rocketfuel-setup imports untrusted apt signing key (RCE via MITM)

Bug #1814206 reported by Andy Brody
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Launchpad itself
Fix Released
Andy Brody

Bug Description

The rocketfuel-setup script recommended for Launchpad development by installs unintended and untrusted third party apt signing keys into the system apt gpg keyring.

The script runs gpg --recv-keys 0A5174AF to fetch apt signing keys. Even when no attacker is present in a privileged network position, this installs two gpg keys into the apt keyring:

pub rsa1024 2008-12-18 [SC]
      2AF4 99CB 24AC 5F65 4614 0557 2D1F FB6C 0A51 74AF
uid [ unknown] Launchpad PPA for Launchpad Developers

pub rsa1024 2017-03-25 [C]
      A1C7 6307 FCC5 7636 C1EF 36E2 7761 A6A5 0A51 74AF
uid [ unknown] Totally Legit Signing Key <email address hidden>

An attacker in a privileged network position could use this third party key or another crafted key to subsequently install arbitrary altered packages on target Launchpad developer machines.

The script should instead fetch the key using the entire key fingerprint, otherwise the security of signed packages is reduced to the number of bits of key fingerprint used.

Tags: qa-ok
Revision history for this message
Andy Brody (abrody) wrote :

I'm unsure if proposing a branch merge is appropriate, but I made a patch here:

Revision history for this message
Colin Watson (cjwatson) wrote :

Please do propose a merge; thanks.

Revision history for this message
Launchpad QA Bot (lpqabot) wrote :
Changed in launchpad:
assignee: nobody → Andy Brody (abrody)
tags: added: qa-needstesting
Changed in launchpad:
status: New → Fix Committed
Colin Watson (cjwatson)
tags: added: qa-ok
removed: qa-needstesting
Colin Watson (cjwatson)
Changed in launchpad:
status: Fix Committed → Fix Released
information type: Private Security → Public Security
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.