** Description changed: [Impact] When using an affected version of uaclient (any beta of v27) and using the `fix` command, the user could be shown a misleading message. Specifically, if the users machine has the system reboot required flag set, and then they use the `ua fix` command, uaclient will say that a reboot is required to complete the fix, even if that is not true. [Test case] To reproduce: 1. Launch a container: using focal here as an example + lxc launch ubuntu-daily:focal dev-f + + 2. Add the uaclient staging ppa: https://launchpad.net/~ua-client/+archive/ubuntu/staging + add-apt-repository ppa:ua-client/staging + apt-get update + + 3. Install version 27 beta 3 + apt install ubuntu-advantage-tools=27.0~20.04.1~beta3 + + 4. Make sure you have the latest version of curl installed + apt install curl + + 5. Touch the reboot-required file + sudo touch /var/run/reboot-required + + 6. Attempt to fix https://ubuntu.com/security/notices/USN-4898-1 + ua fix USN-4898-1 + + 7. See a message like this + + USN-4898-1: curl vulnerabilities + Found CVEs: + https://ubuntu.com/security/CVE-2021-22890 + https://ubuntu.com/security/CVE-2021-22876 + 1 affected package is installed: curl + (1/1) curl: + A fix is available in Ubuntu standard updates. + The update is already installed. + A reboot is required to complete fix operation. + ✘ USN-4898-1 is not resolved. + + + To see fixed version: + + 1. Launch a container: using focal here as an example lxc launch ubuntu-daily:focal dev-f - 2. Add the uaclient staging ppa: https://launchpad.net/~ua-client/+archive/ubuntu/staging - add-apt-repository ppa:ua-client/staging + 2. Add this ppa that contains the unreleased fix for this bug: https://launchpad.net/~orndorffgrant/+archive/ubuntu/uaclient-staging-27 + add-apt-repository ppa:orndorffgrant/uaclient-staging-27 apt-get update - 3. Install version 27 beta 3 - apt install ubuntu-advantage-tools=27.0~18.04.1~beta3 + 3. Install version 27 + apt install ubuntu-advantage-tools 4. 
Make sure you have the latest version of curl installed apt install curl 5. Touch the reboot-required file sudo touch /var/run/reboot-required 6. Attempt to fix https://ubuntu.com/security/notices/USN-4898-1 ua fix USN-4898-1 7. See a message like this TODO + [Where problems could occur] TODO [Discussion] TODO [Original Report] root@malefic:~# ua fix CVE-2021-3410 CVE-2021-3410: libcaca vulnerability https://ubuntu.com/security/CVE-2021-3410 1 affected package is installed: libcaca (1/1) libcaca: A fix is available in Ubuntu standard updates. The update is already installed. A reboot is required to complete fix operation. ✘ CVE-2021-3410 is not resolved. root@malefic:~# The line 'A reboot is required to complete fix operation.' may be partially true (i.e. a reboot is needed) for other reasons, but is not accurate in the context of this CVE. Both 'checkrestart' and 'needrestart' confirm that no running process is using the caca library. Looking at the code, it looks like it's looking at a global 'needs reboot' flag, unrelated to the specific fix operation. I'd argue that a) it shouldn't say 'to complete fix operation' and b) it shouldn't claim 'CVE-2021-3410 is not resolved'.
** Description changed: [Impact] When using an affected version of uaclient (any beta of v27) and using the `fix` command, the user could be shown a misleading message. Specifically, if the users machine has the system reboot required flag set, and then they use the `ua fix` command, uaclient will say that a reboot is required to complete the fix, even if that is not true. [Test case] To reproduce: 1. Launch a container: using focal here as an example lxc launch ubuntu-daily:focal dev-f 2. Add the uaclient staging ppa: https://launchpad.net/~ua-client/+archive/ubuntu/staging add-apt-repository ppa:ua-client/staging apt-get update 3. Install version 27 beta 3 apt install ubuntu-advantage-tools=27.0~20.04.1~beta3 4. Make sure you have the latest version of curl installed apt install curl 5. Touch the reboot-required file sudo touch /var/run/reboot-required 6. Attempt to fix https://ubuntu.com/security/notices/USN-4898-1 ua fix USN-4898-1 7. See a message like this USN-4898-1: curl vulnerabilities Found CVEs: https://ubuntu.com/security/CVE-2021-22890 https://ubuntu.com/security/CVE-2021-22876 1 affected package is installed: curl (1/1) curl: A fix is available in Ubuntu standard updates. The update is already installed. A reboot is required to complete fix operation. ✘ USN-4898-1 is not resolved. - To see fixed version: + To see the fixed version: 1. Launch a container: using focal here as an example - lxc launch ubuntu-daily:focal dev-f + lxc launch ubuntu-daily:focal dev-f 2. Add this ppa that contains the unreleased fix for this bug: https://launchpad.net/~orndorffgrant/+archive/ubuntu/uaclient-staging-27 - add-apt-repository ppa:orndorffgrant/uaclient-staging-27 - apt-get update + add-apt-repository ppa:orndorffgrant/uaclient-staging-27 + apt-get update 3. Install version 27 - apt install ubuntu-advantage-tools + apt install ubuntu-advantage-tools 4. Make sure you have the latest version of curl installed - apt install curl + apt install curl 5. 
Touch the reboot-required file - sudo touch /var/run/reboot-required + sudo touch /var/run/reboot-required 6. Attempt to fix https://ubuntu.com/security/notices/USN-4898-1 - ua fix USN-4898-1 + ua fix USN-4898-1 7. See a message like this - TODO + USN-4898-1: curl vulnerabilities + Found CVEs: + https://ubuntu.com/security/CVE-2021-22890 + https://ubuntu.com/security/CVE-2021-22876 + 1 affected package is installed: curl + (1/1) curl: + A fix is available in Ubuntu standard updates. + The update is already installed. + ✔ USN-4898-1 is resolved. [Where problems could occur] TODO [Discussion] TODO [Original Report] root@malefic:~# ua fix CVE-2021-3410 CVE-2021-3410: libcaca vulnerability https://ubuntu.com/security/CVE-2021-3410 1 affected package is installed: libcaca (1/1) libcaca: A fix is available in Ubuntu standard updates. The update is already installed. A reboot is required to complete fix operation. ✘ CVE-2021-3410 is not resolved. root@malefic:~# The line 'A reboot is required to complete fix operation.' may be partially true (i.e. a reboot is needed) for other reasons, but is not accurate in the context of this CVE. Both 'checkrestart' and 'needrestart' confirm that no running process is using the caca library. Looking at the code, it looks like it's looking at a global 'needs reboot' flag, unrelated to the specific fix operation. I'd argue that a) it shouldn't say 'to complete fix operation' and b) it shouldn't claim 'CVE-2021-3410 is not resolved'. ** Description changed: [Impact] When using an affected version of uaclient (any beta of v27) and using the `fix` command, the user could be shown a misleading message. Specifically, if the users machine has the system reboot required flag set, and then they use the `ua fix` command, uaclient will say that a reboot is required to complete the fix, even if that is not true. [Test case] To reproduce: 1. Launch a container: using focal here as an example lxc launch ubuntu-daily:focal dev-f 2. 
Add the uaclient staging ppa: https://launchpad.net/~ua-client/+archive/ubuntu/staging add-apt-repository ppa:ua-client/staging apt-get update 3. Install version 27 beta 3 apt install ubuntu-advantage-tools=27.0~20.04.1~beta3 4. Make sure you have the latest version of curl installed apt install curl 5. Touch the reboot-required file sudo touch /var/run/reboot-required 6. Attempt to fix https://ubuntu.com/security/notices/USN-4898-1 ua fix USN-4898-1 7. See a message like this USN-4898-1: curl vulnerabilities Found CVEs: https://ubuntu.com/security/CVE-2021-22890 https://ubuntu.com/security/CVE-2021-22876 1 affected package is installed: curl (1/1) curl: A fix is available in Ubuntu standard updates. The update is already installed. A reboot is required to complete fix operation. ✘ USN-4898-1 is not resolved. - To see the fixed version: 1. Launch a container: using focal here as an example lxc launch ubuntu-daily:focal dev-f 2. Add this ppa that contains the unreleased fix for this bug: https://launchpad.net/~orndorffgrant/+archive/ubuntu/uaclient-staging-27 add-apt-repository ppa:orndorffgrant/uaclient-staging-27 apt-get update 3. Install version 27 apt install ubuntu-advantage-tools 4. Make sure you have the latest version of curl installed apt install curl 5. Touch the reboot-required file sudo touch /var/run/reboot-required 6. Attempt to fix https://ubuntu.com/security/notices/USN-4898-1 ua fix USN-4898-1 7. See a message like this USN-4898-1: curl vulnerabilities Found CVEs: https://ubuntu.com/security/CVE-2021-22890 https://ubuntu.com/security/CVE-2021-22876 1 affected package is installed: curl (1/1) curl: A fix is available in Ubuntu standard updates. The update is already installed. ✔ USN-4898-1 is resolved. - [Where problems could occur] TODO [Discussion] - TODO + This bug doesn't actually exist outside of the v27 betas in the ua- + client/staging ppa. 
The number of users affected by this bug is very low + and almost entirely limited to those who were deliberately testing the + v27 betas. Because of this, the risk associated with fixing this bug is + predicted to be very low. [Original Report] root@malefic:~# ua fix CVE-2021-3410 CVE-2021-3410: libcaca vulnerability https://ubuntu.com/security/CVE-2021-3410 1 affected package is installed: libcaca (1/1) libcaca: A fix is available in Ubuntu standard updates. The update is already installed. A reboot is required to complete fix operation. ✘ CVE-2021-3410 is not resolved. root@malefic:~# The line 'A reboot is required to complete fix operation.' may be partially true (i.e. a reboot is needed) for other reasons, but is not accurate in the context of this CVE. Both 'checkrestart' and 'needrestart' confirm that no running process is using the caca library. Looking at the code, it looks like it's looking at a global 'needs reboot' flag, unrelated to the specific fix operation. I'd argue that a) it shouldn't say 'to complete fix operation' and b) it shouldn't claim 'CVE-2021-3410 is not resolved'.
--
https://bugs.launchpad.net/bugs/1926183
Title: 'ua fix' tells me to reboot with inaccurate message
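Review bot: step 3 of the "To see fixed version" steps added in the first description change runs `apt install ubuntu-advantage-tools` with no version, while the reproduce steps pin `ubuntu-advantage-tools=27.0~20.04.1~beta3`, so the test case does not record which build produced the passing `✔ USN-4898-1 is resolved.` output. Suggest pinning the version taken from ppa:orndorffgrant/uaclient-staging-27, or adding the output of `apt policy ubuntu-advantage-tools` after step 3 so the verified build is on record.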
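Review bot: `[Where problems could occur]` still reads `TODO` after the third description change, while the only risk statement ("the risk associated with fixing this bug is predicted to be very low") was added under `[Discussion]`. Suggest filling `[Where problems could occur]` with the concrete regression to watch for, for example a `ua fix` run that upgrades a package and does need a reboot but no longer prints the reboot line, and keeping `[Discussion]` for the scope note about the v27 betas in the ua-client/staging ppa.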