[Aptitude-devel] Bug#662983: When called by aptitude, apt-listbugs crash and precludes the package upgrade
Francesco Poli
invernomuto at paranoici.org
Wed Mar 7 23:01:29 UTC 2012
On Wed, 7 Mar 2012 22:31:18 +0100 Nicolas DEGAND wrote:
> On Wed, 7 Mar 2012 21:11:43 +0100 Francesco Poli wrote:
>
> > On Wed, 07 Mar 2012 20:17:19 +0100 Nicolas DEGAND wrote:
> >
> > > Package: apt-listbugs
> > > Version: 0.1.6
> > > Severity: important
> >
> > Hi Nicolas,
> > thanks for your bug report!
> >
> > >
> > > I try to upgrade packages with aptitude. When it calls apt-listbugs, it crashes with the following messages:
> > >
> > > Are you sure you want to install/upgrade the above packages? [Y/n/?/...] /usr/lib/ruby/1.8/open-uri.rb:32:in `initialize': No such device or address - /dev/tty (Errno::ENXIO)
> > > from /usr/lib/ruby/1.8/open-uri.rb:32:in `open_uri_original_open'
> > > from /usr/lib/ruby/1.8/open-uri.rb:32:in `open'
> > > from /usr/share/apt-listbugs/apt-listbugs/logic.rb:1053:in `tty'
> > > from /usr/share/apt-listbugs/apt-listbugs/logic.rb:1060:in `ask'
> > > from /usr/share/apt-listbugs/apt-listbugs/logic.rb:350:in `view'
> > > from /usr/sbin/apt-listbugs:415
> > > E: Le sous-processus /usr/sbin/apt-listbugs apt || exit 10 a renvoyé un code d'erreur (10)
> > > E: Failure running script /usr/sbin/apt-listbugs apt || exit 10
> > >
> > > Note that I am unable to answer to the question of the first line. Everything is outputted in one wave.
> >
> > How are you invoking aptitude?
> > Inside an su -c command as in
> >
> > su -c "aptitude safe-upgrade"
> >
> > by chance?
>
> Using the aptitude ncurses interface (invoking "aptitude") with my usual
> account. I type the root password when asked by aptitude.
Hello Aptitude Development Team, could you please take a look at bug
#662983 ?
I am suspecting that the issue is due to aptitude invoking commands
(that need to be run as root) with an "su -c command".
Do I understand correctly that this is what is done by src/ui.cc:499
of current git master HEAD (commit c3b706f3c921585c70d2fc15d75f0713762efae3)?
execl(root_program.c_str(), root_program.c_str(), "-c", cmdbuf.str
().c_str(), NULL);
If this is confirmed, then I am under the impression that this strategy
causes problems, due to a recently applied security fix for binary
package login: see bug #628843 where CVE-2005-4890 is fixed by removing
from the child process of "su -c command" the ability to open "/dev/tty"
as explained in message #20.
This seems to be confirmed by su man page, which says:
-c, --command COMMAND
Specify a command that will be invoked by the shell using its -c.
The executed command will have no controlling terminal. This option
cannot be used to execute interractive programs which need a
controlling TTY.
Well, apt-listbugs needs a controlling TTY for interactive use...
What could be done to make aptitude's ncurses interface and
apt-listbugs work better together?
(A) Should apt-listbugs try harder to detect whether a controlling TTY
is available and switch to a non-interactive failure mode, in case no
controlling TTY may be used?
(B) Could aptitude's ncurses interface behave differently to adapt to
the security fix for CVE-2005-4890? Should I reassign this bug report
(#662983) to aptitude?
Maybe both (A) and (B)?
I would greatly appreciate your advice and help.
Thanks for your time!
--
http://www.inventati.org/frx/frx-gpg-key-transition-2010.txt
New GnuPG key, see the transition document!
..................................................... Francesco Poli .
GnuPG key fpr == CA01 1147 9CD2 EFDF FB82 3925 3E1C 27E1 1F69 BFFE
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 836 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/aptitude-devel/attachments/20120308/9e021d55/attachment.pgp>
More information about the Aptitude-devel
mailing list