  file in safely. An attacker could use a symlink attack to cause that
  to happen somewhere else though, I think?

  I don't see a clear path to a serious vulnerability, but I think it
  probably deserves a deeper look.

  This code is going away in an upcoming update to this package. I
  noticed it while reviewing this code being removed. But depending on
  its actual severity it might be worth a USN, so I'm flagging it here.
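
The symlink concern raised in the report, next to a write pattern that is not affected by it, as an added example (not code from ubuntu-advantage-tools or from its fix). The file names are constructed, and everything runs inside a scratch directory that is given the same mode as /tmp.

```python
import os
import shutil
import stat
import tempfile


def naive_write(path, data):
    """Pattern from the report: open() on a predictable name follows symlinks."""
    with open(path, "w") as f:
        f.write(data)


def safe_write(path, data):
    """Write to a unique O_EXCL temp file beside `path`, then rename over it."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".tmp-")  # created 0600
    try:
        with os.fdopen(fd, "w") as f:
            f.write(data)
        os.replace(tmp, path)  # rename(2) replaces a symlink itself, not its target
    except BaseException:
        if os.path.lexists(tmp):
            os.unlink(tmp)
        raise


def world_writable(directory):
    """True if any local user may create entries (for example symlinks) here."""
    return bool(os.stat(directory).st_mode & stat.S_IWOTH)


def demo():
    """Run both writers against a pre-planted symlink in a scratch directory."""
    d = tempfile.mkdtemp()
    try:
        os.chmod(d, 0o1777)  # same mode as /tmp
        victim = os.path.join(d, "victim.conf")        # constructed stand-in target
        cache = os.path.join(d, "support-cache.json")  # constructed predictable name
        os.symlink(victim, cache)
        results = {"dir_world_writable": world_writable(d)}
        for name, writer in (("naive", naive_write), ("safe", safe_write)):
            with open(victim, "w") as f:
                f.write("original")
            writer(cache, "{}")
            with open(victim) as f:
                results[name + "_target"] = f.read()
        results["cache_is_symlink"] = os.path.islink(cache)
        return results
    finally:
        shutil.rmtree(d)
```

The rename protects only the final path component, so a privileged writer should still keep its state directory out of world-writable locations, which is what `world_writable()` checks for.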