Need to send long keyids to software-center to prevent MITM attack

Bug #1052789 reported by Michael Vogt
Affects                  Status         Importance   Assigned to         Milestone
Software Center Agent    Fix Released   Critical     Anthony Lenton
aptdaemon (Ubuntu)       Fix Released   High         Unassigned
  Oneiric                Fix Released   Undecided    Marc Deslauriers
  Precise                Fix Released   Undecided    Marc Deslauriers
  Quantal                Fix Released   Undecided    Unassigned
  Raring                 Fix Released   High         Unassigned

Bug Description

In the subscriptions_for_me json and in the purchase json wgrant noticed that we use the short gpg keyids:
e.g. u'signing_key_id': u'1024r/75254d99'

These are vulnerable to man-in-the-middle attacks as it's relatively easy to create collisions on them and sneak in a different key into the keyring and compromise the system. Instead we need to send the long keyid. This *should* be transparent to the client (but obviously we need to test that). It should send the long fingerprint, e.g. 019A25FED88F961763935D7F129196470EB12F05 from http://launchpad.net/~mvo/+archive under "fingerprint".

Tags: ca-escalated
Michael Vogt (mvo) wrote :

This also affects aptdaemon, it is using:

        import subprocess

        # Quoted from aptdaemon: whatever keyid the caller passed (short 8-hex
        # ids included) goes straight to apt-key, and the key that the
        # keyserver actually returns is never compared against it.
        proc = subprocess.Popen(["/usr/bin/apt-key", "adv",
                                 "--keyserver", keyserver,
                                 "--recv", keyid], stderr=subprocess.STDOUT,
                                 stdout=subprocess.PIPE, close_fds=True)

Michael Vogt (mvo) wrote :

We need to port the software-properties fix for the key import to aptdaemon or fix the apt apt-key code.

Michael Vogt (mvo)
tags: added: ca-escalated
Changed in software-center-agent:
status: New → In Progress
importance: Undecided → Critical
importance: Critical → High
assignee: nobody → Anthony Lenton (elachuni)
importance: High → Critical
Michael Vogt (mvo) wrote :

To test you need to build the branch with bzr-buildpackage and install it.

Then run:
# aptdcon --keyserver=keyserver.ubuntu.com --add-vendor-key-from-keyserver=437D05B5

This should give you an error.

# aptdcon --add-vendor-key-from-keyserver=0xa1BD8E9D78F7FE5C3E65D8AF8B48AD6246925553 --keyserver=keyserver.ubuntu.com
# apt-key list

Should work and show:
pub 4096R/46925553 2012-04-27 [expires: 2020-04-25]
uid Debian Archive Automatic Signing Key (7.0/wheezy) <email address hidden>

in the apt-key list output.
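One way to implement the "check downloaded keyid" behaviour that the test above and the later changelog entries describe, as an added example that is not aptdaemon's own code: reject short ids up front, receive the key into a throwaway gpg keyring, and compare the fingerprint gpg reports against the requested id before anything touches the apt keyring. The gpg/tempfile flow, the function names and the SAMPLE_LISTING are assumptions constructed for this example; the fingerprints used are the ones quoted in the bug.

```python
import re
import subprocess
import tempfile

# Accept only a 40-hex fingerprint or a 16-hex long key id (optional 0x prefix);
# short 8-hex ids like 437D05B5 are rejected, since 32-bit collisions are cheap.
_ACCEPTED_ID = re.compile(r"^(?:0x)?([0-9A-Fa-f]{16}|[0-9A-Fa-f]{40})$")

def normalize_key_id(keyid):
    """Return the id as uppercase hex without 0x, or raise ValueError."""
    match = _ACCEPTED_ID.match(keyid.strip())
    if not match:
        raise ValueError("need a 40-hex fingerprint or 16-hex long id: %r" % keyid)
    return match.group(1).upper()

def primary_fingerprints(colons_output):
    """Primary-key fingerprints from 'gpg --with-colons --fingerprint' output."""
    fprs, in_primary = [], False
    for line in colons_output.splitlines():
        fields = line.split(":")
        if fields[0] in ("pub", "sub"):
            in_primary = fields[0] == "pub"
        elif fields[0] == "fpr" and in_primary and len(fields) > 9:
            fprs.append(fields[9].upper())  # field 10 holds the fingerprint
    return fprs

def key_matches(requested, fingerprints):
    """True if requested names a fingerprint; a long id matches its last 16 hex digits."""
    wanted = normalize_key_id(requested)
    return any(f == wanted or (len(wanted) == 16 and f.endswith(wanted))
               for f in fingerprints)

def fetch_and_check(keyid, keyserver):
    """Receive into a throwaway keyring; refuse anything but the requested key."""
    wanted = normalize_key_id(keyid)
    with tempfile.TemporaryDirectory() as homedir:
        base = ["gpg", "--batch", "--homedir", homedir]
        subprocess.check_call(base + ["--keyserver", keyserver, "--recv-keys", wanted])
        listing = subprocess.check_output(base + ["--with-colons", "--fingerprint"],
                                          universal_newlines=True)
    fprs = primary_fingerprints(listing)
    if not key_matches(wanted, fprs):
        raise RuntimeError("keyserver returned %s, not %s" % (fprs, wanted))
    return fprs  # only now is it safe to import the key into the apt keyring

# Constructed gpg --with-colons listing for the wheezy archive key named in the bug.
SAMPLE_LISTING = (
    "pub:-:4096:1:8B48AD6246925553:1335484800:1587772800::-:::scSC:\n"
    "fpr:::::::::A1BD8E9D78F7FE5C3E65D8AF8B48AD6246925553:\n"
    "sub:-:4096:1:0123456789ABCDEF:1335484800::::::e:\n"
    "fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:\n"
)
```

With this check in place, the short-id invocation from the test above fails before any network request, and a keyserver that answered the long request with a different key would be rejected at the fingerprint comparison.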

Michael Vogt (mvo) wrote :

Same test as for precise.

Changed in aptdaemon (Ubuntu):
status: New → In Progress
importance: Undecided → High
Changed in software-center-agent:
status: In Progress → Fix Released
Michael Vogt (mvo) wrote :

Someone from the QA team like davmor2 should test a purchase in the software-center when this is applied to get an additional test.

Changed in aptdaemon (Ubuntu Raring):
status: In Progress → Fix Released
Changed in aptdaemon (Ubuntu Quantal):
status: New → Fix Released
Marc Deslauriers (mdeslaur) wrote :

This is CVE-2012-0962

Changed in aptdaemon (Ubuntu Oneiric):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in aptdaemon (Ubuntu Precise):
assignee: nobody → Marc Deslauriers (mdeslaur)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package aptdaemon - 0.43+bzr697-0ubuntu1.3

---------------
aptdaemon (0.43+bzr697-0ubuntu1.3) oneiric-security; urgency=low

  * SECURITY UPDATE: check downloaded keyid (LP: #1052789)
    - CVE-2012-0962
 -- Michael Vogt <email address hidden> Fri, 12 Oct 2012 16:20:20 +0200

Changed in aptdaemon (Ubuntu Oneiric):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package aptdaemon - 0.43+bzr805-0ubuntu7

---------------
aptdaemon (0.43+bzr805-0ubuntu7) precise-security; urgency=low

  * SECURITY UPDATE: check downloaded keyid (LP: #1052789)
    - CVE-2012-0962
 -- Michael Vogt <email address hidden> Fri, 12 Oct 2012 15:59:48 +0200

Changed in aptdaemon (Ubuntu Precise):
status: New → Fix Released
information type: Private Security → Public Security