I'm not sure why I couldn't convince the security team that this is a security issue. The ability for an attacker to write arbitrary information to your software update database sounds like a pretty darn big security flaw.

Bryan Harris, PE
Research Engineer
Structures and Materials Evaluation Group
University of Dayton Research Institute
bryan.har...@udri.udayton.edu
http://www.udri.udayton.edu/
(937) 229-5561

On Thu, Mar 20, 2014 at 3:04 PM, Bryan Harris <brywilhar...@gmail.com> wrote:

> Even ignoring the fact that this is a huge security issue, a computer
> connecting to free wifi at Starbucks should not irreversibly corrupt the
> update process requiring manual intervention.
>
> Bryan Harris, PE
> Research Engineer
> Structures and Materials Evaluation Group
> University of Dayton Research Institute
> bryan.har...@udri.udayton.edu
> http://www.udri.udayton.edu/
> (937) 229-5561
>
>
> On Thu, Mar 20, 2014 at 3:01 PM, Bryan Harris <brywilhar...@gmail.com> wrote:
>
>> Yes, this bug is a PITA. I can't see why something as important as an
>> update list isn't cryptographically verified. Heck, even a quick md5sum
>> check would catch this 99.99999% of the time.
>>
>> Bryan Harris, PE
>> Research Engineer
>> Structures and Materials Evaluation Group
>> University of Dayton Research Institute
>> bryan.har...@udri.udayton.edu
>> http://www.udri.udayton.edu/
>> (937) 229-5561
>>
>>
>> On Thu, Mar 20, 2014 at 2:17 PM, Monsta <756...@bugs.launchpad.net> wrote:
>>
>>> ** Bug watch added: Debian Bug tracker #710229
>>>    http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=710229
>>>
>>> ** Also affects: apt (Debian) via
>>>    http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=710229
>>>    Importance: Unknown
>>>    Status: Unknown
>>>
>>> --
>>> You received this bug notification because you are subscribed to a
>>> duplicate bug report (1055614).
>>> https://bugs.launchpad.net/bugs/756317
>>>
>>> Title:
>>>   Captive portals may corrupt apt package lists
>>>
>>> Status in "apt" package in Ubuntu:
>>>   Confirmed
>>> Status in "apt" package in Debian:
>>>   Unknown
>>>
>>> Bug description:
>>>   I have an adsl modem which returns an html page if the adsl link is
>>>   broken. This page ends as the content of the apt cache files stored in
>>>   /var/lib/apt/lists, which breaks apt.
>>>
>>>   The only way to make apt work again is to delete all the files stored
>>>   in /var/lib/apt/lists.
>>>
>>> To manage notifications about this bug go to:
>>> https://bugs.launchpad.net/ubuntu/+source/apt/+bug/756317/+subscriptions
>>>
>>
>>
>

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/756317

Title:
  Captive portals may corrupt apt package lists

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/756317/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
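
The symptom in the bug description above, an HTML page saved in place of an index file under /var/lib/apt/lists, can be detected by looking at how each file begins. The shell functions below are an added example, not part of the original thread or of apt; the function names, the `example.invalid` file names and the sample contents are constructed for illustration, and `partial` is the subdirectory apt uses to stage downloads.

```shell
#!/bin/sh
# Added example (not apt code): list files under an apt lists directory whose
# content starts like an HTML page, the symptom described in the bug report.

# True if the first 512 bytes of $1, ignoring whitespace and case, open like HTML.
looks_like_html() {
    LC_ALL=C head -c 512 "$1" 2>/dev/null \
        | LC_ALL=C tr -d '\000 \t\r\n' \
        | LC_ALL=C tr '[:upper:]' '[:lower:]' \
        | LC_ALL=C grep -q -E '^(<!doctypehtml|<html|<head|<\?xml)'
}

# Print each suspect file. Exit status 0 = none found, 1 = at least one found.
# The default path is the one named in the bug report.
scan_lists() {
    dir=${1:-/var/lib/apt/lists}
    hits=0
    for f in "$dir"/* "$dir"/partial/*; do
        [ -f "$f" ] || continue          # skip directories and unmatched globs
        if looks_like_html "$f"; then
            printf '%s\n' "$f"
            hits=$((hits + 1))
        fi
    done
    [ "$hits" -eq 0 ]
}

# Constructed sample data: one normal-looking index, two portal pages saved
# under index file names, and an empty lock file. Prints the directory path.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    mkdir "$d/partial"
    printf 'Package: hello\nVersion: 1.0\n\n' \
        > "$d/example.invalid_dists_stable_main_binary-amd64_Packages"
    printf '\n<!DOCTYPE html>\n<HTML><body>Please log in</body></html>\n' \
        > "$d/example.invalid_dists_stable_Release"
    printf '<html><head><title>Link down</title></head></html>\n' \
        > "$d/partial/example.invalid_dists_stable_InRelease"
    : > "$d/lock"
    printf '%s\n' "$d"
}
```

Running `scan_lists` with no argument checks /var/lib/apt/lists itself; a non-zero exit status means at least one file there begins like an HTML page.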