Improper verification of updated key via apt-key net-update

Bug #856489 reported by Jamie Strandboge on 2011-09-22
Affects         Importance   Assigned to
apt (Ubuntu)    Critical     Marc Deslauriers
  Hardy         Critical     Marc Deslauriers
  Lucid         Critical     Marc Deslauriers
  Maverick      Critical     Marc Deslauriers
  Natty         Critical     Marc Deslauriers
  Oneiric       Critical     Marc Deslauriers

Bug Description

Jamie Strandboge (jdstrand) wrote :

Marc is working on a temporary fix until the real fix is prepared.

security vulnerability: no → yes
Changed in apt (Ubuntu):
assignee: nobody → Marc Deslauriers (mdeslaur)
status: New → In Progress
Changed in apt (Ubuntu Lucid):
status: New → In Progress
importance: Undecided → Critical
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in apt (Ubuntu Maverick):
status: New → In Progress
importance: Undecided → Critical
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in apt (Ubuntu Natty):
status: New → In Progress
importance: Undecided → Critical
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in apt (Ubuntu Oneiric):
importance: Undecided → Critical
description: updated
Changed in apt (Ubuntu Hardy):
status: New → In Progress
importance: Undecided → Critical
assignee: nobody → Marc Deslauriers (mdeslaur)
Kees Cook (kees) wrote :

If anyone can't wait for updates, removing the keyring URI from /usr/bin/apt-key should disable the fetch:

#ARCHIVE_KEYRING_URI=http://archive.ubuntu.com/ubuntu/project/ubuntu-archive-keyring.gpg
ARCHIVE_KEYRING_URI=
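
A check for the workaround described in the comment above, added here as an example; it is not from the bug report, from Kees Cook, or from apt itself. It reads an apt-key script given as an argument, finds the effective (last, uncommented) ARCHIVE_KEYRING_URI assignment, and reports whether "apt-key net-update" would still fetch a keyring over the network. The two sample script fragments it creates are constructed to mirror the quoted lines; the temporary directory and file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report or from apt): decide whether an
# apt-key script still has a non-empty ARCHIVE_KEYRING_URI, i.e. whether
# "apt-key net-update" would fetch a keyring from the network.

# Print the effective ARCHIVE_KEYRING_URI value of the script in $1.
# Commented-out assignments are ignored because the pattern requires the
# variable name to start the line (after optional whitespace); the last
# assignment wins, as it would in the shell.
effective_keyring_uri() {
    sed -n 's/^[[:space:]]*ARCHIVE_KEYRING_URI=\(.*\)$/\1/p' "$1" | tail -n 1
}

# Return 0 when net-update is effectively disabled (URI empty or never set),
# 1 when a URI would be fetched. Surrounding quotes are stripped first so
# ARCHIVE_KEYRING_URI="" also counts as disabled.
net_update_disabled() {
    uri=$(effective_keyring_uri "$1")
    uri=$(printf '%s' "$uri" | sed "s/^[\"']//; s/[\"']\$//")
    [ -z "$uri" ]
}

# Constructed sample scripts (assumption: written to a temporary directory).
WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# As shipped: the URI is active, so net-update would fetch the keyring.
SHIPPED_SCRIPT="$WORKDIR/apt-key.shipped"
cat > "$SHIPPED_SCRIPT" <<'EOF'
#!/bin/sh
ARCHIVE_KEYRING_URI=http://archive.ubuntu.com/ubuntu/project/ubuntu-archive-keyring.gpg
ARCHIVE_KEYRING=/usr/share/keyrings/ubuntu-archive-keyring.gpg
EOF

# After the workaround: the original line is commented out and the variable
# is assigned an empty value, exactly as quoted in the comment.
PATCHED_SCRIPT="$WORKDIR/apt-key.patched"
cat > "$PATCHED_SCRIPT" <<'EOF'
#!/bin/sh
#ARCHIVE_KEYRING_URI=http://archive.ubuntu.com/ubuntu/project/ubuntu-archive-keyring.gpg
ARCHIVE_KEYRING_URI=
ARCHIVE_KEYRING=/usr/share/keyrings/ubuntu-archive-keyring.gpg
EOF

# Report on both samples; the same loop works on a real /usr/bin/apt-key path.
for script in "$SHIPPED_SCRIPT" "$PATCHED_SCRIPT"; do
    if net_update_disabled "$script"; then
        echo "$script: net-update fetch disabled (no ARCHIVE_KEYRING_URI)"
    else
        echo "$script: net-update would fetch $(effective_keyring_uri "$script")"
    fi
done
```

On a real host the check is `net_update_disabled /usr/bin/apt-key`; a non-zero exit means the script would still reach out to the configured URI.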

Jamie Strandboge (jdstrand) wrote :

Packages are building now and updates will be made available shortly. The temporary fix disabling net-update for all releases can be seen in https://launchpad.net/ubuntu/+source/apt/0.8.16~exp5ubuntu11.

Changed in apt (Ubuntu Lucid):
status: In Progress → Fix Committed
Changed in apt (Ubuntu Maverick):
status: In Progress → Fix Committed
Changed in apt (Ubuntu Natty):
status: In Progress → Fix Committed
Changed in apt (Ubuntu Oneiric):
status: In Progress → Fix Committed
Changed in apt (Ubuntu Hardy):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apt - 0.8.13.2ubuntu4.2

---------------
apt (0.8.13.2ubuntu4.2) natty-security; urgency=low

  * SECURITY UPDATE: Disable apt-key net-update for now, as validation
    code is insecure. (LP: #856489)
    - cmdline/apt-key: exit immediately out of net_update().
    - CVE number pending
 -- Marc Deslauriers <email address hidden> Thu, 22 Sep 2011 11:03:15 -0400

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apt - 0.8.3ubuntu7.2

---------------
apt (0.8.3ubuntu7.2) maverick-security; urgency=low

  * SECURITY UPDATE: Disable apt-key net-update for now, as validation
    code is insecure. (LP: #856489)
    - cmdline/apt-key: exit immediately out of net_update().
    - CVE number pending
 -- Marc Deslauriers <email address hidden> Thu, 22 Sep 2011 11:23:05 -0400

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apt - 0.7.25.3ubuntu9.7

---------------
apt (0.7.25.3ubuntu9.7) lucid-security; urgency=low

  * SECURITY UPDATE: Disable apt-key net-update for now, as validation
    code is insecure. (LP: #856489)
    - cmdline/apt-key: exit immediately out of net_update().
    - CVE number pending
 -- Marc Deslauriers <email address hidden> Thu, 22 Sep 2011 11:24:50 -0400

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apt - 0.7.9ubuntu17.3

---------------
apt (0.7.9ubuntu17.3) hardy-security; urgency=low

  * SECURITY UPDATE: Disable apt-key net-update for now, as validation
    code is insecure. (LP: #856489)
    - cmdline/apt-key: exit immediately out of net_update().
    - CVE number pending
 -- Marc Deslauriers <email address hidden> Thu, 22 Sep 2011 11:26:16 -0400

Changed in apt (Ubuntu Hardy):
status: Fix Committed → Fix Released
Changed in apt (Ubuntu Lucid):
status: Fix Committed → Fix Released
Changed in apt (Ubuntu Maverick):
status: Fix Committed → Fix Released
Changed in apt (Ubuntu Natty):
status: Fix Committed → Fix Released
Changed in apt (Ubuntu Oneiric):
status: Fix Committed → Fix Released
security vulnerability: yes → no
visibility: public → private
Micah Gersten (micahg) on 2011-09-28
security vulnerability: no → yes
visibility: private → public
Changed in apt (Ubuntu):
assignee: Marc Deslauriers (mdeslaur) → jakeford18 (jake-ford-18)
Changed in apt (Ubuntu):
assignee: jakeford18 (jake-ford-18) → Marc Deslauriers (mdeslaur)