[Bug 1013639] [NEW] net-update verification checking is still insecure (aka gpg key shadowing, again)

Jamie Strandboge jamie at ubuntu.com
Fri Jun 15 12:19:01 UTC 2012


*** This bug is a security vulnerability ***

Public security bug reported:

This is related to but different than:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/857472
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1013128

FYI:
http://seclists.org/fulldisclosure/2012/Jun/271
http://seclists.org/fulldisclosure/2012/Jun/289

The fix for both of the previous bugs was not enough. There is
reportedly an active exploit utilizing the Ubuntu CD Image Automatic
Signing Key.

** Affects: apt (Ubuntu)
     Importance: Critical
     Assignee: Jamie Strandboge (jdstrand)
         Status: In Progress

** Affects: apt (Ubuntu Lucid)
     Importance: Critical
     Assignee: Jamie Strandboge (jdstrand)
         Status: In Progress

** Affects: apt (Ubuntu Natty)
     Importance: Critical
     Assignee: Jamie Strandboge (jdstrand)
         Status: In Progress

** Affects: apt (Ubuntu Oneiric)
     Importance: Critical
     Assignee: Jamie Strandboge (jdstrand)
         Status: In Progress

** Affects: apt (Ubuntu Precise)
     Importance: Critical
     Assignee: Jamie Strandboge (jdstrand)
         Status: In Progress

** Affects: apt (Ubuntu Quantal)
     Importance: Critical
     Assignee: Jamie Strandboge (jdstrand)
         Status: In Progress

** Affects: apt (Ubuntu Hardy)
     Importance: Critical
     Assignee: Jamie Strandboge (jdstrand)
         Status: In Progress

** Also affects: apt (Ubuntu Precise)
   Importance: Undecided
       Status: New

** Also affects: apt (Ubuntu Lucid)
   Importance: Undecided
       Status: New

** Also affects: apt (Ubuntu Quantal)
   Importance: Undecided
       Status: New

** Also affects: apt (Ubuntu Natty)
   Importance: Undecided
       Status: New

** Also affects: apt (Ubuntu Hardy)
   Importance: Undecided
       Status: New

** Also affects: apt (Ubuntu Oneiric)
   Importance: Undecided
       Status: New

** Visibility changed to: Public

** Changed in: apt (Ubuntu Lucid)
       Status: New => In Progress

** Changed in: apt (Ubuntu Lucid)
   Importance: Undecided => Critical

** Changed in: apt (Ubuntu Lucid)
     Assignee: (unassigned) => Jamie Strandboge (jdstrand)

** Changed in: apt (Ubuntu Natty)
       Status: New => In Progress

** Changed in: apt (Ubuntu Natty)
   Importance: Undecided => Critical

** Changed in: apt (Ubuntu Natty)
     Assignee: (unassigned) => Jamie Strandboge (jdstrand)

** Changed in: apt (Ubuntu Oneiric)
       Status: New => In Progress

** Changed in: apt (Ubuntu Oneiric)
   Importance: Undecided => Critical

** Changed in: apt (Ubuntu Oneiric)
     Assignee: (unassigned) => Jamie Strandboge (jdstrand)

** Changed in: apt (Ubuntu Precise)
       Status: New => In Progress

** Changed in: apt (Ubuntu Precise)
   Importance: Undecided => Critical

** Changed in: apt (Ubuntu Precise)
     Assignee: (unassigned) => Jamie Strandboge (jdstrand)

** Changed in: apt (Ubuntu Quantal)
       Status: New => In Progress

** Changed in: apt (Ubuntu Quantal)
   Importance: Undecided => Critical

** Changed in: apt (Ubuntu Quantal)
     Assignee: (unassigned) => Jamie Strandboge (jdstrand)

** Changed in: apt (Ubuntu Hardy)
       Status: New => In Progress

** Changed in: apt (Ubuntu Hardy)
   Importance: Undecided => Critical

** Changed in: apt (Ubuntu Hardy)
     Assignee: (unassigned) => Jamie Strandboge (jdstrand)

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-0954

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/1013639

Title:
  net-update verification checking is still insecure (aka gpg key
  shadowing, again)

Status in “apt” package in Ubuntu:
  In Progress
Status in “apt” source package in Lucid:
  In Progress
Status in “apt” source package in Natty:
  In Progress
Status in “apt” source package in Oneiric:
  In Progress
Status in “apt” source package in Precise:
  In Progress
Status in “apt” source package in Quantal:
  In Progress
Status in “apt” source package in Hardy:
  In Progress
