content injection in http method (CVE-2019-3462)
Bug #1812353 reported by Julian Andres Klode
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
apt (Ubuntu) | Fix Released | Critical | Unassigned |
Precise | Fix Released | Undecided | Leonidas S. Barbosa |
Trusty | Fix Released | Undecided | Marc Deslauriers |
Xenial | Fix Released | Undecided | Marc Deslauriers |
Bionic | Fix Released | Undecided | Marc Deslauriers |
Cosmic | Fix Released | Undecided | Marc Deslauriers |
Disco | Fix Released | Critical | Unassigned |

Bug Description
apt, starting with version 0.8.15, decodes target URLs of redirects, but does not check them for newlines, allowing MiTM attackers (or repository mirrors) to inject arbitrary headers into the result returned to the main process.
If the URL embeds hashes of the supposed file, it can thus be used to disable any validation of the downloaded file, as the fake hashes will be prepended in front of the right hashes.
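
The missing check described above, as an added C++ example (not apt's code and not the patch attached to this bug): it percent-decodes a redirect target and rejects it if the decoded form contains control characters such as CR or LF. The function names and the sample URLs are assumptions made for the illustration.

```cpp
#include <cctype>
#include <iostream>
#include <string>

// Percent-decode `in` into `out`; returns false on a malformed escape.
static bool PercentDecode(const std::string &in, std::string &out) {
    out.clear();
    for (std::size_t i = 0; i < in.size(); ++i) {
        if (in[i] != '%') { out.push_back(in[i]); continue; }
        if (i + 2 >= in.size()) return false;            // truncated "%X"
        unsigned char hi = in[i + 1], lo = in[i + 2];
        if (!std::isxdigit(hi) || !std::isxdigit(lo)) return false;
        out.push_back(static_cast<char>(std::stoi(in.substr(i + 1, 2), nullptr, 16)));
        i += 2;
    }
    return true;
}

// True if any byte is an ASCII control character (NUL, TAB, LF, CR, DEL, ...).
static bool HasControlChars(const std::string &s) {
    for (unsigned char c : s)
        if (c < 0x20 || c == 0x7f) return true;
    return false;
}

// Hypothetical helper: decode a redirect target and refuse it when the
// decoded value could span more than one line of a "Field: value" message.
// The check runs on the decoded string, because that is the form that gets
// written into the message passed to the main process.
bool DecodeRedirectTarget(const std::string &location, std::string &decoded) {
    if (!PercentDecode(location, decoded) || HasControlChars(decoded)) {
        decoded.clear();
        return false;
    }
    return true;
}

int main() {
    // Constructed sample inputs, not taken from the bug report.
    const char *samples[] = {
        "http://mirror.example/pool/file%20name.deb",
        "http://mirror.example/a.deb%0AX-Injected:%201",
        "http://mirror.example/a.deb%0d%0aX-Injected:%201",
        "http://mirror.example/a.deb%zz",
    };
    std::string out;
    for (const char *s : samples)
        std::cout << (DecodeRedirectTarget(s, out) ? "accept " : "reject ") << s << '\n';
}
```
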
Changed in apt (Ubuntu Precise):
assignee: nobody → Leonidas S. Barbosa (leosilvab)
Changed in apt (Ubuntu Trusty):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in apt (Ubuntu Xenial):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in apt (Ubuntu Bionic):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in apt (Ubuntu Cosmic):
assignee: nobody → Marc Deslauriers (mdeslaur)
information type: Private Security → Public Security
Changed in apt (Ubuntu Precise):
status: New → Fix Released
tags: added: patch
Attached preliminary patch for disco. Still working on test case, will issue full debdiffs for all releases later.