python-apt downloads from untrusted sources where apt does not
Bug #1858973 reported by Seth Arnold
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| aptdaemon (Ubuntu) | Fix Released | Undecided | Unassigned | |
| python-apt (Ubuntu) | Fix Released | Undecided | Unassigned | |
Bug Description
python-apt never checked whether the hashes it got were signed in the first place. So, python-apt is happy to download files from unsigned repositories when it shouldn't.
Making the code only fetch trusted packages means that using it on untrusted packages will fail. There might be use cases broken by this.
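As an added illustration of the check the description calls for (example code, not python-apt's own fix and not from this report), the gate below refuses to fetch a package version unless at least one of its origins carries a verified repository signature, which is the rule apt itself applies. It assumes python-apt's `Version.origins`, `Origin.trusted` and `Version.fetch_binary` interface; the `Fake*` classes are constructed stand-ins so it runs without an apt cache.

```python
# Added example, not code from python-apt or from this bug report. It assumes
# python-apt's public interface: an apt.package.Version has .origins (a list of
# apt.package.Origin objects with .site, .archive and .trusted) and a
# .fetch_binary(destdir) method. apt treats a version as authenticated when at
# least one origin index has a validly signed Release file; the gate below
# applies that rule before any download. The Fake* classes are constructed
# stand-ins so the gate can be exercised without an apt cache.
from dataclasses import dataclass, field
from typing import List

class UntrustedSourceError(Exception):
    """Raised when no signed repository offers the requested version."""

def is_authenticated(version) -> bool:
    """True if at least one origin of *version* has a verified signature."""
    return any(origin.trusted for origin in version.origins)

def fetch_authenticated_binary(version, destdir: str = "") -> str:
    """Fetch the .deb for *version* only if a signed repository offers it;
    an unsigned repository cannot vouch for its own checksums, so the fetch
    is refused rather than verified against unauthenticated hashes."""
    if not is_authenticated(version):
        sources = ", ".join(f"{o.site}/{o.archive}" for o in version.origins)
        raise UntrustedSourceError(
            f"refusing {version.package.name} {version.version}: "
            f"no signed origin (offered by: {sources or 'nothing'})"
        )
    return version.fetch_binary(destdir)

# Constructed stand-ins for apt.package.Origin, Package and Version.
@dataclass
class FakeOrigin:
    site: str
    archive: str
    trusted: bool

@dataclass
class FakePackage:
    name: str

@dataclass
class FakeVersion:
    package: FakePackage
    version: str
    origins: List[FakeOrigin] = field(default_factory=list)

    def fetch_binary(self, destdir: str = "") -> str:
        # A real Version would download the .deb here and return its path.
        return f"{destdir or '.'}/{self.package.name}_{self.version}_amd64.deb"
```

With a real cache the same gate is applied as `fetch_authenticated_binary(cache["hello"].candidate, "/tmp")`.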
CVE References
- summary: "placeholder" → "python-apt downloads from untrusted sources where apt does not"
- description: updated
- information type: Private Security → Public Security
The attached patch needs to be applied to all aptdaemons and their versions bumped to match the Breaks added in bug #1858972.
Patches for python-apt can be found in that bug.