Online service used by software center

Need to send long keyids to software-center to prevent MITM attack

Reported by Michael Vogt on 2012-09-19
Affects                  Importance   Assigned to
Software Center Agent    Critical     Anthony Lenton
aptdaemon (Ubuntu)       High         Unassigned
  Oneiric                Undecided    Marc Deslauriers
  Precise                Undecided    Marc Deslauriers
  Quantal                Undecided    Unassigned
  Raring                 High         Unassigned

Bug Description

In the subscriptions_for_me json and in the purchase json wgrant noticed that we use the short gpg keyids:
e.g. u'signing_key_id': u'1024r/75254d99'

These are vulnerable to man-in-the-middle attacks as it's relatively easy to create collisions on them and sneak a different key into the keyring and compromise the system. Instead we need to send the long keyid. This *should* be transparent to the client (but obviously we need to test that). It should send the long fingerprint, e.g. 019A25FED88F961763935D7F129196470EB12F05 from http://launchpad.net/~mvo/+archive under fingerprint.

Michael Vogt (mvo) wrote :

This also affects aptdaemon, it is using:

import subprocess

# keyid comes straight from the caller: a short id is handed to the keyserver
# and whatever key comes back is imported without checking its fingerprint
proc = subprocess.Popen(["/usr/bin/apt-key", "adv",
                         "--keyserver", keyserver,
                         "--recv", keyid], stderr=subprocess.STDOUT,
                         stdout=subprocess.PIPE, close_fds=True)

Michael Vogt (mvo) wrote :

We need to port the software-properties fix for the key import to aptdaemon or fix the apt apt-key code.
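
What the "check downloaded keyid" fix amounts to, as an added illustration that is not aptdaemon's or software-center's own code: refuse 8-hex-digit short ids outright, and after a key is received compare the requested long keyid or full fingerprint against the fingerprint of what was actually downloaded. It assumes the downloaded key is inspected via gpg's `--with-colons --fingerprint` record format; both key records below are constructed samples (the second is a made-up key whose short id collides with the wheezy key named in the test procedure).

```python
import re

# Constructed sample of `gpg --with-colons --fingerprint` output for the
# Debian 7.0/wheezy archive key from the bug's test procedure (uid e-mail
# is a placeholder; the real address is hidden on the bug page).
GENUINE_KEY = """\
pub:-:4096:1:8B48AD6246925553:1335484800:1587772800::-:::scSC:
fpr:::::::::A1BD8E9D78F7FE5C3E65D8AF8B48AD6246925553:
uid:-::::1335484800::X::Debian Archive Automatic Signing Key (7.0/wheezy) <placeholder@example.org>:
"""

# Constructed sample of an unrelated key whose short id (last 8 hex digits,
# 46925553) collides with the genuine key but whose fingerprint differs.
COLLIDING_KEY = """\
pub:-:2048:1:DEADBEEF46925553:1340000000:::-:::scSC:
fpr:::::::::000011112222333344445555DEADBEEF46925553:
uid:-::::1340000000::X::Not The Debian Key <placeholder@example.org>:
"""

HEX_ID = re.compile(r"^(0x)?([0-9A-Fa-f]{8}|[0-9A-Fa-f]{16}|[0-9A-Fa-f]{40})$")


def normalize_keyid(keyid):
    """Strip an optional 0x prefix, validate hex, return upper-case digits."""
    m = HEX_ID.match(keyid.strip())
    if not m:
        raise ValueError("not a hex key id: %r" % keyid)
    return m.group(2).upper()


def fingerprints(colon_output):
    """Fingerprints are field 10 (index 9) of 'fpr' records."""
    return [line.split(":")[9] for line in colon_output.splitlines()
            if line.startswith("fpr:")]


def verify_received_key(requested, colon_output):
    """Return the downloaded fingerprint that satisfies `requested`, else raise.
    Short ids are refused before any comparison: they are cheap to collide."""
    wanted = normalize_keyid(requested)
    if len(wanted) < 16:
        raise ValueError("short key id %s refused; use long keyid or fingerprint" % wanted)
    for fpr in fingerprints(colon_output):
        if fpr.endswith(wanted):  # 16 digits = long keyid, 40 = full fingerprint
            return fpr
    raise ValueError("downloaded key does not match requested id %s" % wanted)


def accepts(requested, colon_output):
    """Boolean wrapper around verify_received_key, handy for tests and callers."""
    try:
        verify_received_key(requested, colon_output)
        return True
    except ValueError:
        return False


def short_id_would_accept(requested, colon_output):
    """The unsafe pre-fix comparison: only the last 8 hex digits are checked."""
    wanted = normalize_keyid(requested)[-8:]
    return any(fpr.endswith(wanted) for fpr in fingerprints(colon_output))
```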

Michael Vogt (mvo) on 2012-10-02
tags: added: ca-escalated
Changed in software-center-agent:
status: New → In Progress
importance: Undecided → Critical
importance: Critical → High
assignee: nobody → Anthony Lenton (elachuni)
importance: High → Critical
Michael Vogt (mvo) wrote :

To test you need to build the branch with bzr-buildpackage and install it.

Then run:
# aptdcon --keyserver=keyserver.ubuntu.com --add-vendor-key-from-keyserver=437D05B5

This should give you an error.

# aptdcon --add-vendor-key-from-keyserver=0xa1BD8E9D78F7FE5C3E65D8AF8B48AD6246925553 --keyserver=keyserver.ubuntu.com
# apt-key list

Should work and show:
pub 4096R/46925553 2012-04-27 [expires: 2020-04-25]
uid Debian Archive Automatic Signing Key (7.0/wheezy) <email address hidden>

in the apt-key list output.

Michael Vogt (mvo) wrote :

Same test as for precise.

Changed in aptdaemon (Ubuntu):
status: New → In Progress
importance: Undecided → High
Changed in software-center-agent:
status: In Progress → Fix Released
Michael Vogt (mvo) wrote :

Someone from the QA team like davmor2 should test a purchase in the software-center when this is applied to get an additional test.

Changed in aptdaemon (Ubuntu Raring):
status: In Progress → Fix Released
Changed in aptdaemon (Ubuntu Quantal):
status: New → Fix Released
Marc Deslauriers (mdeslaur) wrote :

This is CVE-2012-0962

Changed in aptdaemon (Ubuntu Oneiric):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in aptdaemon (Ubuntu Precise):
assignee: nobody → Marc Deslauriers (mdeslaur)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package aptdaemon - 0.43+bzr697-0ubuntu1.3

---------------
aptdaemon (0.43+bzr697-0ubuntu1.3) oneiric-security; urgency=low

  * SECURITY UPDATE: check downloaded keyid (LP: #1052789)
    - CVE-2012-0962
 -- Michael Vogt <email address hidden> Fri, 12 Oct 2012 16:20:20 +0200

Changed in aptdaemon (Ubuntu Oneiric):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package aptdaemon - 0.43+bzr805-0ubuntu7

---------------
aptdaemon (0.43+bzr805-0ubuntu7) precise-security; urgency=low

  * SECURITY UPDATE: check downloaded keyid (LP: #1052789)
    - CVE-2012-0962
 -- Michael Vogt <email address hidden> Fri, 12 Oct 2012 15:59:48 +0200

Changed in aptdaemon (Ubuntu Precise):
status: New → Fix Released
information type: Private Security → Public Security