Public bug reported:

As discovered in CVE-2012-0949 and CVE-2012-0950, update-manager was attaching usernames and passwords for apt sources entries in the system state information. update-manager utilizes the python implementation of apt-clone to add information about the system state. The save state function of AptClone should have an option to remove usernames and passwords so that update-manager can include this essential information again.

[Impact]
It can be challenging to debug distribution upgrade bug reports without information regarding apt's state on the system trying to be upgraded. apt-clone can provide useful information to facilitate debugging these bugs, so we should include it. While this is fixed in Quantal already, we want to be able to help people upgrading to Quantal, so we should include this fix in Precise.

[Test Case]
1) Create a file /etc/apt/sources.list.d/my-ppa.list with a line like so:
   'deb http://bdmurray:[email protected]/bdmurray/hda/ubuntu precise main'
2) Execute save-state.py attached to this bug report.
3) You'll have two files in /tmp/: unscrubbed-apt-clone_system_state.tar.gz and scrubbed-apt-clone_system_state.tar.gz

With the version of apt-clone in precise, the contents of both tar.gz's will be the same and you'll see your username and password in them. With the version of apt-clone from precise-proposed, the content of tar.gz's will be different and in the scrubbed-apt-clone you will not see the username and password; instead they will be replaced with USERNAME:PASSWORD.

[Regression Potential]
None with apt-clone itself, as scrub_sources defaults to False. The possibility for a regression exists with the update to update-manager.

** Affects: apt-clone (Ubuntu)
   Importance: Medium
   Status: Fix Released

** Affects: apt-clone (Ubuntu Precise)
   Importance: High
   Assignee: Brian Murray (brian-murray)
   Status: In Progress

https://bugs.launchpad.net/bugs/1029021

Title: python implementation of apt-clone should remove usernames and passwords
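
The test case above compares a scrubbed and an unscrubbed state tarball by eye. The following added example (not apt-clone's code and not the save-state.py attached to the bug) shows one way to scrub the userinfo part of sources entries and to audit a state tarball for entries that still carry credentials. The function names, the regular expression, the archive layout and the sample host and credentials are assumptions constructed for illustration.

```python
import io
import re
import tarfile

# userinfo part of a URI: scheme://user[:password]@host
_USERINFO = re.compile(r"(?P<scheme>\b[a-z][a-z0-9+.-]*://)(?P<userinfo>[^/\s@]+)@", re.I)
PLACEHOLDER = "USERNAME:PASSWORD"  # replacement text named in the bug report


def scrub(text):
    """Replace any userinfo in sources entries with the placeholder."""
    return _USERINFO.sub(lambda m: m.group("scheme") + PLACEHOLDER + "@", text)


def leaked_entries(tar_bytes):
    """Return (member, line_no) for each archived line that still carries credentials."""
    hits = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            # Read in memory only; nothing is extracted to disk.
            text = tar.extractfile(member).read().decode("utf-8", "replace")
            for no, line in enumerate(text.splitlines(), 1):
                if any(m.group("userinfo") != PLACEHOLDER for m in _USERINFO.finditer(line)):
                    hits.append((member.name, no))
    return hits


def make_state_tarball(files):
    """Build an in-memory tar.gz from {name: text}; a stand-in for a saved state."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, text in files.items():
            data = text.encode()
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample sources entries (host and credentials are made up).
SAMPLE = (
    "# private archive\n"
    "deb [arch=amd64] https://alice:s3cret@ppa.example.invalid/ubuntu precise main\n"
    "deb http://archive.ubuntu.com/ubuntu precise main\n"
)
NAME = "etc/apt/sources.list.d/my-ppa.list"
UNSCRUBBED = make_state_tarball({NAME: SAMPLE})
SCRUBBED = make_state_tarball({NAME: scrub(SAMPLE)})
```

Running leaked_entries() over a state tarball before it is attached to a report gives an automated version of step 3: an empty list means no sources entry in the archive still contains a username or password.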
