[Bug 857472] Re: net-update verifcation checking insecure

Michael Vogt michael.vogt at ubuntu.com
Fri Sep 30 15:05:35 UTC 2011


Hello Colin, thanks for your comment on this.

I'm not sure I quite follow the comment, the code is meant to check the following:
  for every key we got from the network, check if the same keyid is also in the master-keyring
    if that is the case -> abort as this clearly indicates that something fishy is going on

AFAICS this closes the attack vector described in the full-disclosure list as the attacker will not be
able to "shadow" our master-key-id anymore with the key id duplication.

For am I missing something and/or made a mistake in the code so that I
actually check for the wrong thing?

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/857472

Title:
  net-update verifcation checking insecure

Status in “apt” package in Ubuntu:
  Confirmed
Status in “apt” source package in Oneiric:
  Confirmed

Bug description:
  From:
  http://seclists.org/fulldisclosure/2011/Sep/222

  its easy to bypass the verification checking in apt-key net-update.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/857472/+subscriptions




More information about the foundations-bugs mailing list