[Touch-packages] [Bug 1649352] Re: http direct to terminals?

[Launchpad Bug Tracker]

This bug was fixed in the package base-files - 9.6ubuntu9

---------------
base-files (9.6ubuntu9) zesty; urgency=medium

  * Fix LP: #1649352
    - use https://motd.ubuntu.com in the default file
    - enforce that every news server must be https
    - take at most the first 10 lines, and first 80 chars per line
    - remove all control characters (except newline)

 -- Dustin Kirkland <kirkl...@ubuntu.com>  Sat, 17 Dec 2016 09:19:53
-0600

** Changed in: base-files (Ubuntu)
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to base-files in Ubuntu.
https://bugs.launchpad.net/bugs/1649352

Title:
  http direct to terminals?

Status in base-files package in Ubuntu:
  Fix Released

Bug description:
  Hi Dustin,

  Some recent changes introduced what looks to be a serious problem:

  http://launchpadlibrarian.net/296647523/base-
  files_9.6ubuntu7_9.6ubuntu8.diff.gz

  -SERVER="https://motd.ubuntu.com";
  +# White space separated list of 0 to many news services
  +SERVER="http://motd.ubuntu.com";
  [...]
  +     if curl --connect-timeout "$WAIT" --max-time "$WAIT" -A "$USER_AGENT" 
-o- "$s" >"$NEWS" 2>"$ERR"; then
  +             echo
  +             # At most, 2 lines of at most 80 characters
  +             cat "$NEWS" | tail -n 2 | cut -c -80

  This allows any network man-in-the-middle attacker, DNS response
  forger, or BGP forger, to write 160 raw bytes directly to terminals.

  The previous version wasn't good (open for abuse by anyone who could
  trick one of the myriad x.509 Certificate Authorities to mis-issue a
  certificate) but this version is open for abuse by significantly more
  attackers.

  While most terminals are reasonably safe against outright
  maliciousness this has been a recurring exploitation theme for twenty
  years, and even what is "safe" for them to display could be wildly
  confusing to users unfamiliar with maliciously controlled terminals.
  (And users have wide tastes in terminals, some are fairly brittle.)

  cat(1) does not do any filtering for 'safe' display of arbitrary
  inputs. less(1) does, assuming -r is not in LESS environment variable
  or the less(1) command line. If you wish to keep the pipeline, perhaps
  tr(1)'s -d flag could be useful.

  On a related note, is there a reason why the motd.ubuntu.com server
  can't do HTTPS?

  Thanks

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/base-files/+bug/1649352/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp