gpg key shadowing

Bug #1013128 reported by Jamie Strandboge on 2012-06-14
262
This bug affects 1 person
Affects Status Importance Assigned to Milestone
apt (Debian)
Fix Released
Unknown
apt (Ubuntu)
High
Jamie Strandboge
Hardy
High
Jamie Strandboge
Lucid
High
Jamie Strandboge
Natty
High
Jamie Strandboge
Oneiric
High
Jamie Strandboge
Precise
High
Jamie Strandboge
Quantal
High
Jamie Strandboge

Bug Description

Georgi Guninski reported on http://seclists.org/fulldisclosure/2012/Jun/267 (slightly modified for language):
"While wasting my time with apt-key noticed strange behaviour with
colliding subkeys.

Out of paranoia ubuntu disallows importing certain trusted keyids.
This is trivial to circumvent by making a collision with subkey.

Attached is a key with subkey keyid colliding with
Ubuntu Archive Master Signing Key <ftpmaster () ubuntu com>.

By emulating apt-key netupdate, noticed that the order of the keyrings
is important. If the master keyring is first, the colliding key with
correct signature fails validation (probably because the other key is used).
If the colliding keyring is first, everything is ok (modulo reporting wrong
signer).

Probably this may lead to gpg abuse.

colliding first:

$gpg --ignore-time-conflict --no-options --no-default-keyring --secret-keyring /etc/apt/secring.gpg --keyring /tmp/sec1
--keyring /usr/share/keyrings/ubuntu-master-keyring.gpg --check-sigs
/tmp/sec1
---------
pub 1024R/76A4410F 2012-06-13
uid f...31 (f) <f () f>
sig!3 76A4410F 2012-06-13 f...31 (f) <f () f>
sig! 3F272F5B 2012-06-13 f...31 (f) <f () f>
sig! 3F272F5B 2012-06-13 f...31 (f) <f () f>
sub 1024R/2376C859 2012-06-13
sig! 76A4410F 2012-06-13 f...31 (f) <f () f>
sub 2180R/3F272F5B 2012-06-13
sig! 76A4410F 2012-06-13 f...31 (f) <f () f>

/usr/share/keyrings/ubuntu-master-keyring.gpg
---------------------------------------------
pub 4096R/3F272F5B 2007-11-09
uid Ubuntu Archive Master Signing Key <ftpmaster () ubuntu com>
sig!3 3F272F5B 2007-11-09 f...31 (f) <f () f> #wrong

1 signature not checked due to a missing key

master first:

$gpg --ignore-time-conflict --no-options --no-default-keyring --secret-keyring /etc/apt/secring.gpg --keyring
/usr/share/keyrings/ubuntu-master-keyring.gpg --keyring /tmp/sec1 --check-sigs
/usr/share/keyrings/ubuntu-master-keyring.gpg
---------------------------------------------
pub 4096R/3F272F5B 2007-11-09
uid Ubuntu Archive Master Signing Key <ftpmaster () ubuntu com>
sig!3 3F272F5B 2007-11-09 Ubuntu Archive Master Signing Key <ftpmaster () ubuntu com>

/tmp/sec1
---------
pub 1024R/76A4410F 2012-06-13
uid f...31 (f) <f () f>
sig!3 76A4410F 2012-06-13 [User ID not found]
sig- 3F272F5B 2012-06-13 Ubuntu Archive Master Signing Key <ftpmaster () ubuntu com> # wrong, signer is a
subkey of f () f
sig- 3F272F5B 2012-06-13 Ubuntu Archive Master Signing Key <ftpmaster () ubuntu com> # wrong, signer is a
subkey of f () f
sub 1024R/2376C859 2012-06-13
sig! 76A4410F 2012-06-13 [User ID not found]
sub 2180R/3F272F5B 2012-06-13
sig! 76A4410F 2012-06-13 [User ID not found]

2 bad signatures
1 signature not checked due to a missing key"

Jamie Strandboge (jdstrand) wrote :
Changed in apt (Ubuntu):
importance: Undecided → High
Jamie Strandboge (jdstrand) wrote :

Ok, Michael, Marc and I looked at this a bit. If copy sec1.bin to /var/www/ubuntu-archive-keyring.gpg then update ARCHIVE_KEYRING_URI to have ARCHIVE_KEYRING_URI=http://localhost/ubuntu-archive-keyring.gpg, the key does not get updated on lucid/amd64. If I change the order as the report suggests, it is imported. Ie, I use this:
if $GPG_CMD --keyring $TMP_KEYRING --keyring $MASTER --check-sigs --with-colons $add_key | grep '^sig:!:' | cut -d: -f5 | grep -q $master_key; then

instead of:
if $GPG_CMD --keyring $MASTER --keyring $TMP_KEYRING --check-sigs --with-colons $add_key | grep '^sig:!:' | cut -d: -f5 | grep -q $master_key; then

At this point it needs to be verified that gpg will never internally reverse the order on all architectures. If it ever does, then this is a problem. If not, this attack would require an additional step (to update apt-key's code to reverse the order).

Changed in apt (Ubuntu Lucid):
status: New → In Progress
importance: Undecided → High
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in apt (Ubuntu Natty):
status: New → In Progress
importance: Undecided → High
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in apt (Ubuntu Oneiric):
status: New → In Progress
importance: Undecided → High
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in apt (Ubuntu Precise):
status: New → In Progress
importance: Undecided → High
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in apt (Ubuntu Quantal):
status: New → In Progress
assignee: Michael Vogt (mvo) → Jamie Strandboge (jdstrand)
Changed in apt (Ubuntu Hardy):
status: New → In Progress
importance: Undecided → High
assignee: nobody → Jamie Strandboge (jdstrand)
description: updated
description: updated
Jamie Strandboge (jdstrand) wrote :

I've uploaded these to the security ppa. Michael, do you want to coordinate this with Debian or shall I?

Changed in apt (Ubuntu Lucid):
status: In Progress → Fix Committed
Changed in apt (Ubuntu Natty):
status: In Progress → Fix Committed
Changed in apt (Ubuntu Oneiric):
status: In Progress → Fix Committed
Changed in apt (Ubuntu Precise):
status: In Progress → Fix Committed
Changed in apt (Ubuntu Quantal):
status: In Progress → Fix Committed
Changed in apt (Ubuntu Hardy):
status: In Progress → Fix Committed
visibility: private → public
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apt - 0.9.6ubuntu2

---------------
apt (0.9.6ubuntu2) quantal; urgency=low

  * adjust apt-key to ensure no collisions on subkeys too. Patch thanks to
    Marc Deslauriers. (LP: #1013128)
 -- Jamie Strandboge <email address hidden> Thu, 14 Jun 2012 11:29:48 -0500

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apt - 0.8.16~exp12ubuntu10.1

---------------
apt (0.8.16~exp12ubuntu10.1) precise-security; urgency=low

  * adjust apt-key to ensure no collisions on subkeys too. Patch thanks to
    Marc Deslauriers. (LP: #1013128)
 -- Jamie Strandboge <email address hidden> Thu, 14 Jun 2012 11:30:50 -0500

Changed in apt (Ubuntu Precise):
status: Fix Committed → Fix Released
Changed in apt (Ubuntu Quantal):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apt - 0.8.16~exp5ubuntu13.4

---------------
apt (0.8.16~exp5ubuntu13.4) oneiric-security; urgency=low

  * adjust apt-key to ensure no collisions on subkeys too. Patch thanks to
    Marc Deslauriers. (LP: #1013128)
 -- Jamie Strandboge <email address hidden> Thu, 14 Jun 2012 11:31:28 -0500

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apt - 0.8.13.2ubuntu4.5

---------------
apt (0.8.13.2ubuntu4.5) natty-security; urgency=low

  * adjust apt-key to ensure no collisions on subkeys too. Patch thanks to
    Marc Deslauriers. (LP: #1013128)
 -- Jamie Strandboge <email address hidden> Thu, 14 Jun 2012 11:32:34 -0500

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apt - 0.7.25.3ubuntu9.12

---------------
apt (0.7.25.3ubuntu9.12) lucid-security; urgency=low

  * adjust apt-key to ensure no collisions on subkeys too. Patch thanks to
    Marc Deslauriers. (LP: #1013128)
 -- Jamie Strandboge <email address hidden> Thu, 14 Jun 2012 10:57:16 -0500

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apt - 0.7.9ubuntu17.5

---------------
apt (0.7.9ubuntu17.5) hardy-security; urgency=low

  * adjust apt-key to ensure no collisions on subkeys too. Patch thanks to
    Marc Deslauriers. (LP: #1013128)
 -- Jamie Strandboge <email address hidden> Thu, 14 Jun 2012 11:00:24 -0500

Changed in apt (Ubuntu Hardy):
status: Fix Committed → Fix Released
Changed in apt (Ubuntu Lucid):
status: Fix Committed → Fix Released
Changed in apt (Ubuntu Natty):
status: Fix Committed → Fix Released
Changed in apt (Ubuntu Oneiric):
status: Fix Committed → Fix Released
Changed in apt (Debian):
status: Unknown → New
georgi (guninski) wrote :

Created better keyring that works with master first.

The keyring is at:

http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20120614/a24a7974/attachment.obj
(name sec3)

master first:

gpg --ignore-time-conflict --no-options --no-default-keyring --secret-keyring /etc/apt/secring.gpg --keyring /usr/share/keyrings/ubuntu-master-keyring.gpg --keyring /tmp/sec3 --check-sigs

/usr/share/keyrings/ubuntu-master-keyring.gpg
---------------------------------------------
pub 4096R/3F272F5B 2007-11-09
uid Ubuntu Archive Master Signing Key <email address hidden>
sig!3 3F272F5B 2007-11-09 Ubuntu Archive Master Signing Key <email address hidden>

/tmp/sec3
---------
pub 1024R/B1C08810 2012-06-14
uid kkkkkkk5 <k@k>
sig!3 B1C08810 2012-06-14 [User ID not found]
sig! 3F272F5B 2012-06-14 Ubuntu Archive Master Signing Key <email address hidden>
sig! 3F272F5B 2012-06-14 Ubuntu Archive Master Signing Key <email address hidden>
sub 1024R/0354AE88 2012-06-14
sig! B1C08810 2012-06-14 [User ID not found]
sub 2179R/3F272F5B 2012-06-14
sig! B1C08810 2012-06-14 [User ID not found]

Can't import it yet...

Jamie Strandboge (jdstrand) wrote :

This is too brittle and we are going to disable net-update again (bug #1013639) in the short term and try to fix this properly. Bug #1013681 will track the actual fix.

Changed in apt (Debian):
status: New → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers

Bug attachments

Remote bug watches

Bug watches keep track of this bug in other bug trackers.