Improper verification of updated key via apt-key net-update

Bug #856489 reported by Jamie Strandboge
Affects               Status         Importance   Assigned to         Milestone
apt (Ubuntu)          Fix Released   Critical     Marc Deslauriers
apt (Ubuntu Hardy)    Fix Released   Critical     Marc Deslauriers
apt (Ubuntu Lucid)    Fix Released   Critical     Marc Deslauriers
apt (Ubuntu Maverick) Fix Released   Critical     Marc Deslauriers
apt (Ubuntu Natty)    Fix Released   Critical     Marc Deslauriers
apt (Ubuntu Oneiric)  Fix Released   Critical     Marc Deslauriers

Bug Description

Jamie Strandboge (jdstrand) wrote :

Marc is working on a temporary fix until the real fix is prepared.

security vulnerability: no → yes
Changed in apt (Ubuntu):
assignee: nobody → Marc Deslauriers (mdeslaur)
status: New → In Progress
Changed in apt (Ubuntu Lucid):
status: New → In Progress
importance: Undecided → Critical
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in apt (Ubuntu Maverick):
status: New → In Progress
importance: Undecided → Critical
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in apt (Ubuntu Natty):
status: New → In Progress
importance: Undecided → Critical
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in apt (Ubuntu Oneiric):
importance: Undecided → Critical
description: updated
Changed in apt (Ubuntu Hardy):
status: New → In Progress
importance: Undecided → Critical
assignee: nobody → Marc Deslauriers (mdeslaur)
Kees Cook (kees) wrote :

If anyone can't wait for updates, removing the keyring URI from /usr/bin/apt-key should disable the fetch:

#ARCHIVE_KEYRING_URI=http://archive.ubuntu.com/ubuntu/project/ubuntu-archive-keyring.gpg
ARCHIVE_KEYRING_URI=
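
The following is an added example, not code from the bug report or from apt itself: a small POSIX sh script that applies the interim edit Kees describes (blanking ARCHIVE_KEYRING_URI so that net-update has nothing to fetch) to a copy of an apt-key-like file and then checks that the edit took effect and survived the file's mode. The function names are hypothetical, and the apt-key fragment it operates on is constructed for the demonstration; only the ARCHIVE_KEYRING_URI line is taken from the comment above.

```shell
#!/bin/sh
# Added example (not from the bug report or from apt): apply and verify the
# interim workaround of blanking ARCHIVE_KEYRING_URI in /usr/bin/apt-key.
# Function names are hypothetical; the apt-key fragment below is constructed.

# Constructed stand-in for the relevant lines of /usr/bin/apt-key; the real
# script's other logic is omitted. Only the URI line comes from the comment.
sample_apt_key_fragment() {
    cat <<'EOF'
#!/bin/sh
set -e
ARCHIVE_KEYRING_URI=http://archive.ubuntu.com/ubuntu/project/ubuntu-archive-keyring.gpg

net_update() {
    echo "would fetch $ARCHIVE_KEYRING_URI"
}
EOF
}

# Exit 0 when the last live ARCHIVE_KEYRING_URI assignment in FILE is empty
# (net-update cannot fetch anything), 1 when a non-empty URI is still in
# effect, 2 when FILE carries no such assignment at all.
apt_key_net_update_disabled() {
    file="$1"
    # the last uncommented assignment is the one the shell would act on
    line=$(grep -E '^[[:space:]]*ARCHIVE_KEYRING_URI=' "$file" | tail -n 1 || true)
    [ -n "$line" ] || return 2
    uri=${line#*=}
    # tolerate quoted forms such as ARCHIVE_KEYRING_URI=""
    uri=${uri#\"}; uri=${uri%\"}; uri=${uri#\'}; uri=${uri%\'}
    [ -z "$uri" ]
}

# Apply the workaround in place: comment out each live, non-empty assignment
# and follow it with an empty one, as the comment above shows. Idempotent.
disable_apt_key_net_update() {
    file="$1"
    cp -p "$file" "$file.bak"      # keep the packaged version for restoring later
    awk '
        /^[[:space:]]*ARCHIVE_KEYRING_URI=./ {
            match($0, /^[[:space:]]*/)
            indent = substr($0, 1, RLENGTH)
            print indent "#" substr($0, RLENGTH + 1)
            print indent "ARCHIVE_KEYRING_URI="
            next
        }
        { print }
    ' "$file" > "$file.tmp"
    # write through the existing inode so the mode (0755 on apt-key) is preserved
    cat "$file.tmp" > "$file" && rm -f "$file.tmp"
}

# Demonstration on a throwaway copy; never touches the real /usr/bin/apt-key.
work="${TMPDIR:-/tmp}/apt-key-workaround-demo.$$"
sample_apt_key_fragment > "$work"
if apt_key_net_update_disabled "$work"; then
    echo "$work: net-update fetch already disabled"
else
    echo "$work: net-update would fetch a keyring; applying workaround"
    disable_apt_key_net_update "$work"
fi
apt_key_net_update_disabled "$work" && echo "$work: net-update fetch now disabled"
rm -f "$work" "$work.bak"
```

The edit is written through the existing inode rather than renamed into place so the script stays executable, and the empty assignment is placed directly after the commented-out line rather than appended at the end of the file, since an assignment that runs after the command dispatch would have no effect. The check function reports the last live assignment, which is what the shell actually uses if the file carries more than one.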

Jamie Strandboge (jdstrand) wrote :

Packages are building now and updates will be made available shortly. The temporary fix disabling net-update for all releases can be seen in https://launchpad.net/ubuntu/+source/apt/0.8.16~exp5ubuntu11.

Changed in apt (Ubuntu Lucid):
status: In Progress → Fix Committed
Changed in apt (Ubuntu Maverick):
status: In Progress → Fix Committed
Changed in apt (Ubuntu Natty):
status: In Progress → Fix Committed
Changed in apt (Ubuntu Oneiric):
status: In Progress → Fix Committed
Changed in apt (Ubuntu Hardy):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apt - 0.8.13.2ubuntu4.2

---------------
apt (0.8.13.2ubuntu4.2) natty-security; urgency=low

  * SECURITY UPDATE: Disable apt-key net-update for now, as validation
    code is insecure. (LP: #856489)
    - cmdline/apt-key: exit immediately out of net_update().
    - CVE number pending
 -- Marc Deslauriers <email address hidden> Thu, 22 Sep 2011 11:03:15 -0400

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apt - 0.8.3ubuntu7.2

---------------
apt (0.8.3ubuntu7.2) maverick-security; urgency=low

  * SECURITY UPDATE: Disable apt-key net-update for now, as validation
    code is insecure. (LP: #856489)
    - cmdline/apt-key: exit immediately out of net_update().
    - CVE number pending
 -- Marc Deslauriers <email address hidden> Thu, 22 Sep 2011 11:23:05 -0400

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apt - 0.7.25.3ubuntu9.7

---------------
apt (0.7.25.3ubuntu9.7) lucid-security; urgency=low

  * SECURITY UPDATE: Disable apt-key net-update for now, as validation
    code is insecure. (LP: #856489)
    - cmdline/apt-key: exit immediately out of net_update().
    - CVE number pending
 -- Marc Deslauriers <email address hidden> Thu, 22 Sep 2011 11:24:50 -0400

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apt - 0.7.9ubuntu17.3

---------------
apt (0.7.9ubuntu17.3) hardy-security; urgency=low

  * SECURITY UPDATE: Disable apt-key net-update for now, as validation
    code is insecure. (LP: #856489)
    - cmdline/apt-key: exit immediately out of net_update().
    - CVE number pending
 -- Marc Deslauriers <email address hidden> Thu, 22 Sep 2011 11:26:16 -0400

Changed in apt (Ubuntu Hardy):
status: Fix Committed → Fix Released
Changed in apt (Ubuntu Lucid):
status: Fix Committed → Fix Released
Changed in apt (Ubuntu Maverick):
status: Fix Committed → Fix Released
Changed in apt (Ubuntu Natty):
status: Fix Committed → Fix Released
Changed in apt (Ubuntu Oneiric):
status: Fix Committed → Fix Released
security vulnerability: yes → no
visibility: public → private
Micah Gersten (micahg)
security vulnerability: no → yes
visibility: private → public
Changed in apt (Ubuntu):
assignee: Marc Deslauriers (mdeslaur) → jakeford18 (jake-ford-18)
Changed in apt (Ubuntu):
assignee: jakeford18 (jake-ford-18) → Marc Deslauriers (mdeslaur)