Activity log for bug #1013128

Date Who What changed Old value New value Message
2012-06-14 11:37:42 Jamie Strandboge bug added bug
2012-06-14 11:37:42 Jamie Strandboge attachment added sec1.bin https://bugs.launchpad.net/bugs/1013128/+attachment/3189152/+files/sec1.bin
2012-06-14 11:45:49 Jamie Strandboge bug added subscriber Michael Vogt
2012-06-14 11:45:58 Jamie Strandboge apt (Ubuntu): importance Undecided High
2012-06-14 14:20:43 Michael Vogt attachment added bzr bundle with the fix from Marc Deslauriers and test https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1013128/+attachment/3189399/+files/bzr-bundle-fix-with-test.diff
2012-06-14 15:50:28 Jamie Strandboge nominated for series Ubuntu Natty
2012-06-14 15:50:28 Jamie Strandboge bug task added apt (Ubuntu Natty)
2012-06-14 15:50:28 Jamie Strandboge nominated for series Ubuntu Lucid
2012-06-14 15:50:28 Jamie Strandboge bug task added apt (Ubuntu Lucid)
2012-06-14 15:50:28 Jamie Strandboge nominated for series Ubuntu Hardy
2012-06-14 15:50:28 Jamie Strandboge bug task added apt (Ubuntu Hardy)
2012-06-14 15:50:28 Jamie Strandboge nominated for series Ubuntu Oneiric
2012-06-14 15:50:28 Jamie Strandboge bug task added apt (Ubuntu Oneiric)
2012-06-14 15:50:28 Jamie Strandboge nominated for series Ubuntu Precise
2012-06-14 15:50:28 Jamie Strandboge bug task added apt (Ubuntu Precise)
2012-06-14 15:50:28 Jamie Strandboge nominated for series Ubuntu Quantal
2012-06-14 15:50:28 Jamie Strandboge bug task added apt (Ubuntu Quantal)
2012-06-14 15:51:09 Jamie Strandboge apt (Ubuntu Lucid): status New In Progress
2012-06-14 15:51:10 Jamie Strandboge apt (Ubuntu Lucid): importance Undecided High
2012-06-14 15:51:10 Jamie Strandboge apt (Ubuntu Lucid): assignee Jamie Strandboge (jdstrand)
2012-06-14 15:51:11 Jamie Strandboge apt (Ubuntu Natty): status New In Progress
2012-06-14 15:51:12 Jamie Strandboge apt (Ubuntu Natty): importance Undecided High
2012-06-14 15:51:12 Jamie Strandboge apt (Ubuntu Natty): assignee Jamie Strandboge (jdstrand)
2012-06-14 15:51:13 Jamie Strandboge apt (Ubuntu Oneiric): status New In Progress
2012-06-14 15:51:14 Jamie Strandboge apt (Ubuntu Oneiric): importance Undecided High
2012-06-14 15:51:15 Jamie Strandboge apt (Ubuntu Oneiric): assignee Jamie Strandboge (jdstrand)
2012-06-14 15:51:16 Jamie Strandboge apt (Ubuntu Precise): status New In Progress
2012-06-14 15:51:16 Jamie Strandboge apt (Ubuntu Precise): importance Undecided High
2012-06-14 15:51:17 Jamie Strandboge apt (Ubuntu Precise): assignee Jamie Strandboge (jdstrand)
2012-06-14 15:51:18 Jamie Strandboge apt (Ubuntu Quantal): status New In Progress
2012-06-14 15:51:19 Jamie Strandboge apt (Ubuntu Quantal): assignee Michael Vogt (mvo) Jamie Strandboge (jdstrand)
2012-06-14 15:51:20 Jamie Strandboge apt (Ubuntu Hardy): status New In Progress
2012-06-14 15:51:21 Jamie Strandboge apt (Ubuntu Hardy): importance Undecided High
2012-06-14 15:51:22 Jamie Strandboge apt (Ubuntu Hardy): assignee Jamie Strandboge (jdstrand)
2012-06-14 15:52:53 Jamie Strandboge description
  Old value:
  Georgi Guninski reported on http://seclists.org/fulldisclosure/2012/Jun/267: "While wasting my time with apt-key noticed strange behaviour with colliding subkeys. Out of paranoia ubuntu disallows importing certain trusted keyids. This is trivial to circumvent by making a collision with subkey. Attached is a key with subkey keyid colliding with Ubuntu Archive Master Signing Key <ftpmaster () ubuntu com>. By emulating apt-key netupdate, noticed that the order of the keyrings is important. If the master keyring is first, the colliding key with correct signature fails validation (probably because the other key is used). If the colliding keyring is first, everything is ok (modulo reporting wrong signer). Probably this may lead to gpg abuse.

  colliding first:
  $gpg --ignore-time-conflict --no-options --no-default-keyring --secret-keyring /etc/apt/secring.gpg --keyring /tmp/sec1 --keyring /usr/share/keyrings/ubuntu-master-keyring.gpg --check-sigs
  /tmp/sec1
  ---------
  pub   1024R/76A4410F 2012-06-13
  uid                  fuck31 (f) <f () f>
  sig!3        76A4410F 2012-06-13  fuck31 (f) <f () f>
  sig!         3F272F5B 2012-06-13  fuck31 (f) <f () f>
  sig!         3F272F5B 2012-06-13  fuck31 (f) <f () f>
  sub   1024R/2376C859 2012-06-13
  sig!         76A4410F 2012-06-13  fuck31 (f) <f () f>
  sub   2180R/3F272F5B 2012-06-13
  sig!         76A4410F 2012-06-13  fuck31 (f) <f () f>

  /usr/share/keyrings/ubuntu-master-keyring.gpg
  ---------------------------------------------
  pub   4096R/3F272F5B 2007-11-09
  uid                  Ubuntu Archive Master Signing Key <ftpmaster () ubuntu com>
  sig!3        3F272F5B 2007-11-09  fuck31 (f) <f () f> #wrong

  1 signature not checked due to a missing key

  master first:
  $gpg --ignore-time-conflict --no-options --no-default-keyring --secret-keyring /etc/apt/secring.gpg --keyring /usr/share/keyrings/ubuntu-master-keyring.gpg --keyring /tmp/sec1 --check-sigs
  /usr/share/keyrings/ubuntu-master-keyring.gpg
  ---------------------------------------------
  pub   4096R/3F272F5B 2007-11-09
  uid                  Ubuntu Archive Master Signing Key <ftpmaster () ubuntu com>
  sig!3        3F272F5B 2007-11-09  Ubuntu Archive Master Signing Key <ftpmaster () ubuntu com>

  /tmp/sec1
  ---------
  pub   1024R/76A4410F 2012-06-13
  uid                  fuck31 (f) <f () f>
  sig!3        76A4410F 2012-06-13  [User ID not found]
  sig-         3F272F5B 2012-06-13  Ubuntu Archive Master Signing Key <ftpmaster () ubuntu com> # wrong, signer is a subkey of f () f
  sig-         3F272F5B 2012-06-13  Ubuntu Archive Master Signing Key <ftpmaster () ubuntu com> # wrong, signer is a subkey of f () f
  sub   1024R/2376C859 2012-06-13
  sig!         76A4410F 2012-06-13  [User ID not found]
  sub   2180R/3F272F5B 2012-06-13
  sig!         76A4410F 2012-06-13  [User ID not found]

  2 bad signatures
  1 signature not checked due to a missing key"

  New value:
  Georgi Guninski reported on http://seclists.org/fulldisclosure/2012/Jun/267 (slightly modified for language): "While wasting my time with apt-key noticed strange behaviour with colliding subkeys. Out of paranoia ubuntu disallows importing certain trusted keyids. This is trivial to circumvent by making a collision with subkey. Attached is a key with subkey keyid colliding with Ubuntu Archive Master Signing Key <ftpmaster () ubuntu com>. By emulating apt-key netupdate, noticed that the order of the keyrings is important. If the master keyring is first, the colliding key with correct signature fails validation (probably because the other key is used). If the colliding keyring is first, everything is ok (modulo reporting wrong signer). Probably this may lead to gpg abuse.

  colliding first:
  $gpg --ignore-time-conflict --no-options --no-default-keyring --secret-keyring /etc/apt/secring.gpg --keyring /tmp/sec1 --keyring /usr/share/keyrings/ubuntu-master-keyring.gpg --check-sigs
  /tmp/sec1
  ---------
  pub   1024R/76A4410F 2012-06-13
  uid                  f...31 (f) <f () f>
  sig!3        76A4410F 2012-06-13  f...31 (f) <f () f>
  sig!         3F272F5B 2012-06-13  f...31 (f) <f () f>
  sig!         3F272F5B 2012-06-13  f...31 (f) <f () f>
  sub   1024R/2376C859 2012-06-13
  sig!         76A4410F 2012-06-13  f...31 (f) <f () f>
  sub   2180R/3F272F5B 2012-06-13
  sig!         76A4410F 2012-06-13  f...31 (f) <f () f>

  /usr/share/keyrings/ubuntu-master-keyring.gpg
  ---------------------------------------------
  pub   4096R/3F272F5B 2007-11-09
  uid                  Ubuntu Archive Master Signing Key <ftpmaster () ubuntu com>
  sig!3        3F272F5B 2007-11-09  fuck31 (f) <f () f> #wrong

  1 signature not checked due to a missing key

  master first:
  $gpg --ignore-time-conflict --no-options --no-default-keyring --secret-keyring /etc/apt/secring.gpg --keyring /usr/share/keyrings/ubuntu-master-keyring.gpg --keyring /tmp/sec1 --check-sigs
  /usr/share/keyrings/ubuntu-master-keyring.gpg
  ---------------------------------------------
  pub   4096R/3F272F5B 2007-11-09
  uid                  Ubuntu Archive Master Signing Key <ftpmaster () ubuntu com>
  sig!3        3F272F5B 2007-11-09  Ubuntu Archive Master Signing Key <ftpmaster () ubuntu com>

  /tmp/sec1
  ---------
  pub   1024R/76A4410F 2012-06-13
  uid                  f...31 (f) <f () f>
  sig!3        76A4410F 2012-06-13  [User ID not found]
  sig-         3F272F5B 2012-06-13  Ubuntu Archive Master Signing Key <ftpmaster () ubuntu com> # wrong, signer is a subkey of f () f
  sig-         3F272F5B 2012-06-13  Ubuntu Archive Master Signing Key <ftpmaster () ubuntu com> # wrong, signer is a subkey of f () f
  sub   1024R/2376C859 2012-06-13
  sig!         76A4410F 2012-06-13  [User ID not found]
  sub   2180R/3F272F5B 2012-06-13
  sig!         76A4410F 2012-06-13  [User ID not found]

  2 bad signatures
  1 signature not checked due to a missing key"
2012-06-14 15:53:22 Jamie Strandboge description
  Old value:
  Georgi Guninski reported on http://seclists.org/fulldisclosure/2012/Jun/267 (slightly modified for language): "While wasting my time with apt-key noticed strange behaviour with colliding subkeys. Out of paranoia ubuntu disallows importing certain trusted keyids. This is trivial to circumvent by making a collision with subkey. Attached is a key with subkey keyid colliding with Ubuntu Archive Master Signing Key <ftpmaster () ubuntu com>. By emulating apt-key netupdate, noticed that the order of the keyrings is important. If the master keyring is first, the colliding key with correct signature fails validation (probably because the other key is used). If the colliding keyring is first, everything is ok (modulo reporting wrong signer). Probably this may lead to gpg abuse.

  colliding first:
  $gpg --ignore-time-conflict --no-options --no-default-keyring --secret-keyring /etc/apt/secring.gpg --keyring /tmp/sec1 --keyring /usr/share/keyrings/ubuntu-master-keyring.gpg --check-sigs
  /tmp/sec1
  ---------
  pub   1024R/76A4410F 2012-06-13
  uid                  f...31 (f) <f () f>
  sig!3        76A4410F 2012-06-13  f...31 (f) <f () f>
  sig!         3F272F5B 2012-06-13  f...31 (f) <f () f>
  sig!         3F272F5B 2012-06-13  f...31 (f) <f () f>
  sub   1024R/2376C859 2012-06-13
  sig!         76A4410F 2012-06-13  f...31 (f) <f () f>
  sub   2180R/3F272F5B 2012-06-13
  sig!         76A4410F 2012-06-13  f...31 (f) <f () f>

  /usr/share/keyrings/ubuntu-master-keyring.gpg
  ---------------------------------------------
  pub   4096R/3F272F5B 2007-11-09
  uid                  Ubuntu Archive Master Signing Key <ftpmaster () ubuntu com>
  sig!3        3F272F5B 2007-11-09  fuck31 (f) <f () f> #wrong

  1 signature not checked due to a missing key

  master first:
  $gpg --ignore-time-conflict --no-options --no-default-keyring --secret-keyring /etc/apt/secring.gpg --keyring /usr/share/keyrings/ubuntu-master-keyring.gpg --keyring /tmp/sec1 --check-sigs
  /usr/share/keyrings/ubuntu-master-keyring.gpg
  ---------------------------------------------
  pub   4096R/3F272F5B 2007-11-09
  uid                  Ubuntu Archive Master Signing Key <ftpmaster () ubuntu com>
  sig!3        3F272F5B 2007-11-09  Ubuntu Archive Master Signing Key <ftpmaster () ubuntu com>

  /tmp/sec1
  ---------
  pub   1024R/76A4410F 2012-06-13
  uid                  f...31 (f) <f () f>
  sig!3        76A4410F 2012-06-13  [User ID not found]
  sig-         3F272F5B 2012-06-13  Ubuntu Archive Master Signing Key <ftpmaster () ubuntu com> # wrong, signer is a subkey of f () f
  sig-         3F272F5B 2012-06-13  Ubuntu Archive Master Signing Key <ftpmaster () ubuntu com> # wrong, signer is a subkey of f () f
  sub   1024R/2376C859 2012-06-13
  sig!         76A4410F 2012-06-13  [User ID not found]
  sub   2180R/3F272F5B 2012-06-13
  sig!         76A4410F 2012-06-13  [User ID not found]

  2 bad signatures
  1 signature not checked due to a missing key"

  New value:
  Georgi Guninski reported on http://seclists.org/fulldisclosure/2012/Jun/267 (slightly modified for language): "While wasting my time with apt-key noticed strange behaviour with colliding subkeys. Out of paranoia ubuntu disallows importing certain trusted keyids. This is trivial to circumvent by making a collision with subkey. Attached is a key with subkey keyid colliding with Ubuntu Archive Master Signing Key <ftpmaster () ubuntu com>. By emulating apt-key netupdate, noticed that the order of the keyrings is important. If the master keyring is first, the colliding key with correct signature fails validation (probably because the other key is used). If the colliding keyring is first, everything is ok (modulo reporting wrong signer). Probably this may lead to gpg abuse.

  colliding first:
  $gpg --ignore-time-conflict --no-options --no-default-keyring --secret-keyring /etc/apt/secring.gpg --keyring /tmp/sec1 --keyring /usr/share/keyrings/ubuntu-master-keyring.gpg --check-sigs
  /tmp/sec1
  ---------
  pub   1024R/76A4410F 2012-06-13
  uid                  f...31 (f) <f () f>
  sig!3        76A4410F 2012-06-13  f...31 (f) <f () f>
  sig!         3F272F5B 2012-06-13  f...31 (f) <f () f>
  sig!         3F272F5B 2012-06-13  f...31 (f) <f () f>
  sub   1024R/2376C859 2012-06-13
  sig!         76A4410F 2012-06-13  f...31 (f) <f () f>
  sub   2180R/3F272F5B 2012-06-13
  sig!         76A4410F 2012-06-13  f...31 (f) <f () f>

  /usr/share/keyrings/ubuntu-master-keyring.gpg
  ---------------------------------------------
  pub   4096R/3F272F5B 2007-11-09
  uid                  Ubuntu Archive Master Signing Key <ftpmaster () ubuntu com>
  sig!3        3F272F5B 2007-11-09  f...31 (f) <f () f> #wrong

  1 signature not checked due to a missing key

  master first:
  $gpg --ignore-time-conflict --no-options --no-default-keyring --secret-keyring /etc/apt/secring.gpg --keyring /usr/share/keyrings/ubuntu-master-keyring.gpg --keyring /tmp/sec1 --check-sigs
  /usr/share/keyrings/ubuntu-master-keyring.gpg
  ---------------------------------------------
  pub   4096R/3F272F5B 2007-11-09
  uid                  Ubuntu Archive Master Signing Key <ftpmaster () ubuntu com>
  sig!3        3F272F5B 2007-11-09  Ubuntu Archive Master Signing Key <ftpmaster () ubuntu com>

  /tmp/sec1
  ---------
  pub   1024R/76A4410F 2012-06-13
  uid                  f...31 (f) <f () f>
  sig!3        76A4410F 2012-06-13  [User ID not found]
  sig-         3F272F5B 2012-06-13  Ubuntu Archive Master Signing Key <ftpmaster () ubuntu com> # wrong, signer is a subkey of f () f
  sig-         3F272F5B 2012-06-13  Ubuntu Archive Master Signing Key <ftpmaster () ubuntu com> # wrong, signer is a subkey of f () f
  sub   1024R/2376C859 2012-06-13
  sig!         76A4410F 2012-06-13  [User ID not found]
  sub   2180R/3F272F5B 2012-06-13
  sig!         76A4410F 2012-06-13  [User ID not found]

  2 bad signatures
  1 signature not checked due to a missing key"
2012-06-14 17:55:07 Jamie Strandboge apt (Ubuntu Lucid): status In Progress Fix Committed
2012-06-14 17:55:07 Jamie Strandboge apt (Ubuntu Natty): status In Progress Fix Committed
2012-06-14 17:55:08 Jamie Strandboge apt (Ubuntu Oneiric): status In Progress Fix Committed
2012-06-14 17:55:09 Jamie Strandboge apt (Ubuntu Precise): status In Progress Fix Committed
2012-06-14 17:55:10 Jamie Strandboge apt (Ubuntu Quantal): status In Progress Fix Committed
2012-06-14 17:55:11 Jamie Strandboge apt (Ubuntu Hardy): status In Progress Fix Committed
2012-06-14 22:22:21 Jamie Strandboge visibility private public
2012-06-14 22:36:33 Launchpad Janitor apt (Ubuntu Quantal): status Fix Committed Fix Released
2012-06-14 22:36:33 Launchpad Janitor apt (Ubuntu Precise): status Fix Committed Fix Released
2012-06-14 23:18:17 Launchpad Janitor branch linked lp:ubuntu/precise-security/apt
2012-06-14 23:18:22 Launchpad Janitor branch linked lp:ubuntu/apt
2012-06-15 02:38:25 Launchpad Janitor apt (Ubuntu Oneiric): status Fix Committed Fix Released
2012-06-15 02:38:25 Launchpad Janitor apt (Ubuntu Natty): status Fix Committed Fix Released
2012-06-15 02:38:25 Launchpad Janitor apt (Ubuntu Lucid): status Fix Committed Fix Released
2012-06-15 02:38:25 Launchpad Janitor apt (Ubuntu Hardy): status Fix Committed Fix Released
2012-06-15 02:51:17 Launchpad Janitor branch linked lp:ubuntu/lucid-security/apt
2012-06-15 02:51:19 Launchpad Janitor branch linked lp:ubuntu/natty-security/apt
2012-06-15 02:51:20 Launchpad Janitor branch linked lp:ubuntu/hardy-security/apt
2012-06-15 02:51:23 Launchpad Janitor branch linked lp:ubuntu/oneiric-security/apt
2012-06-15 03:05:04 Jamie Strandboge bug watch added http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=677587
2012-06-15 03:05:04 Jamie Strandboge bug task added apt (Debian)
2012-06-15 03:22:35 Bug Watch Updater apt (Debian): status Unknown New
2012-06-15 05:53:49 georgi bug added subscriber georgi
2014-02-15 16:33:52 Bug Watch Updater apt (Debian): status New Fix Released