fititnt / AdHocSecurebox

AdHocSecurebox is an opinionated collection of scripts/docs to deal with sensitive data with average hardware and open source software. Work in progress.
The Unlicense

Potential bug on Tails v4.12 when installing .deb files [/usr/local/sbin/tails-additional-software apt-pre apt_hook_pre()] #12

Open fititnt opened 3 years ago

fititnt commented 3 years ago

See:


How to reproduce the error

wget https://go.microsoft.com/fwlink/?LinkID=760868 -O /tmp/vscode.deb
sudo apt update
sudo apt install /tmp/vscode.deb

complete log

amnesia@amnesia:~$ wget https://go.microsoft.com/fwlink/?LinkID=760868 -O /tmp/vscode.deb
--2020-10-23 15:59:58--  https://go.microsoft.com/fwlink/?LinkID=760868
Resolving go.microsoft.com (go.microsoft.com)... 88.221.62.148
Connecting to go.microsoft.com (go.microsoft.com)|88.221.62.148|:443... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: https://update.code.visualstudio.com/latest/linux-deb-x64/stable [following]
--2020-10-23 16:00:01--  https://update.code.visualstudio.com/latest/linux-deb-x64/stable
Resolving update.code.visualstudio.com (update.code.visualstudio.com)... 51.144.164.215
Connecting to update.code.visualstudio.com (update.code.visualstudio.com)|51.144.164.215|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://az764295.vo.msecnd.net/stable/d2e414d9e4239a252d1ab117bd7067f125afd80a/code_1.50.1-1602600906_amd64.deb [following]
--2020-10-23 16:00:04--  https://az764295.vo.msecnd.net/stable/d2e414d9e4239a252d1ab117bd7067f125afd80a/code_1.50.1-1602600906_amd64.deb
Resolving az764295.vo.msecnd.net (az764295.vo.msecnd.net)... 152.199.19.160
Connecting to az764295.vo.msecnd.net (az764295.vo.msecnd.net)|152.199.19.160|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 64463220 (61M) [application/x-debian-package]
Saving to: ‘/tmp/vscode.deb’

/tmp/vscode.deb                                      100%[=====================================================================================================================>]  61.48M   614KB/s    in 1m 52s  

2020-10-23 16:01:58 (562 KB/s) - ‘/tmp/vscode.deb’ saved [64463220/64463220]

amnesia@amnesia:~$ sudo apt update

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for amnesia: 
Hit:1 tor+http://sdscoq7snqtznauu.onion/torproject.org buster InRelease                                                                                                                                           
Hit:2 tor+http://vwakviie2ienjx6t.onion/debian buster InRelease                                                              
Hit:3 tor+http://umjqavufhoix3smyq6az2sx4istmuvsgmz4bq5u5x56rnayejoo6l2qd.onion 4.12 InRelease         
Hit:4 tor+http://vwakviie2ienjx6t.onion/debian bullseye InRelease                                      
Hit:5 tor+http://vwakviie2ienjx6t.onion/debian buster-backports InRelease        
Hit:6 tor+http://vwakviie2ienjx6t.onion/debian sid InRelease                     
Hit:7 tor+http://sgvtcaew4bxjd7ln.onion buster/updates InRelease                 
Reading package lists... Done
Building dependency tree       
Reading state information... Done
5 packages can be upgraded. Run 'apt list --upgradable' to see them.
amnesia@amnesia:~$ sudo apt install /tmp/vscode.deb
[sudo] password for amnesia: 
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Note, selecting 'code' instead of '/tmp/vscode.deb'
The following package was automatically installed and is no longer required:
  libpcre2-posix0
Use 'sudo apt autoremove' to remove it.
The following NEW packages will be installed:
  code
0 upgraded, 1 newly installed, 0 to remove and 5 not upgraded.
Need to get 0 B/64.5 MB of archives.
After this operation, 276 MB of additional disk space will be used.
Get:1 /tmp/vscode.deb code amd64 1.50.1-1602600906 [64.5 MB]
[INFO] Saving package changes
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/apt/cache.py", line 297, in __getitem__
    rawpkg = self._cache[key]
KeyError: 'code'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/sbin/tails-additional-software", line 672, in <module>
    apt_hook_pre()
  File "/usr/local/sbin/tails-additional-software", line 459, in apt_hook_pre
    if not apt_cache[package_name].is_installed:
  File "/usr/lib/python3/dist-packages/apt/cache.py", line 299, in __getitem__
    raise KeyError('The cache has no package named %r' % key)
KeyError: "The cache has no package named 'code'"
E: Sub-process /usr/local/sbin/tails-additional-software apt-pre returned an error code (1)
E: Failure running script /usr/local/sbin/tails-additional-software apt-pre
amnesia@amnesia:~$ 

fititnt commented 3 years ago

/usr/lib/python3/dist-packages/apt/cache.py, around 299

    def __getitem__(self, key):
        # type: (object) -> Package
        """ look like a dictionary (get key) """
        try:
            key = str(key)
            rawpkg = self._cache[key]
        except KeyError:
            raise KeyError('The cache has no package named %r' % key)

        # It might be excluded due to not having a version or something
        if not self.__is_real_pkg(rawpkg):
            raise KeyError('The cache has no package named %r' % key)

        pkg = self._rawpkg_to_pkg(rawpkg)

        return pkg

/usr/local/sbin/tails-additional-software, line 415-466

def apt_hook_pre():
    """Subcommand to handle Dpkg::Pre-Install-Pkgs."""
    _exit_if_in_live_build()
    logging.info("Saving package changes")

    apt_cache = apt.cache.Cache()

    installed_packages = []
    removed_packages = []

    line = sys.stdin.readline()
    if not line.startswith("VERSION 3"):
        raise ASPDataError("APT data is not version 3")
    line = sys.stdin.readline()
    # Ignore configuration space, which ends with an empty line
    while line != "\n":
        line = sys.stdin.readline()
    # Package action lines
    for line in sys.stdin:
        # Package action lines consist of five fields in Version 2: package
        # name (without architecture qualification even if foreign), old
        # version, direction of version change (< for upgrades, > for
        # downgrades, = for no change), new version, action. The version
        # fields are "-" for no version at all (for example when installing
        # a package for the first time; no version is treated as earlier
        # than any real version, so that is an upgrade, indicated as - <
        # 1.23.4). The action field is "**CONFIGURE**" if the package is
        # being configured, "**REMOVE**" if it is being removed, or the
        # filename of a .deb file if it is being unpacked.
        #
        # In Version 3 after each version field follows the architecture of
        # this version, which is "-" if there is no version, and a field
        # showing the MultiArch type "same", "foreign", "allowed" or "none".
        # Note that "none" is an incorrect typename which is just kept to
        # remain compatible, it should be read as "no" and users are
        # encouraged to support both.
        #
        # Example:
        #
        # colordif - - none < 1.0.16-1 all none **CONFIGURE**
        package_name, old_version, old_arch, old_multiarch, direction, \
                new_version, new_arch, new_multiarch, action = line.split()
        if action.endswith(".deb"):
            # Filter packages that will only be upgraded
            if not apt_cache[package_name].is_installed:
                installed_packages.append(package_name)
        elif action.endswith("**REMOVE**"):
            removed_packages.append(package_name)

    result = {"installed": installed_packages, "removed": removed_packages}
    with open(ASP_STATE_PACKAGES, 'w') as f:
        json.dump(result, f)

fititnt commented 3 years ago

/usr/local/sbin/tails-additional-software, hotfix

sudo gedit /usr/local/sbin/tails-additional-software

original

        if action.endswith(".deb"):
            # Filter packages that will only be upgraded
            if not apt_cache[package_name].is_installed:
                installed_packages.append(package_name)

hotfixed

We check if apt_cache[package_name] is valid before trying to check if is_installed

        if action.endswith(".deb"):
            # Filter packages that will only be upgraded; a name missing from
            # the cache (local .deb file) is recorded without the lookup
            if (package_name not in apt_cache) or not apt_cache[package_name].is_installed:
                installed_packages.append(package_name)

fititnt commented 3 years ago

Even with the previous hotfix, while it allows installing .deb files one time, if the user marked the software to automatically re-install, I think we hit another bug.

Screenshot from 2020-10-23 17-57-07

Tails seems to try to install vscode with sudo apt install code, but since this was a deb file, that's not the right command.

While I agree that the hotfix would not solve 100% of the problem, it at least allows installing .deb files once. Good. Not perfect, but at least good.
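
Added example, not part of the issue thread and not Tails' own code: a self-contained model of the `Dpkg::Pre-Install-Pkgs` parsing loop quoted above, run with and without the membership guard from the hotfix comment. The names `classify`, `run_sample`, `CACHE` and `not_in_cache` are hypothetical, a plain dict stands in for `apt.cache.Cache`, and the hook input is constructed; the separate `not_in_cache` list marks the names the last comment is about (packages that came from a local .deb and have no entry in the cache).

```python
import io
from types import SimpleNamespace

# Constructed "VERSION 3" hook input (not taken from the issue's log).
SAMPLE_STDIN = (
    "VERSION 3\n"
    "APT::Architecture=amd64\n"
    "\n"
    "code - - none < 1.50.1-1602600906 amd64 none /tmp/vscode.deb\n"
    "colordiff - - none < 1.0.16-1 all none /var/cache/apt/archives/colordiff.deb\n"
    "vim 8.1-5 amd64 none < 8.1-6 amd64 none /var/cache/apt/archives/vim.deb\n"
    "nano 3.2-3 amd64 none > - - none **REMOVE**\n"
)
# Assumption: a plain dict stands in for apt.cache.Cache; "code" is absent,
# as it was for the locally downloaded .deb in the traceback.
CACHE = {
    "colordiff": SimpleNamespace(is_installed=False),
    "vim": SimpleNamespace(is_installed=True),
    "nano": SimpleNamespace(is_installed=True),
}

def classify(stream, cache, guarded=True):
    """Parse hook input; return new installs, removals and cache misses."""
    if not stream.readline().startswith("VERSION 3"):
        raise ValueError("APT data is not version 3")
    for line in stream:  # skip configuration space; also stops at EOF
        if line == "\n":
            break
    installed, removed, not_in_cache = [], [], []
    for line in stream:
        fields = line.split(None, 8)  # ninth field keeps the full action
        if len(fields) != 9:
            raise ValueError("malformed package action line: %r" % line)
        name, action = fields[0], fields[8].strip()
        if action.endswith(".deb"):
            if guarded and name not in cache:
                # Local .deb with no cache entry: record it as installed
                # and track it separately from repository packages.
                installed.append(name)
                not_in_cache.append(name)
            elif not cache[name].is_installed:  # KeyError if unguarded
                installed.append(name)
        elif action.endswith("**REMOVE**"):
            removed.append(name)
    return {"installed": installed, "removed": removed,
            "not_in_cache": not_in_cache}

def run_sample(guarded=True):
    return classify(io.StringIO(SAMPLE_STDIN), CACHE, guarded)
```

With `guarded=False` the lookup for `code` raises `KeyError`, matching the traceback in the first comment.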