update-manager seems to insecurely check if a file is valid
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
update-manager (Ubuntu) | Confirmed | Wishlist | Unassigned |
Bug Description
Binary package hint: update-manager-core
I think update-manager has a security problem:
# grep URI /etc/update-
URI = http://
URI_LTS = http://
Changelogs are checked over the url: http://
Dist: maverick
[..]
UpgradeTool: http://
UpgradeToolSign
Presumably, the UpgradeToolSign
So update-manager does two things:
* Gets a signature that verifies a file.
* Gets a file.
* Checks that the signature verifies the file.
But because this is happening over HTTP without SSL, the signature or the file or both can be replaced.
affects: update-manager-core (Ubuntu) → update-manager (Ubuntu)
Since it's the signature (not a key), this is only vulnerable to freeze/rewind attacks. i.e. Only matching file/signature pairs can be replaced on the wire. It's not possible to replace the contents arbitrarily.
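The freeze/rewind case described in the comment above, as an added example (not update-manager's code and not part of the original report): a signature-only check accepts a replayed old file/signature pair, while a check on signed metadata rejects it. The `Serial` and `Valid-Until` fields, the HMAC stand-in for the detached GPG signature, and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac

# Stand-in for the archive signing key. The real tool checks a detached GPG
# signature; HMAC is used here only so the example runs on the stdlib.
ARCHIVE_KEY = b"constructed-demo-key"

def sign(blob: bytes) -> bytes:
    return hmac.new(ARCHIVE_KEY, blob, hashlib.sha256).digest()

def make_release(serial: int, valid_until: int, body: bytes) -> tuple[bytes, bytes]:
    """Build a constructed (file, signature) pair with signed metadata."""
    blob = b"Serial: %d\nValid-Until: %d\n\n" % (serial, valid_until) + body
    return blob, sign(blob)

def signature_only(blob: bytes, sig: bytes) -> bool:
    """The check described in the report: does the signature match the file?"""
    return hmac.compare_digest(sign(blob), sig)

def verify_fresh(blob: bytes, sig: bytes, last_serial: int, now: int) -> str:
    """Signature check plus rollback and expiry checks on the signed metadata."""
    if not signature_only(blob, sig):
        return "bad-signature"
    header = blob.split(b"\n\n", 1)[0].decode()
    meta = dict(line.split(": ", 1) for line in header.splitlines())
    if int(meta["Serial"]) < last_serial:
        return "rewind"   # older than a release this client already accepted
    if now > int(meta["Valid-Until"]):
        return "frozen"   # validly signed, but served past its expiry
    return "ok"

# Constructed sample data: two matching pairs published at different times.
OLD = make_release(1, 1_000, b"upgrader v1")
NEW = make_release(2, 2_000, b"upgrader v2")

if __name__ == "__main__":
    # The old pair still verifies on its signature alone.
    print(signature_only(*OLD))
    # With freshness checks, the replayed old pair is rejected.
    print(verify_fresh(*OLD, last_serial=2, now=1_500))
    # The current pair served after its expiry is rejected too.
    print(verify_fresh(*NEW, last_serial=2, now=2_500))
    print(verify_fresh(*NEW, last_serial=2, now=1_500))
    # Arbitrary modification fails the signature, as the comment notes.
    print(verify_fresh(NEW[0] + b"x", NEW[1], last_serial=2, now=1_500))
```

The serial check needs the client to persist the highest serial it has accepted, and the expiry check needs a trustworthy local clock.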