Secure testing team - Apr 2009 - Bug#523213: /etc/cron.daily/apt does not check return code of date

Package: apt
Version: 0.7.20.2
Severity: grave
Tags: security patch
Justification: user security hole

The following is also being sent to oss-security at lists.openwall.com for
a CVE request.

Summary
-------
Systems in certain timezones with automatic updates enabled won''t be
upgraded on the first day of DST and some systems in affected timezones
could end up with automatic updates being disabled permanently. Normal
usage of apt is not affected.

Discovery credited to: Alexandre Martani

Public bug: https://launchpad.net/bugs/354793

The Problem
-----------
The problem arises because the date command errors out on dates/times
that are invalid. Eg, DST starts at 03:00 in the Central time zone of
the US:

$ date --date="2009-03-08 02:00:00"
date: invalid date `2009-03-08 02:00:00''

This is fine and in and of itself not a problem. However,
/etc/cron.daily/apt has:
    stamp=$(date --date=$(date -r $stamp --iso-8601) +%s)
    now=$(date --date=$(date --iso-8601) +%s)

''--iso-8601'' creates dates of the form YYYY-MM-DD. Since this
is then
fed into the date command, the hour, minute and second all default to
0. Some timezones start their DST at midnight, with America/Sao_Paulo as
one example. Eg, on a system configured to use the America/Sao_Paulo
timezone:

$ date --date=2009-10-18
date: invalid date `2009-10-18''

This condition causes ''delta=$(($now-$stamp))'' in
check_stamp() to fail
when $stamp is empty (returning non-zero) or for when $now is empty,
''$delta -ge $interval'' evaluates to false because delta is
negative
(return non-zero). Either condition results in all or part of the
automatic update process to not be performed.

Affected Users
--------------
For users in timezones with DST starting at midnight with automatic
updates enabled, this can lead to the following error conditions:

1. /etc/cron.daily/apt is run on the first day of the DST, resulting in
''$delta -ge $interval'' being negative because
''now'' is empty and the
automatic update is not run. The timestamps are not updated, so the
automatic update will occur normally the following day.

2. /etc/cron.daily/apt is run late in the day on the day prior to DST
(eg 23:59 on 2009-10-17) and finishes on the day of DST (eg one minute
later, at 01:00 on 2009-10-18). This will update the stamp files to have
the date of the DST. At this point, apt cannot recover and automatic
updates are disabled until manually updating/removing the stamp files.

3. A user using a non-affected timezone and has /etc/cron.daily/apt run
normally on the day of the DST. Sometime after that, but before
/etc/cron.daily/apt runs again, the user changes her timezone to an
affected timezone. At this point, apt cannot recover and automatic
updates are disabled until manually updating/removing the stamp files.

While all users in scenario ''1'' are affected, they will
eventually get
their updates. Though the number of users in ''2'' and
especially ''3'' are
presumed low, the impact for these users is very high, since the
expected, automatic security updates will never be applied.


The Fix
-------
The fix is simply to check the return codes of date, and return
''0'' if
the date for ''now'' fails, and remove the bad stamp file and
return ''0''
if the date for ''stamp'' fails. A patch is attached to the
Ubuntu bug,
though I have contacted the Debian and Ubuntu maintainer directly and he
is working on an update for the development releases of Debian and
Ubuntu.

Thanks,
Jamie


-- Package-specific info:

-- (no /etc/apt/preferences present) --


-- (/etc/apt/sources.list present, but not submitted) --


-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, ''unstable'')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.28-11-generic (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages apt depends on:
ii  debian-archive-keyring        2009.01.31 GnuPG archive keys of the Debian a
ii  libc6                         2.9-7      GNU C Library: Shared libraries
ii  libgcc1                       1:4.3.3-5  GCC support library
ii  libstdc++6                    4.3.3-5    The GNU Standard C++ Library v3

apt recommends no packages.

Versions of packages apt suggests:
pn  apt-doc                       <none>     (no description available)
pn  aptitude | synaptic | gnome-a <none>     (no description available)
ii  bzip2                         1.0.5-1    high-quality block-sorting file co
ii  dpkg-dev                      1.14.25    Debian package development tools
ii  lzma                          4.43-14    Compression method of 7z format in
pn  python-apt                    <none>     (no description available)

-- no debconf information
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 354793_v2.patch
Type: text/x-diff
Size: 1307 bytes
Desc: not available
URL:
<http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20090408/874ba831/attachment-0001.patch>