rocketfuel-setup imports untrusted apt signing key (RCE via MITM)

Bug #1814206 reported by Andy Brody on 2019-02-01
Affects: Launchpad itself
Importance: Undecided
Assigned to: Andy Brody

Bug Description

The rocketfuel-setup script recommended for Launchpad development by https://dev.launchpad.net/Running installs unintended and untrusted third party apt signing keys into the system apt gpg keyring.

The script runs gpg --recv-keys 0A5174AF to fetch apt signing keys. Even when no attacker is present in a privileged network position, this installs two gpg keys into the apt keyring:

pub rsa1024 2008-12-18 [SC]
      2AF4 99CB 24AC 5F65 4614 0557 2D1F FB6C 0A51 74AF
uid [ unknown] Launchpad PPA for Launchpad Developers

pub rsa1024 2017-03-25 [C]
      A1C7 6307 FCC5 7636 C1EF 36E2 7761 A6A5 0A51 74AF
uid [ unknown] Totally Legit Signing Key <email address hidden>

An attacker in a privileged network position could use this third party key or another crafted key to subsequently install arbitrary altered packages on target Launchpad developer machines.

The script should instead fetch the key using the entire key fingerprint, otherwise the security of signed packages is reduced to the number of bits of key fingerprint used.

https://bazaar.launchpad.net/~launchpad-pqm/launchpad/devel/view/head:/utilities/rocketfuel-setup
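As an added illustration (not part of the bug report or of rocketfuel-setup), the Python check below shows why a 32-bit short ID is not a safe pin: both keys listed above share the 0A5174AF suffix, and only a comparison against the full 40-hex-digit fingerprint singles out the intended one. The sample listing is constructed in gpg's `--with-colons` format from the two fingerprints quoted in the report; the timestamps and other fields are filler.

```python
"""Pin an apt signing key by its full fingerprint, not a 32-bit short ID.

Works on `gpg --with-colons --list-keys` output, gpg's machine-readable
listing format; nothing here shells out, so it runs offline.
"""
import re

# Constructed sample listing for the two keys the report shows a
# `gpg --recv-keys 0A5174AF` lookup pulling in. Key IDs and fingerprints
# are the ones quoted in the bug; other fields are filler in gpg's layout.
SAMPLE_LISTING = """\
pub:-:1024:1:2D1FFB6C0A5174AF:1229558400:::-:::scSC::::::23::0:
fpr:::::::::2AF499CB24AC5F65461405572D1FFB6C0A5174AF:
uid:-::::1229558400::0000000000000000000000000000000000000000::Launchpad PPA for Launchpad Developers::::::::::0:
pub:-:1024:1:7761A6A50A5174AF:1490400000:::-:::cC::::::23::0:
fpr:::::::::A1C76307FCC57636C1EF36E27761A6A50A5174AF:
uid:-::::1490400000::0000000000000000000000000000000000000000::Totally Legit Signing Key <email address hidden>::::::::::0:
"""

# The genuine Launchpad PPA key, written as the report lists it (spaces allowed).
EXPECTED_FPR = "2AF4 99CB 24AC 5F65 4614 0557 2D1F FB6C 0A51 74AF"


def fingerprints(listing):
    """Return every fingerprint (field 10 of `fpr:` records, primary keys and subkeys)."""
    return [line.split(":")[9] for line in listing.splitlines()
            if line.startswith("fpr:")]


def keys_matching_short_id(listing, short_id):
    """Keys a short-ID lookup cannot tell apart: all whose fingerprint ends in it."""
    return [f for f in fingerprints(listing) if f.endswith(short_id.upper())]


def select_trusted_key(listing, expected_fpr):
    """Return the one fingerprint equal to expected_fpr, or raise ValueError.

    Rejects anything shorter than the full 160-bit fingerprint, so a caller
    cannot accidentally pin only the colliding 0A5174AF suffix.
    """
    want = expected_fpr.replace(" ", "").upper()
    if not re.fullmatch(r"[0-9A-F]{40}", want):
        raise ValueError("need a full 40-hex-digit fingerprint, got %r" % expected_fpr)
    hits = [f for f in fingerprints(listing) if f == want]
    if len(hits) != 1:
        raise ValueError("expected exactly one key %s, found %d" % (want, len(hits)))
    return hits[0]
```

Run against a real keyring with `gpg --with-colons --list-keys` piped into `select_trusted_key`; a fixed script would fetch by the full fingerprint and refuse to add the key to apt unless this check passes.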

Andy Brody (abrody) wrote:

I'm unsure if proposing a branch merge is appropriate, but I made a patch here: https://bazaar.launchpad.net/~abrody/launchpad/rocketfuel-apt/revision/18871

Colin Watson (cjwatson) wrote:

Please do propose a merge; thanks.

Launchpad QA Bot (lpqabot) wrote:
Changed in launchpad:
assignee: nobody → Andy Brody (abrody)
tags: added: qa-needstesting
Changed in launchpad:
status: New → Fix Committed
Colin Watson (cjwatson) on 2019-02-12
tags: added: qa-ok
removed: qa-needstesting
Colin Watson (cjwatson) on 2019-02-13
Changed in launchpad:
status: Fix Committed → Fix Released
information type: Private Security → Public Security