[Bug 784473] Re: Treats partial InRelease signature as verifying the entire file
Marc Deslauriers
marc.deslauriers at canonical.com
Thu Jul 28 13:35:53 UTC 2011
** Visibility changed to: Public
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/784473
Title:
Treats partial InRelease signature as verifying the entire file
Status in “apt” package in Ubuntu:
Fix Released
Status in “apt” source package in Natty:
Fix Released
Status in “apt” source package in Oneiric:
Fix Released
Bug description:
Binary package hint: apt
apt's inline signature verification for InRelease is broken: it treats
any signature in the file as validating the whole file. It's also
fairly liberal when parsing the content of such files, apparently
ignoring everything after the first blank line.
Combined, these two behaviours allow an attacker to turn an arbitrary
Release file into a valid, signed InRelease file by appending a blank
line and a valid inline signed message from a trusted key. I've tested
by appending
http://ftp.debian.org/debian/dists/experimental/InRelease, as Ubuntu's
archive key does not clearsign anything that I can find, and line-
ending canonicalisation thwarted my attempts at converting a detached
signature into a cleartext one.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/784473/+subscriptions
More information about the foundations-bugs
mailing list