apt-listchanges causes update-manager to appear to hang

Bug #995195 reported by Malcolm Scott
This bug affects 32 people
Affects Status Importance Assigned to Milestone
apt-listchanges (Ubuntu)
update-manager (Ubuntu)

Bug Description

If apt-listchanges is configured to show package changelogs, update-manager displays them in 'less' in a hidden terminal which waits for the user to quit and continue. There is no indication in update-manager that something off-screen is waiting for input. The only status message reads "Applying changes".

To continue, the user must click 'Details' then interact with apt-listchanges in the terminal.

Screenshots attached.

ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: update-manager 1:
ProcVersionSignature: Ubuntu 3.2.0-24.37-generic 3.2.14
Uname: Linux 3.2.0-24-generic x86_64
NonfreeKernelModules: nvidia
ApportVersion: 2.0.1-0ubuntu7
Architecture: amd64
Date: Sat May 5 18:51:55 2012
 com.ubuntu.update-manager check-new-release-ignore 'oneiric'
 com.ubuntu.update-manager first-run false
 com.ubuntu.update-manager launch-time 1336240007
 com.ubuntu.update-manager window-height 600
 com.ubuntu.update-manager window-width 600
PackageArchitecture: all
SourcePackage: update-manager
UpgradeStatus: Upgraded to precise on 2012-05-03 (2 days ago)

Malcolm Scott (malcscott) wrote :
Changed in update-manager (Ubuntu):
status: New → Triaged
importance: Undecided → High
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in apt-listchanges (Ubuntu):
status: New → Confirmed
Colan Schwartz (colan) wrote :

Also, now, I can't even click on "Details". When I do, nothing happens. No terminal opens.

Malcolm Scott (malcscott) wrote :

Colan: that's a different bug; please file a separate report.

Neal McBurnett (nealmcb) wrote :

Bug #787802 is the same bug, reported for Ubuntu 11.04 on the package apt-listchanges. One of these should presumably be a duplicate of the other.
According to that bug report, the synaptic tool handles this correctly, so presumably a similar approach could be used in update manager.

Lars Düsing (lars.duesing) wrote :

Best solution would be: let apt-listchanges test if there is a terminal or not.
Should apt-listchanges be added to this bug report?

Richard Hansen (rhansen) wrote :

Marking as a security vulnerability: As noted in <https://bugs.launchpad.net/ubuntu/+source/apt-listchanges/+bug/787802/comments/9>, it's possible to get to a root shell from 'less' (the pager invoked by apt-listchanges). While 'less' is displaying the list of changes, type '!sh' (without the quotes) and hit enter. This allows a user that is authorized to do the org.debian.apt.upgrade-packages policykit action to invoke arbitrary commands as root.

Note that users are not required to type a password to run the org.debian.apt.upgrade-packages action (see <https://wiki.ubuntu.com/SecurityTeam/FAQ#Update_Manager_doesn.27t_prompt_for_security_updates>). This makes it possible for malware running as the authorized user to gain root access without knowing the password.

security vulnerability: no → yes
Malcolm Scott (malcscott) wrote :

Whilst that does sound problematic, surely that is a separate issue entirely? This bug is about the update manager hiding apt-listchanges; your bug seems to imply that apt-listchanges shouldn't use less without some restrictions in place.
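
The two restrictions raised in the comments above (Lars Düsing's terminal test and the 'less' shell escape Richard Hansen describes), as an added Python example that is not code from apt-listchanges or update-manager. The names `hardened_pager_env`, `show_changes` and the sample text are hypothetical; `LESSSECURE` is the setting documented in less(1) that disables shell escapes.

```python
import os
import subprocess
import sys

# Variables through which less can be told to run helpers or load key bindings.
UNSAFE_LESS_VARS = ("LESS", "LESSOPEN", "LESSCLOSE", "LESSKEY", "EDITOR", "VISUAL")

# Constructed sample input, not a real changelog entry.
SAMPLE_CHANGES = "examplepkg (1.0-2) unstable; urgency=low\n\n  * Constructed entry.\n"


def hardened_pager_env(base_env):
    """Copy base_env so that less cannot start a shell, editor or helper."""
    env = {k: v for k, v in base_env.items() if k not in UNSAFE_LESS_VARS}
    # less(1), SECURITY: LESSSECURE=1 disables '!', '|', 'v', ':e' and log files.
    env["LESSSECURE"] = "1"
    return env


def show_changes(text, pager=("less",), env=None, stdin=None, stdout=None):
    """Page text only when a terminal is attached; return the mode used."""
    env = os.environ if env is None else env
    stdin = sys.stdin if stdin is None else stdin
    stdout = sys.stdout if stdout is None else stdout
    # The terminal test proposed in the thread. A terminal hidden behind
    # "Details" is still a tty, so the hardened environment is applied
    # every time the pager runs rather than relying on this check.
    if not (stdin.isatty() and stdout.isatty()):
        stdout.write(text)
        return "plain"
    subprocess.run(list(pager), input=text.encode(), env=hardened_pager_env(env),
                   check=False)
    return "pager"


if __name__ == "__main__":
    print("mode:", show_changes(SAMPLE_CHANGES))
```
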

This report contains Public Security information  
Everyone can see this security related information.
