On Wed, 7 Mar 2012 22:31:18 +0100 Nicolas DEGAND wrote:

> On Wed, 7 Mar 2012 21:11:43 +0100 Francesco Poli wrote:
>
> > On Wed, 07 Mar 2012 20:17:19 +0100 Nicolas DEGAND wrote:
> >
> > > Package: apt-listbugs
> > > Version: 0.1.6
> > > Severity: important
> >
> > Hi Nicolas,
> > thanks for your bug report!
> >
> > >
> > > I try to upgrade packages with aptitude. When it calls apt-listbugs, it
> > > crashes with the following messages:
> > >
> > > Are you sure you want to install/upgrade the above packages? [Y/n/?/...]
> > > /usr/lib/ruby/1.8/open-uri.rb:32:in `initialize': No such device or
> > > address - /dev/tty (Errno::ENXIO)
> > > from /usr/lib/ruby/1.8/open-uri.rb:32:in `open_uri_original_open'
> > > from /usr/lib/ruby/1.8/open-uri.rb:32:in `open'
> > > from /usr/share/apt-listbugs/apt-listbugs/logic.rb:1053:in `tty'
> > > from /usr/share/apt-listbugs/apt-listbugs/logic.rb:1060:in `ask'
> > > from /usr/share/apt-listbugs/apt-listbugs/logic.rb:350:in `view'
> > > from /usr/sbin/apt-listbugs:415
> > > E: Le sous-processus /usr/sbin/apt-listbugs apt || exit 10 a renvoyé un
> > > code d'erreur (10)
> > > E: Failure running script /usr/sbin/apt-listbugs apt || exit 10
> > >
> > > Note that I am unable to answer to the question of the first line.
> > > Everything is outputted in one wave.
> >
> > How are you invoking aptitude?
> > Inside an su -c command as in
> >
> > su -c "aptitude safe-upgrade"
> >
> > by chance?
>
> Using the aptitude ncurses interface (invoking "aptitude") with my usual
> account. I type the root password when asked by aptitude.

Hello Aptitude Development Team, could you please take a look at bug
#662983 ?

I am suspecting that the issue is due to aptitude invoking commands
(that need to be run as root) with an "su -c command".
Do I understand correctly that this is what is done by src/ui.cc:499
of current git master HEAD (commit c3b706f3c921585c70d2fc15d75f0713762efae3)?

    execl(root_program.c_str(), root_program.c_str(), "-c", cmdbuf.str().c_str(), NULL);

If this is confirmed, then I am under the impression that this strategy
causes problems, due to a recently applied security fix for binary
package login: see bug #628843 where CVE-2005-4890 is fixed by removing
from the child process of "su -c command" the ability to open "/dev/tty"
as explained in message #20.

This seems to be confirmed by su man page, which says:

    -c, --command COMMAND
        Specify a command that will be invoked by the shell using its -c.
        The executed command will have no controlling terminal. This option
        cannot be used to execute interractive programs which need a
        controlling TTY.

Well, apt-listbugs needs a controlling TTY for interactive use...

What could be done to make aptitude's ncurses interface and
apt-listbugs work better together?

(A) Should apt-listbugs try harder to detect whether a controlling TTY
is available and switch to a non-interactive failure mode, in case no
controlling TTY may be used?

(B) Could aptitude's ncurses interface behave differently to adapt to
the security fix for CVE-2005-4890? Should I reassign this bug report
(#662983) to aptitude?

Maybe both (A) and (B)?

I would greatly appreciate your advice and help.
Thanks for your time!

--
http://www.inventati.org/frx/frx-gpg-key-transition-2010.txt
New GnuPG key, see the transition document!
..................................................... Francesco Poli .
GnuPG key fpr == CA01 1147 9CD2 EFDF FB82 3925 3E1C 27E1 1F69 BFFE
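
Option (A) from the message above, sketched as an added example; it is not apt-listbugs code and not part of the original e-mail. The names `open_controlling_tty`, `ask_yes_no`, `opener` and `noninteractive_answer` are hypothetical, and answering "no" without a terminal is an assumed fail-closed policy.

```ruby
require "stringio"

# Errors that mean "this process has no usable controlling terminal".
# Errno::ENXIO is the one raised in the backtrace quoted above.
NO_TTY_ERRORS = [Errno::ENXIO, Errno::ENOENT, Errno::EACCES, Errno::ENODEV].freeze

# Returns an IO on the controlling terminal, or nil when there is none
# (for example in the child of "su -c command" after the CVE-2005-4890 fix).
# `opener` is injectable so the failure path can be exercised in tests.
def open_controlling_tty(path = "/dev/tty", opener: File.method(:open))
  opener.call(path, "r+")
rescue *NO_TTY_ERRORS
  nil
end

# Asks a yes/no question. With no terminal it does not crash: it logs why
# no question can be asked and returns the non-interactive answer, which
# defaults to "no" so the package operation is refused, not waved through.
def ask_yes_no(question, input:, output: input, noninteractive_answer: false, log: $stderr)
  if input.nil?
    assumed = noninteractive_answer ? "yes" : "no"
    log.puts "W: no controlling terminal; cannot ask: #{question}"
    log.puts "W: assuming '#{assumed}'"
    return noninteractive_answer
  end
  loop do
    output.print "#{question} [Y/n] "
    line = input.gets
    return noninteractive_answer if line.nil? # EOF: terminal went away
    case line.strip.downcase
    when "", "y", "yes" then return true
    when "n", "no"      then return false
    end # anything else: ask again
  end
end
```

A caller would pass the result of `open_controlling_tty` as `input:` and exit non-zero when `ask_yes_no` returns false, so that apt or aptitude aborts the run cleanly.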

