[Bug 915210] Re: apt-add-repository does not perform ssl verification where it *needs* to

David Black 915210 at bugs.launchpad.net
Thu Jul 12 14:23:01 UTC 2012


** Visibility changed to: Public

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to software-properties in Ubuntu.
https://bugs.launchpad.net/bugs/915210

Title:
  apt-add-repository does not perform ssl verification where it *needs* to

Status in “software-properties” package in Ubuntu:
  Fix Released
Status in “software-properties” source package in Lucid:
  Fix Released
Status in “software-properties” source package in Maverick:
  Fix Released
Status in “software-properties” source package in Natty:
  Fix Released
Status in “software-properties” source package in Oneiric:
  Fix Released
Status in “software-properties” source package in Precise:
  Fix Released

Bug description:
  The python code in apt-add-repository makes use of the softwareproperties module, in particular the ppa.py file.
  In the ppa.py file there is the following comment:

  "        The signing key fingerprint is obtained from the Launchpad PPA page,
          via a secure channel, so it can be trusted.
  "
  However, the code in ppa.py simply uses the urllib2 module which, as per the warning in the documentation ("HTTPS requests do not do any verification of the server's certificate"), does not do any verification of the server's certificate.
  As the data returned through the urllib2 call is trusted and used to configure and add new PPAs (software repositories) to a system, it may be possible for an attacker (who can perform a man-in-the-middle attack) to compromise a remote system through this means.

  I tested and confirmed the bug on my local system with following relevant packages installed:
  ii  python-software-properties             0.81.13.1                               manage the repositories that you install software from
  ii  software-center                        5.0.3.1                                 Utility for browsing, installing, and removing software
  ii  software-properties-common             0.81.13.1                               manage the repositories that you install software from (common)
  ii  software-properties-gtk                0.81.13.1                               manage the repositories that you install software from (gtk)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/software-properties/+bug/915210/+subscriptions
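The security point of the report above is that the PPA page is the only thing authenticating the signing-key fingerprint: whatever comes back over that connection becomes a trusted apt key, so the TLS channel has to be verified, and the fetched value has to be sanity-checked before it is used. The following is an added example, not code from the bug report or from software-properties. It uses urllib.request (the Python 3 successor of urllib2, which verifies certificates by default since PEP 476) with an explicit verifying ssl context, shows the unverified context that matches the legacy urllib2 behaviour for contrast, and parses the fingerprint out of a constructed page. The HTML markup, the element id `ppa-signing-key`, the sample fingerprints and the function names are all assumptions made for illustration and do not reproduce Launchpad's real page.

```python
"""Added example (not from the bug report or software-properties).

Fetch a PPA signing-key fingerprint over an authenticated TLS channel and
refuse to trust anything that does not look like exactly one OpenPGP v4
fingerprint. The markup below is an assumption for illustration only.
"""
import re
import ssl
import urllib.request

# OpenPGP v4 fingerprint: 40 hex digits. Short 8/16-digit key IDs are rejected
# on purpose; they are trivially collidable and must never be used for trust.
FINGERPRINT_RE = re.compile(r"\b([0-9A-Fa-f]{40})\b")

# Constructed sample page (assumed markup, not Launchpad's real HTML).
SAMPLE_PAGE = """<html><body>
<dt>Signing key:</dt>
<dd><code id="ppa-signing-key">4096R/0123456789ABCDEF0123456789ABCDEF01234567</code></dd>
</body></html>"""

# Constructed page as a MITM might serve it: the attacker's key appended.
TAMPERED_PAGE = SAMPLE_PAGE.replace(
    "</body>",
    '<p class="injected">DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF</p></body>',
)

# Constructed page carrying only a short key ID, not a fingerprint.
SHORT_ID_PAGE = SAMPLE_PAGE.replace(
    "0123456789ABCDEF0123456789ABCDEF01234567", "01234567"
)


def verifying_context() -> ssl.SSLContext:
    """Context that validates the chain against the system CA store and
    checks the hostname; this is what the fingerprint fetch needs."""
    return ssl.create_default_context()


def unverified_context() -> ssl.SSLContext:
    """Equivalent of legacy urllib2 behaviour: encrypted but not
    authenticated. Shown for contrast only; never use it for trust data."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be disabled before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def is_verifying(ctx: ssl.SSLContext) -> bool:
    """True only if the context both validates the chain and the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def parse_fingerprint(html: str) -> str:
    """Extract exactly one fingerprint from the page body.

    Zero matches (e.g. only a short key ID) or more than one distinct match
    (e.g. an injected attacker key) are both treated as untrustworthy input.
    """
    found = {m.upper() for m in FINGERPRINT_RE.findall(html)}
    if len(found) != 1:
        raise ValueError(
            "expected exactly one 40-hex-digit fingerprint, found %d" % len(found)
        )
    return found.pop()


def fetch_fingerprint(ppa_url: str, timeout: float = 30.0) -> str:
    """Fetch the PPA page over verified HTTPS and return its fingerprint.

    A plain http:// URL is refused outright: without TLS there is nothing
    authenticating the fingerprint at all.
    """
    if not ppa_url.startswith("https://"):
        raise ValueError("fingerprint must be fetched over https://")
    req = urllib.request.Request(ppa_url, headers={"Accept": "text/html"})
    with urllib.request.urlopen(req, context=verifying_context(), timeout=timeout) as resp:
        body = resp.read().decode("utf-8", "replace")
    return parse_fingerprint(body)


if __name__ == "__main__":
    # Offline demonstration on the constructed pages only.
    print("verifying context:", is_verifying(verifying_context()))
    print("legacy-style context:", is_verifying(unverified_context()))
    print("sample page ->", parse_fingerprint(SAMPLE_PAGE))
    for name, page in (("tampered", TAMPERED_PAGE), ("short id", SHORT_ID_PAGE)):
        try:
            parse_fingerprint(page)
        except ValueError as exc:
            print("%s page rejected: %s" % (name, exc))
```

Note that `ssl.create_default_context()` only proves the server is who the CA store says it is; it does not verify the key itself. The parsing step matters because a page that passes TLS verification can still be a misconfigured or compromised origin, and the worst outcome of a weak parse is silently importing a second key or a short ID into apt's trusted keyring.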