[Bug 857472] Re: net-update verifcation checking insecure
Michael Vogt
michael.vogt at ubuntu.com
Fri Sep 30 15:05:35 UTC 2011
Hello Colin, thanks for your comment on this.
I'm not sure I quite follow the comment, the code is meant to check the following:
for every key we got from the network, check if the same keyid is also in the master-keyring
if that is the case -> abort as this clearly indicates that something fishy is going on
AFAICS this closes the attack vector described in the full-disclosure list as the attacker will not be
able to "shadow" our master-key-id anymore with the key id duplication.
For am I missing something and/or made a mistake in the code so that I
actually check for the wrong thing?
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/857472
Title:
net-update verifcation checking insecure
Status in “apt” package in Ubuntu:
Confirmed
Status in “apt” source package in Oneiric:
Confirmed
Bug description:
From:
http://seclists.org/fulldisclosure/2011/Sep/222
its easy to bypass the verification checking in apt-key net-update.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/857472/+subscriptions
More information about the foundations-bugs
mailing list