cobbler-ubuntu-import does not check gpg signatures

Bug #974460 reported by Scott Moser on 2012-04-05
262
This bug affects 1 person
Affects Status Importance Assigned to Milestone
cobbler (Ubuntu)
High
Scott Moser
Oneiric
High
Unassigned
Precise
High
Scott Moser

Bug Description

cobbler-ubuntu-import downloads isos from a mirror, and checks them against MD5SUMS, but does not verify the validity of that MD5SUMS against the MD5SUMS.gpg.

Ie, someone could Man in the Middle the download.

The right way tot check is like this:

$ url=http://us.archive.ubuntu.com/ubuntu/dists/precise/main/installer-i386/current/images/MD5SUMS
$ wget $url -O MD5SUMS
$ wget $url.gpg -O MD5SUMS.gpg
$ gpg --keyring=/usr/share/keyrings/ubuntu-archive-keyring.gpg --verify MD5SUMS.gpg MD5SUMS

Related branches

CVE References

Changed in cobbler (Ubuntu Precise):
importance: Undecided → High
Scott Moser (smoser) on 2012-04-10
Changed in cobbler (Ubuntu Precise):
status: New → In Progress
assignee: nobody → Scott Moser (smoser)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cobbler - 2.2.2-0ubuntu32

---------------
cobbler (2.2.2-0ubuntu32) precise; urgency=low

  * replace static list of Ubuntu release names with dependency on
    distro-info in cobbler and and python-distro-info in python-cobbler
    (LP: #949442)
  * check signature of MD5SUMS.gpg against ubuntu-keyring, and verify
    that downloaded content matches expected (LP: #974460)
 -- Scott Moser <email address hidden> Mon, 09 Apr 2012 22:08:22 -0400

Changed in cobbler (Ubuntu Precise):
status: In Progress → Fix Released
Scott Moser (smoser) on 2012-04-10
summary: - cobbler-import-isos does not check gpg signatures
+ cobbler-ubuntu-import does not check gpg signatures
description: updated
Changed in cobbler (Ubuntu Oneiric):
status: New → Fix Released
importance: Undecided → High
visibility: private → public
Marc Deslauriers (mdeslaur) wrote :

This is CVE-2012-2092

To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers