add-apt-repository downloads gpg key in an insecure fashion
Bug #1016643 reported by Marc Deslauriers
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
GnuPG | Fix Released | Unknown | |
gnupg (Ubuntu) | Fix Released | Undecided | Unassigned |
gnupg (Ubuntu Hardy) | Fix Released | Undecided | Unassigned |
gnupg (Ubuntu Lucid) | Fix Released | Undecided | Unassigned |
gnupg (Ubuntu Natty) | Fix Released | Undecided | Unassigned |
gnupg (Ubuntu Oneiric) | Fix Released | Undecided | Unassigned |
gnupg (Ubuntu Precise) | Fix Released | Undecided | Unassigned |
gnupg (Ubuntu Quantal) | Fix Released | Undecided | Unassigned |
gnupg2 (Ubuntu) | Fix Released | Undecided | Unassigned |
gnupg2 (Ubuntu Hardy) | Fix Released | Undecided | Unassigned |
gnupg2 (Ubuntu Lucid) | Fix Released | Undecided | Unassigned |
gnupg2 (Ubuntu Natty) | Fix Released | Undecided | Unassigned |
gnupg2 (Ubuntu Oneiric) | Fix Released | Undecided | Unassigned |
gnupg2 (Ubuntu Precise) | Fix Released | Undecided | Unassigned |
gnupg2 (Ubuntu Quantal) | Fix Released | Undecided | Unassigned |
software-properties (Ubuntu) | Fix Released | Undecided | Unassigned |
software-properties (Ubuntu Lucid) | Fix Released | Undecided | Unassigned |
software-properties (Ubuntu Natty) | Fix Released | Undecided | Unassigned |
software-properties (Ubuntu Oneiric) | Fix Released | Undecided | Unassigned |
software-properties (Ubuntu Precise) | Fix Released | Undecided | Unassigned |
software-properties (Ubuntu Quantal) | Fix Released | Undecided | Unassigned |
Bug Description
add-apt-repository can add PPAs and automatically import the PPA gpg key.
Unfortunately, it uses apt-key, which in turn uses gpg to download the key from a keyserver.
gpg downloads keys from keyservers using the short key id, which is trivial to collide.
It is therefore possible to either MITM the point where gpg downloads the key from the keyserver, or to simply upload a second colliding key to the keyserver. This can result in being able to MITM packages installed from PPAs.
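The weakness described above comes down to what is compared: a short key ID is only the low 32 bits of the key's fingerprint (its last 8 hex digits), so two different keys can share one, while the full 160-bit fingerprint identifies the key. The following is an added example, not code from gnupg, apt or software-properties, showing the check a defender wants around any key import: parse the machine-readable `gpg --with-colons --fingerprint` record format (an `fpr` record carries the full fingerprint in its 10th field) and accept a fetched key only when its primary key's full fingerprint equals a pinned value. The fingerprints, key IDs and gpg output in the block are constructed for the demonstration and belong to no real key; the two constructed fingerprints deliberately share their last 8 hex digits so the short-ID comparison and the full-fingerprint comparison can be seen to disagree.

```python
"""Pin an OpenPGP key by its full fingerprint, not its short key ID.

Added example; not code from gnupg, apt or software-properties. It parses
the `gpg --with-colons --fingerprint` record format, in which the "fpr"
record carries the full fingerprint in field 10, and accepts a key only if
the primary key's full fingerprint equals the pinned value. Every
fingerprint and every line of gpg output below is constructed for the demo.
"""
import re

# Constructed: the fingerprint an administrator has pinned for a PPA key
# (written the way gpg prints it, with grouping and a double space).
PINNED_FINGERPRINT = "A1B2 C3D4 E5F6 0718 293A  4B5C 6D7E 8F90 DEAD BEEF"

# Constructed: an unrelated key whose last 8 hex digits happen to coincide.
COLLIDING_FINGERPRINT = "FFFFEEEEDDDDCCCCBBBBAAAA99998888DEADBEEF"

# Constructed gpg --with-colons --fingerprint output for each key.
# Field 5 of "pub" is the long key ID; field 10 of "fpr" is the fingerprint.
GENUINE_COLONS = """\
pub:-:4096:1:6D7E8F90DEADBEEF:1340000000::-:::scESC::::::
fpr:::::::::A1B2C3D4E5F60718293A4B5C6D7E8F90DEADBEEF:
uid:-::::1340000000::0000000000000000000000000000000000000000::PPA signing key (constructed) <ppa@example.invalid>::::::::::0:
"""
COLLIDING_COLONS = """\
pub:-:4096:1:99998888DEADBEEF:1340000000::-:::scESC::::::
fpr:::::::::FFFFEEEEDDDDCCCCBBBBAAAA99998888DEADBEEF:
uid:-::::1340000000::0000000000000000000000000000000000000000::PPA signing key (constructed) <ppa@example.invalid>::::::::::0:
"""


def normalize_fingerprint(value: str) -> str:
    """Strip whitespace and upper-case; reject anything but a 40-hex-digit v4 fingerprint."""
    fpr = re.sub(r"\s+", "", value).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", fpr):
        raise ValueError(f"not a 40-hex-digit OpenPGP v4 fingerprint: {value!r}")
    return fpr


def short_key_id(fingerprint: str) -> str:
    """Short key ID: the low 32 bits of the fingerprint, i.e. its last 8 hex digits."""
    return normalize_fingerprint(fingerprint)[-8:]


def long_key_id(fingerprint: str) -> str:
    """Long key ID: the low 64 bits, i.e. the last 16 hex digits."""
    return normalize_fingerprint(fingerprint)[-16:]


def primary_fingerprints(colons_output: str) -> list:
    """Full fingerprint of every primary key in gpg --with-colons output.

    The "fpr" record directly after a "pub" record belongs to that primary
    key; "fpr" records after a "sub" record belong to subkeys and are skipped.
    """
    found = []
    expecting_primary = False
    for line in colons_output.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            expecting_primary = True
        elif fields[0] == "sub":
            expecting_primary = False
        elif fields[0] == "fpr" and expecting_primary and len(fields) > 9:
            found.append(fields[9].upper())
            expecting_primary = False
    return found


def key_matches_pin(colons_output: str, pinned_fingerprint: str) -> bool:
    """Accept the fetched key only if a primary key's full fingerprint equals the pin."""
    return normalize_fingerprint(pinned_fingerprint) in primary_fingerprints(colons_output)


def short_id_only_matches(colons_output: str, pinned_fingerprint: str) -> bool:
    """What a lookup by short key ID effectively checks: only the last 8 hex digits."""
    wanted = short_key_id(pinned_fingerprint)
    return any(short_key_id(f) == wanted for f in primary_fingerprints(colons_output))


if __name__ == "__main__":
    for name, output in (("genuine", GENUINE_COLONS), ("colliding", COLLIDING_COLONS)):
        print(f"{name:9} short-id match: {short_id_only_matches(output, PINNED_FINGERPRINT)!s:5} "
              f"full-fingerprint match: {key_matches_pin(output, PINNED_FINGERPRINT)}")
```

In practice the `colons_output` argument would be the output of `gpg --with-colons --fingerprint` run over the key file that was fetched, and the pinned fingerprint would come from the PPA's own page or another out-of-band source; the point of the check is that the colliding key passes the short-ID comparison and fails the full-fingerprint one.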
Changed in software-properties (Ubuntu): status: New → Triaged
Changed in gnupg: status: Unknown → Fix Released
Changed in gnupg (Ubuntu): status: New → Triaged; visibility: private → public
Changed in software-properties (Ubuntu): status: Triaged → Invalid
Changed in gnupg2 (Ubuntu Quantal): status: New → Fix Released
Changed in gnupg (Ubuntu Quantal): status: Triaged → Fix Released
Changed in software-properties (Ubuntu Hardy): status: New → Invalid
Changed in software-properties (Ubuntu Lucid): status: New → Invalid
Changed in software-properties (Ubuntu Natty): status: New → Invalid
Changed in software-properties (Ubuntu Oneiric): status: New → Invalid
Changed in software-properties (Ubuntu Precise): status: New → Invalid
Changed in apt (Ubuntu Quantal): importance: Undecided → High; status: Confirmed → Triaged
Changed in apt (Ubuntu Precise): importance: Undecided → High; status: Confirmed → Triaged
Changed in software-properties (Ubuntu Quantal): status: Invalid → Confirmed
Changed in software-properties (Ubuntu Precise): status: Invalid → Confirmed
Changed in software-properties (Ubuntu Oneiric): status: Invalid → Confirmed
Changed in software-properties (Ubuntu Natty): status: Invalid → Confirmed
Changed in software-properties (Ubuntu Lucid): status: Invalid → Confirmed
Changed in software-properties (Ubuntu Hardy): status: Invalid → Confirmed
Changed in software-properties (Ubuntu Hardy): status: Confirmed → Invalid
tags: added: rls-q-notfixing
Changed in apt (Ubuntu Oneiric): status: Confirmed → Won't Fix
Changed in apt (Ubuntu Quantal): status: Triaged → Won't Fix
Upstream gpg 1.4.12 now uses the full key length when fetching remote keys:
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=6fe25e5602fabe92c68e5ba30e4777221e8612df