Ubuntu

net-update verifcation checking is still insecure (aka gpg key shadowing, again)

Reported by Jamie Strandboge on 2012-06-15
264
This bug affects 2 people
Affects Status Importance Assigned to Milestone
apt (Ubuntu)
Critical
Jamie Strandboge
Hardy
Critical
Jamie Strandboge
Lucid
Critical
Jamie Strandboge
Natty
Critical
Jamie Strandboge
Oneiric
Critical
Jamie Strandboge
Precise
Critical
Jamie Strandboge
Quantal
Critical
Jamie Strandboge

Bug Description

This is related to but different than:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/857472
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1013128

FYI:
http://seclists.org/fulldisclosure/2012/Jun/271
http://seclists.org/fulldisclosure/2012/Jun/289

The fix for both of the previous bugs was not enough. There is reportedly an active exploit utilizing the Ubuntu CD Image Automatic Signing Key.

Jamie Strandboge (jdstrand) wrote :

This has been assigned CVE-2012-0954.

visibility: private → public
Changed in apt (Ubuntu Lucid):
status: New → In Progress
importance: Undecided → Critical
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in apt (Ubuntu Natty):
status: New → In Progress
importance: Undecided → Critical
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in apt (Ubuntu Oneiric):
status: New → In Progress
importance: Undecided → Critical
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in apt (Ubuntu Precise):
status: New → In Progress
importance: Undecided → Critical
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in apt (Ubuntu Quantal):
status: New → In Progress
importance: Undecided → Critical
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in apt (Ubuntu Hardy):
status: New → In Progress
importance: Undecided → Critical
assignee: nobody → Jamie Strandboge (jdstrand)
summary: - gpg key shadowing, again
+ net-update verifcation checking is still insecure (aka gpg key
+ shadowing, again)
Michael Vogt (mvo) wrote :

Here is a alternative approach for the net-update:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/857472/comments/2

Jamie Strandboge (jdstrand) wrote :

Ok, I am disabling net-update like in http://www.ubuntu.com/usn/usn-1215-1/ until we can get this fixed for real. As discussed in IRC, we'll need to change how we verify via net-update and this is not something we want to rush.

Jamie Strandboge (jdstrand) wrote :

I filed bug #1013681 to track the progress of the real fix.

Changed in apt (Ubuntu Lucid):
status: In Progress → Fix Committed
Changed in apt (Ubuntu Natty):
status: In Progress → Fix Committed
Changed in apt (Ubuntu Oneiric):
status: In Progress → Fix Committed
Changed in apt (Ubuntu Precise):
status: In Progress → Fix Committed
Changed in apt (Ubuntu Quantal):
status: In Progress → Fix Committed
Changed in apt (Ubuntu Hardy):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apt - 0.7.9ubuntu17.6

---------------
apt (0.7.9ubuntu17.6) hardy-security; urgency=low

  * SECURITY UPDATE: Disable apt-key net-update for now, as validation
    code is still insecure
    - cmdline/apt-key: exit 1 immediately in net_update()
    - CVE-2012-0954
    - LP: #1013639
 -- Jamie Strandboge <email address hidden> Fri, 15 Jun 2012 07:48:24 -0500

Changed in apt (Ubuntu Hardy):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apt - 0.9.6ubuntu3

---------------
apt (0.9.6ubuntu3) quantal; urgency=low

  * SECURITY UPDATE: Disable apt-key net-update for now, as validation
    code is still insecure
    - cmdline/apt-key: exit 1 immediately in net_update()
    - CVE-2012-0954
    - LP: #1013639
 -- Jamie Strandboge <email address hidden> Fri, 15 Jun 2012 08:03:17 -0500

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apt - 0.8.16~exp12ubuntu10.2

---------------
apt (0.8.16~exp12ubuntu10.2) precise-security; urgency=low

  * SECURITY UPDATE: Disable apt-key net-update for now, as validation
    code is still insecure
    - cmdline/apt-key: exit 1 immediately in net_update()
    - CVE-2012-0954
    - LP: #1013639
 -- Jamie Strandboge <email address hidden> Fri, 15 Jun 2012 08:02:02 -0500

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apt - 0.8.16~exp5ubuntu13.5

---------------
apt (0.8.16~exp5ubuntu13.5) oneiric-security; urgency=low

  * SECURITY UPDATE: Disable apt-key net-update for now, as validation
    code is still insecure
    - cmdline/apt-key: exit 1 immediately in net_update()
    - CVE-2012-0954
    - LP: #1013639
 -- Jamie Strandboge <email address hidden> Fri, 15 Jun 2012 08:00:43 -0500

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apt - 0.8.13.2ubuntu4.6

---------------
apt (0.8.13.2ubuntu4.6) natty-security; urgency=low

  * SECURITY UPDATE: Disable apt-key net-update for now, as validation
    code is still insecure
    - cmdline/apt-key: exit 1 immediately in net_update()
    - CVE-2012-0954
    - LP: #1013639
 -- Jamie Strandboge <email address hidden> Fri, 15 Jun 2012 07:59:17 -0500

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apt - 0.7.25.3ubuntu9.13

---------------
apt (0.7.25.3ubuntu9.13) lucid-security; urgency=low

  * SECURITY UPDATE: Disable apt-key net-update for now, as validation
    code is still insecure
    - cmdline/apt-key: exit 1 immediately in net_update()
    - CVE-2012-0954
    - LP: #1013639
 -- Jamie Strandboge <email address hidden> Fri, 15 Jun 2012 07:58:02 -0500

Changed in apt (Ubuntu Lucid):
status: Fix Committed → Fix Released
Changed in apt (Ubuntu Natty):
status: Fix Committed → Fix Released
Changed in apt (Ubuntu Oneiric):
status: Fix Committed → Fix Released
Changed in apt (Ubuntu Precise):
status: Fix Committed → Fix Released
Changed in apt (Ubuntu Quantal):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers