Launchpad.net

CVE 2009-1358

apt-get in apt before 0.7.21 does not check for the correct error code from gpgv, which causes apt to treat a repository as valid even when it has been signed with a key that has been revoked or expired, which might allow remote attackers to trick apt into installing malicious repositories.

Related bugs and status

CVE-2009-1358 (Candidate) is related to these bugs:

Bug #356012: APT does not properly handle expired or revoked key signatures

		In	Importance	Status
356012	APT does not properly handle expired or revoked key signatures	apt (Ubuntu)	Medium	Fix Released
356012	APT does not properly handle expired or revoked key signatures	apt (Debian)	Unknown	Fix Released
356012	APT does not properly handle expired or revoked key signatures	apt (Ubuntu Dapper)	Medium	Fix Released
356012	APT does not properly handle expired or revoked key signatures	apt (Ubuntu Gutsy)	Medium	Won't Fix
356012	APT does not properly handle expired or revoked key signatures	apt (Ubuntu Hardy)	Medium	Fix Released
356012	APT does not properly handle expired or revoked key signatures	apt (Ubuntu Jaunty)	Medium	Fix Released
356012	APT does not properly handle expired or revoked key signatures	apt (Ubuntu Intrepid)	Medium	Fix Released

See the

CVE page on Mitre.org for more details.

References

CONFIRM: https://bugs.launchpad...
SECUNIA: 34829
SECUNIA: 34832
CONFIRM: http://bugs.debian.org...
DEBIAN: DSA-1779
BID: 34630
SECUNIA: 34874
XF: apt-aptget-gpgv-securi...
UBUNTU: USN-762-1