apt-add-repository does not perform ssl verification where it *needs* to
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| software-properties (Ubuntu) | Fix Released | High | Marc Deslauriers | |
| Lucid | Fix Released | High | Marc Deslauriers | |
| Maverick | Fix Released | High | Marc Deslauriers | |
| Natty | Fix Released | High | Marc Deslauriers | |
| Oneiric | Fix Released | High | Marc Deslauriers | |
| Precise | Fix Released | High | Marc Deslauriers | |
Bug Description
The python code in apt-add-repository makes use of the softwareproperties module, in particular the ppa.py file.
In the ppa.py file there is the following comment:

> The signing key fingerprint is obtained from the Launchpad PPA page,
> via a secure channel, so it can be trusted.
However, the code in ppa.py simply uses the urllib2 module, which, as per the warning in the documentation ("HTTPS requests do not do any verification of the server's certificate"), does not do any verification of the server's certificate.
As the data returned through the urllib2 call is trusted and used to configure and add new PPAs (software repositories) to a system, it may be possible for an attacker (who can perform a man-in-the-middle attack) to compromise a remote system through this means.
I tested and confirmed the bug on my local system with the following relevant packages installed:
ii python-
ii software-center 5.0.3.1 Utility for browsing, installing, and removing software
ii software-
ii software-
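The issue in the report, shown as an added example (this is not software-properties' own code): the same fingerprint fetch with an unverified TLS context, as legacy urllib2 behaved, beside a context that validates the certificate chain and hostname, plus a format check on the fingerprint before it is handed to apt-key. The Launchpad API URL pattern and the `signing_key_fingerprint` JSON field are assumptions for illustration; Python 3's urllib.request verifies certificates by default, and the example simply makes that choice explicit.

```python
import json
import re
import ssl
import urllib.request

# Assumed for this example: the PPA page is served as JSON with a
# "signing_key_fingerprint" field.
PPA_API_URL = "https://launchpad.net/api/1.0/~{owner}/+archive/{name}"
FINGERPRINT_RE = re.compile(r"^[0-9A-F]{40}$")  # OpenPGP v4 fingerprint


def unverified_context():
    """Reproduces the legacy urllib2 behaviour: no chain validation and no
    hostname check, so anyone on the path can answer for launchpad.net."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verified_context(cafile=None):
    """Hardened form: validate the chain against the system CA store (or the
    given cafile) and match the hostname, which is what makes the fetched
    fingerprint trustworthy in the first place."""
    return ssl.create_default_context(cafile=cafile)


def context_verifies(ctx):
    """True only when the context both validates the chain and checks the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def is_valid_fingerprint(value):
    return bool(FINGERPRINT_RE.match(str(value).upper().replace(" ", "")))


def parse_fingerprint(body):
    """Extract the fingerprint and reject anything that is not 40 hex digits."""
    data = json.loads(body)
    fp = str(data.get("signing_key_fingerprint", "")).upper().replace(" ", "")
    if not FINGERPRINT_RE.match(fp):
        raise ValueError("malformed signing key fingerprint: %r" % fp)
    return fp


def fetch_fingerprint(owner, name, context=None):
    """Fetch the PPA signing-key fingerprint over a verifying HTTPS channel."""
    context = context or verified_context()
    opener = urllib.request.build_opener(urllib.request.HTTPSHandler(context=context))
    with opener.open(PPA_API_URL.format(owner=owner, name=name), timeout=30) as resp:
        return parse_fingerprint(resp.read())
```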
Hi Michael, could you please take a quick look? Thanks!