apt-get source fails to warn on unauthenticated packages

Bug #1329274 reported by Michael Vogt on 2014-06-12
This bug affects 2 people

Affects           Status        Importance  Assigned to        Milestone
APT               Fix Released  Unknown
apt (Ubuntu)                    High        Michael Vogt
  Lucid                         Medium      Marc Deslauriers
  Precise                       Medium      Marc Deslauriers
  Saucy                         Medium      Marc Deslauriers
  Trusty                        Medium      Marc Deslauriers
  Utopic                        High        Michael Vogt

Bug Description

apt-get source foo will not warn if the repository that foo belongs to has no signature attached.

It should fail in this case; this is CVE-2014-0478.
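The check the fix adds, modelled as an added example (not apt's own code): a source record is only as trustworthy as the index it came from, so the download must be refused when that index was not authenticated, and the fetched files must then match the record's checksums. The Sources stanza, file contents, and the `allow_unauthenticated` knob are constructed for this example.

```python
"""Model of the authenticated apt-get source flow (added example, not apt code).

apt-get source takes the file list and checksums from the Sources index entry.
Those checksums only mean something if the index came from a signed Release
file, which is the check apt-get source lacked before CVE-2014-0478 was fixed.
"""
import hashlib

# Constructed sample source package files (not a real package).
SAMPLE_FILES = {
    "foo_1.0-1.dsc": b"Format: 3.0 (quilt)\nSource: foo\nVersion: 1.0-1\n",
    "foo_1.0.orig.tar.gz": b"\x1f\x8bconstructed, not a real tarball",
}

def build_sources_stanza(files):
    """Build the Sources index stanza an archive would publish for these files."""
    lines = ["Package: foo", "Version: 1.0-1", "Checksums-Sha256:"]
    for name, data in files.items():
        lines.append(f" {hashlib.sha256(data).hexdigest()} {len(data)} {name}")
    return "\n".join(lines) + "\n"

SAMPLE_STANZA = build_sources_stanza(SAMPLE_FILES)

def parse_checksums(stanza):
    """Return {filename: (sha256, size)} from the Checksums-Sha256 field."""
    result, in_field = {}, False
    for line in stanza.splitlines():
        if line.startswith("Checksums-Sha256:"):
            in_field = True
            continue
        if in_field:
            if not line.startswith(" "):
                break                      # next field ends the continuation
            digest, size, name = line.split()
            result[name] = (digest, int(size))
    return result

def verify_source(stanza, files, index_trusted, allow_unauthenticated=False):
    """Return ("refused", reason) if the index is unsigned and not explicitly
    allowed, ("corrupt", name) on a checksum/size mismatch, else ("ok", names)."""
    if not index_trusted and not allow_unauthenticated:
        return ("refused", "source record comes from an unauthenticated index")
    verified = []
    for name, (digest, size) in parse_checksums(stanza).items():
        data = files.get(name, b"")
        if len(data) != size or hashlib.sha256(data).hexdigest() != digest:
            return ("corrupt", name)
        verified.append(name)
    return ("ok", verified)
```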

Michael Vogt (mvo) on 2014-06-12
Changed in apt (Ubuntu):
importance: Undecided → High
assignee: nobody → Michael Vogt (mvo)
status: New → In Progress
information type: Public → Public Security
description: updated
Changed in apt:
status: Unknown → New
tags: added: patch
Changed in apt:
status: New → Fix Released
Changed in apt (Ubuntu Lucid):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in apt (Ubuntu Precise):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in apt (Ubuntu Saucy):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in apt (Ubuntu Trusty):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in apt (Ubuntu Lucid):
status: New → Confirmed
importance: Undecided → Medium
Changed in apt (Ubuntu Precise):
status: New → Confirmed
importance: Undecided → Medium
Changed in apt (Ubuntu Saucy):
status: New → Confirmed
importance: Undecided → Medium
Changed in apt (Ubuntu Trusty):
status: New → Confirmed
importance: Undecided → Medium
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apt - 0.9.9.1~ubuntu3.2

---------------
apt (0.9.9.1~ubuntu3.2) saucy-security; urgency=low

  * SECURITY UPDATE: incorrect apt-get source validation (LP: #1329274)
    - warn if not authenticated in cmdline/apt-get.cc, added regression
      test to test/integration/test-apt-get-source-authenticated,
      test/integration/framework.
    - CVE-2014-0478
 -- Michael Vogt <email address hidden> Thu, 12 Jun 2014 14:02:26 +0200

Changed in apt (Ubuntu Saucy):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apt - 1.0.1ubuntu2.1

---------------
apt (1.0.1ubuntu2.1) trusty-security; urgency=low

  * SECURITY UPDATE: incorrect apt-get source validation (LP: #1329274)
    - warn if not authenticated in apt-private/private-download.*,
      cmdline/apt-get.cc, added regression test to
      test/integration/test-apt-get-source-authenticated.
    - CVE-2014-0478
 -- Michael Vogt <email address hidden> Thu, 12 Jun 2014 13:57:38 +0200

Changed in apt (Ubuntu Trusty):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apt - 0.8.16~exp12ubuntu10.17

---------------
apt (0.8.16~exp12ubuntu10.17) precise-security; urgency=low

  * SECURITY UPDATE: incorrect apt-get source validation (LP: #1329274)
    - warn if not authenticated in cmdline/apt-get.cc, added regression
      test to test/integration/test-apt-get-source-authenticated,
      test/integration/framework.
    - CVE-2014-0478
 -- Michael Vogt <email address hidden> Thu, 12 Jun 2014 14:12:19 +0200

Changed in apt (Ubuntu Precise):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apt - 0.7.25.3ubuntu9.15

---------------
apt (0.7.25.3ubuntu9.15) lucid-security; urgency=low

  * SECURITY UPDATE: incorrect apt-get source validation (LP: #1329274)
    - warn if not authenticated in cmdline/apt-get.cc.
    - CVE-2014-0478
 -- Michael Vogt <email address hidden> Thu, 12 Jun 2014 15:10:43 +0200

Changed in apt (Ubuntu Lucid):
status: Confirmed → Fix Released
TheoB (theo-y) wrote :

I don't know why I land up here. The PC tells me there are updates and then it refuses to install the updates. I'm told to check my connection but my connection is solid!!!

Thank you
Theo

Michael Vogt (mvo) on 2014-06-19
Changed in apt (Ubuntu Utopic):
status: In Progress → Fix Released
Forest Bond (forest-bond) wrote :

Question: Why are --force-yes and --assume-yes not honored as they are when checking authenticity of binaries?

Marc Deslauriers (mdeslaur) wrote :

@ Forest Bond: Please file a new bug, this bug is closed.

Forest Bond (forest-bond) wrote :

Or at least just --force-yes. --assume-yes is not sufficient to bypass the authenticity check without a prompt. I gather there is a desire to avoid prompting.
