[Secure-testing-team] Bug#702241: gnome-packagekit: gpk-update-viewer does not update package index so falsely says is up to date.

Asterix zzz232 at rocketmail.com
Mon Mar 4 12:29:00 UTC 2013


Package: gnome-packagekit
Version: 3.4.2-2
Severity: serious
Tags: security
Justification: gpk-update-viewer does not update package index so falsely says is up to date - security issue.

Dear Maintainer,

Having installed debian wheezy rc-1, I was expecting to be notified of updates,
or even automatically install them, through gpk-prefs, as my settings were to
have it check and automatically install all updates every day. However, I did
not get any for a couple of days, and so I clicked "check now" on gpk-prefs and
it ran gpk-update-viewer, which told me that my software was up to date.

However, it wasn't up to date. I ran apt-get update in the terminal, and then
gpk-update-viewer again, and it then did have updates, which I could apply.

What I would have expected to happen would be that gpk-update-viewer would
resynchronise the package index files when it was run, or at least make it
obvious that this hadn't been done and that I should do this. The package index
files should definitely be updated hourly/daily/weekly (depending on
gpk-prefs), when the updates are checked for.

I have put this down as a security issue, as most people probably assume that
they will be either notified of (security) updates, or that they will
automatically receive them (especially given the settings in gpk-prefs), and
that if they go onto update-viewer and are told that all software is up to date
they don't need to worry about security updates, but their system won't be up
to date. This will mean that people will have avoidable security holes in their
system.



-- System Information:
Debian Release: 7.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages gnome-packagekit depends on:
ii  dconf-gsettings-backend [gsettings-backend]  0.12.1-3
ii  gnome-packagekit-data                        3.4.2-2
ii  gnome-settings-daemon                        3.4.2+git20121218.7c1322-2
ii  libatk1.0-0                                  2.4.0-2
ii  libc6                                        2.13-38
ii  libcairo-gobject2                            1.12.2-3
ii  libcairo2                                    1.12.2-3
ii  libcanberra-gtk3-0                           0.28-6
ii  libcanberra0                                 0.28-6
ii  libdbus-1-3                                  1.6.8-1
ii  libdbus-glib-1-2                             0.100.1-1
ii  libfontconfig1                               2.9.0-7.1
ii  libgdk-pixbuf2.0-0                           2.26.1-1
ii  libglib2.0-0                                 2.33.12+really2.32.4-5
ii  libgtk-3-0                                   3.4.2-6
ii  libnotify4                                   0.7.5-1
ii  libpackagekit-glib2-14                       0.7.6-3
ii  libpango1.0-0                                1.30.0-1
ii  libsqlite3-0                                 3.7.13-1
ii  libupower-glib1                              0.9.17-1
ii  libx11-6                                     2:1.5.0-1
ii  packagekit                                   0.7.6-3

gnome-packagekit recommends no packages.

gnome-packagekit suggests no packages.

-- no debconf information
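
The failure described in this report, where "no updates" is reported from a package index that was never refreshed, can be caught by checking the age of the index before trusting the result. The script below is an added example, not part of the original report or of gnome-packagekit. The function name `update_verdict`, the one-day threshold and the use of the mtime of `/var/lib/apt/lists` as an approximation of the last refresh are assumptions.

```shell
#!/bin/sh
# Added example: classify an "up to date" claim by the age of the package index.
# Assumption (not from the bug report): the mtime of the given path stands in
# for the last successful index refresh. /var/lib/apt/lists is a common choice
# on Debian, but it is only an approximation.

# update_verdict PATH MAX_AGE_SECONDS PENDING_COUNT [NOW_EPOCH]
# Prints one of (exit status in brackets):
#   UNKNOWN [2]  index missing or older than MAX_AGE; "0 pending" proves nothing
#   PENDING [1]  index is fresh and updates are waiting
#   CURRENT [0]  index is fresh and nothing is waiting
update_verdict() {
    path=$1 max_age=$2 pending=$3
    now=${4:-$(date +%s)}

    # No index at all: the package manager has nothing to compare against.
    if [ ! -e "$path" ]; then
        echo "UNKNOWN index-missing"
        return 2
    fi

    mtime=$(stat -c %Y "$path") || return 2   # GNU stat, as shipped on Debian
    age=$((now - mtime))

    # A stale index makes the pending count meaningless, so check age first.
    if [ "$age" -gt "$max_age" ]; then
        echo "UNKNOWN index-stale age=${age}s"
        return 2
    fi
    if [ "$pending" -gt 0 ]; then
        echo "PENDING count=$pending age=${age}s"
        return 1
    fi
    echo "CURRENT age=${age}s"
    return 0
}

# Typical use on a Debian host (commented out so the file can be sourced):
# pending=$(apt-get -s upgrade | grep -c '^Inst ')
# update_verdict /var/lib/apt/lists 86400 "$pending"
```

A monitoring job can alert on exit status 2, which separates "could not tell" from "nothing to install".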


