rocketfuel-setup imports untrusted apt signing key (RCE via MITM)
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Launchpad itself | Fix Released | Undecided | Andy Brody | |
Bug Description
The rocketfuel-setup script recommended for Launchpad development by https:/
The script runs gpg --recv-keys 0A5174AF to fetch apt signing keys. Even when no attacker is present in a privileged network position, this installs two gpg keys into the apt keyring:
pub rsa1024 2008-12-18 [SC]
2AF4 99CB 24AC 5F65 4614 0557 2D1F FB6C 0A51 74AF
uid [ unknown] Launchpad PPA for Launchpad Developers
pub rsa1024 2017-03-25 [C]
A1C7 6307 FCC5 7636 C1EF 36E2 7761 A6A5 0A51 74AF
uid [ unknown] Totally Legit Signing Key <email address hidden>
An attacker in a privileged network position could use this third party key or another crafted key to subsequently install arbitrary altered packages on target Launchpad developer machines.
The script should instead fetch the key using the entire key fingerprint, otherwise the security of signed packages is reduced to the number of bits of key fingerprint used.
https:/
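An audit for the condition described in the report, added here as an example (it is not part of the original report or of the Launchpad code): it reads `gpg --with-colons` output and lists every primary key that shares the short ID, then every key other than the one pinned by full fingerprint. The colon-format sample is constructed from the two fingerprints in the listing above, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit a keyring listing for keys other than the pinned one.
# Real input would come from: gpg --list-keys --with-colons --fingerprint

# Full 160-bit fingerprint of the PPA key, as shown in the report's listing.
EXPECTED_FPR=2AF499CB24AC5F65461405572D1FFB6C0A5174AF

# Constructed colon-format sample for the two keys in the report
# (dates and flag fields are illustrative, not captured gpg output).
sample_listing() {
    cat <<'EOF'
pub:-:1024:1:2D1FFB6C0A5174AF:1229558400:::-:::scSC:
fpr:::::::::2AF499CB24AC5F65461405572D1FFB6C0A5174AF:
uid:-::::1229558400::::Launchpad PPA for Launchpad Developers:
pub:-:1024:1:7761A6A50A5174AF:1490400000:::-:::cC:
fpr:::::::::A1C76307FCC57636C1EF36E27761A6A50A5174AF:
uid:-::::1490400000::::Totally Legit Signing Key:
EOF
}

# Print the fingerprint (field 10 of the fpr record) of each primary key.
# Only the fpr record directly following a pub record is taken, so subkey
# fingerprints are ignored.
primary_fprs() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "fpr" && want { print $10; want = 0 }'
}

# Print every primary fingerprint whose last 8 hex digits equal short ID $1.
short_id_matches() {
    primary_fprs | awk -v id="$1" \
        'toupper(substr($0, length($0) - 7)) == toupper(id)'
}

# Print every primary fingerprint that is not the pinned fingerprint $1.
unexpected_fprs() {
    primary_fprs | awk -v want="$1" 'toupper($0) != toupper(want)'
}

echo "Keys matching short ID 0A5174AF:"
sample_listing | short_id_matches 0A5174AF
echo "Keys other than the pinned fingerprint:"
sample_listing | unexpected_fprs "$EXPECTED_FPR"
```

A setup script can stop before touching the apt keyring whenever `unexpected_fprs` prints anything.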
tags: added: qa-ok; removed: qa-needstesting
Changed in launchpad:
status: Fix Committed → Fix Released
information type: Private Security → Public Security
I'm unsure if proposing a branch merge is appropriate, but I made a patch here: https://bazaar.launchpad.net/~abrody/launchpad/rocketfuel-apt/revision/18871