[Bug 1016643] Re: add-apt-repository downloads gpg key in an insecure fashion
Marc Deslauriers
marc.deslauriers at canonical.com
Mon Sep 17 14:04:04 UTC 2012
** Visibility changed to: Public
** Also affects: gnupg2 (Ubuntu)
Importance: Undecided
Status: New
** Changed in: software-properties (Ubuntu)
Status: Triaged => Invalid
** Also affects: gnupg (Ubuntu Hardy)
Importance: Undecided
Status: New
** Also affects: gnupg2 (Ubuntu Hardy)
Importance: Undecided
Status: New
** Also affects: software-properties (Ubuntu Hardy)
Importance: Undecided
Status: New
** Also affects: gnupg (Ubuntu Lucid)
Importance: Undecided
Status: New
** Also affects: gnupg2 (Ubuntu Lucid)
Importance: Undecided
Status: New
** Also affects: software-properties (Ubuntu Lucid)
Importance: Undecided
Status: New
** Also affects: gnupg (Ubuntu Natty)
Importance: Undecided
Status: New
** Also affects: gnupg2 (Ubuntu Natty)
Importance: Undecided
Status: New
** Also affects: software-properties (Ubuntu Natty)
Importance: Undecided
Status: New
** Also affects: gnupg (Ubuntu Oneiric)
Importance: Undecided
Status: New
** Also affects: gnupg2 (Ubuntu Oneiric)
Importance: Undecided
Status: New
** Also affects: software-properties (Ubuntu Oneiric)
Importance: Undecided
Status: New
** Also affects: gnupg (Ubuntu Precise)
Importance: Undecided
Status: New
** Also affects: gnupg2 (Ubuntu Precise)
Importance: Undecided
Status: New
** Also affects: software-properties (Ubuntu Precise)
Importance: Undecided
Status: New
** Also affects: gnupg (Ubuntu Quantal)
Importance: Undecided
Status: Triaged
** Also affects: gnupg2 (Ubuntu Quantal)
Importance: Undecided
Status: New
** Also affects: software-properties (Ubuntu Quantal)
Importance: Undecided
Status: Invalid
** Changed in: gnupg2 (Ubuntu Quantal)
Status: New => Fix Released
** Changed in: gnupg (Ubuntu Quantal)
Status: Triaged => Fix Released
** Changed in: software-properties (Ubuntu Hardy)
Status: New => Invalid
** Changed in: software-properties (Ubuntu Lucid)
Status: New => Invalid
** Changed in: software-properties (Ubuntu Natty)
Status: New => Invalid
** Changed in: software-properties (Ubuntu Oneiric)
Status: New => Invalid
** Changed in: software-properties (Ubuntu Precise)
Status: New => Invalid
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to software-properties in Ubuntu.
https://bugs.launchpad.net/bugs/1016643
Title:
add-apt-repository downloads gpg key in an insecure fashion
Status in GNU Privacy Guard:
Fix Released
Status in “gnupg” package in Ubuntu:
Fix Released
Status in “gnupg2” package in Ubuntu:
Fix Released
Status in “software-properties” package in Ubuntu:
Invalid
Status in “gnupg” source package in Lucid:
New
Status in “gnupg2” source package in Lucid:
New
Status in “software-properties” source package in Lucid:
Invalid
Status in “gnupg” source package in Natty:
New
Status in “gnupg2” source package in Natty:
New
Status in “software-properties” source package in Natty:
Invalid
Status in “gnupg” source package in Oneiric:
New
Status in “gnupg2” source package in Oneiric:
New
Status in “software-properties” source package in Oneiric:
Invalid
Status in “gnupg” source package in Precise:
New
Status in “gnupg2” source package in Precise:
New
Status in “software-properties” source package in Precise:
Invalid
Status in “gnupg” source package in Quantal:
Fix Released
Status in “gnupg2” source package in Quantal:
Fix Released
Status in “software-properties” source package in Quantal:
Invalid
Status in “gnupg” source package in Hardy:
New
Status in “gnupg2” source package in Hardy:
New
Status in “software-properties” source package in Hardy:
Invalid
Bug description:
add-apt-repository can add PPAs and automatically import the PPA gpg
key.
Unfortunately, it uses apt-key, which in turn uses gpg to download the
key from a keyserver.
gpg downloads keys from keyservers using the short key id, which is
trivial to collide.
It is therefore possible to either MITM the point where gpg downloads
the key from the keyserver, or to simply upload a second colliding key
to the keyserver. This can result in being able to MITM packages
installed from PPAs.
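The description above turns on one fact: a short key ID is only the low 32 bits of a key's 160-bit fingerprint, so matching on it identifies a key class, not a key. As an added example (not part of this bug report, nor code from gnupg or software-properties), the following Python computes an OpenPGP v4 fingerprint for a constructed RSA public-key packet per RFC 4880, derives the short and long key IDs from it, and contrasts the weak "does the short ID match" check with a check against a pinned full fingerprint. The RSA modulus, the creation time and the colliding fingerprint are all constructed values; no real key or real collision is produced here.

```python
"""
Added example: why a 32-bit short key ID is not a key identity, and what a
check that survives a short-ID collision looks like.  Fingerprint layout
follows RFC 4880 section 12.2; packet layout follows section 5.5.2.
"""
import hashlib
import hmac
import struct


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit count, then big-endian bytes."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def rsa_public_key_body(n: int, e: int, created: int) -> bytes:
    """Body of a version-4 RSA public-key packet: version 4, creation time, algo 1 (RSA), n, e."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> str:
    """SHA-1 over 0x99 || two-byte body length || body, as 40 upper-case hex chars."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def long_key_id(fingerprint: str) -> str:
    """Low 64 bits of the fingerprint (16 hex chars)."""
    return fingerprint[-16:]


def short_key_id(fingerprint: str) -> str:
    """Low 32 bits of the fingerprint (8 hex chars): the form the bug report says gpg fetched by."""
    return fingerprint[-8:]


def normalize(hex_id: str) -> str:
    """Strip spaces and an optional 0x prefix, upper-case the rest."""
    h = hex_id.replace(" ", "").upper()
    return h[2:] if h.startswith("0X") else h


def matches_short_id(fingerprint: str, wanted_short_id: str) -> bool:
    """Weak check: any key whose fingerprint ends in the same 8 hex chars passes."""
    return short_key_id(normalize(fingerprint)) == normalize(wanted_short_id)


def accept_key(body: bytes, pinned_fingerprint: str) -> bool:
    """Strong check: accept only a key whose full 160-bit fingerprint equals the pinned one."""
    return hmac.compare_digest(v4_fingerprint(body), normalize(pinned_fingerprint))


def demo() -> dict:
    """Run both checks on a constructed key and return the results for inspection."""
    # Constructed toy modulus and timestamp; this is not a real RSA key.
    body = rsa_public_key_body(n=0xC0FFEE0DDBA1100FACADE5, e=65537, created=1340000000)
    fpr = v4_fingerprint(body)
    # Constructed stand-in for a second keyserver key that shares our trailing 32 bits
    # but differs elsewhere.  Flipping the first hex digit guarantees it is a different
    # fingerprint with the same short ID; no real colliding key is generated.
    collider_fpr = ("0" if fpr[0] != "0" else "1") + fpr[1:]
    return {
        "fingerprint": fpr,
        "long_id": long_key_id(fpr),
        "short_id": short_key_id(fpr),
        "weak_check_accepts_collider": matches_short_id(collider_fpr, short_key_id(fpr)),
        "strong_check_accepts_collider": accept_key(body, collider_fpr),
        "strong_check_accepts_real_key": accept_key(body, fpr),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The practical reading for a defender: whatever fetches a key (by short ID, long ID, or from an HTTP mirror) should be followed by a comparison of the retrieved key's full fingerprint against a value obtained out of band, as `accept_key` does, and anything that only confirms the trailing 32 bits, as `matches_short_id` does, cannot distinguish the intended key from a second key published under the same short ID.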
To manage notifications about this bug go to:
https://bugs.launchpad.net/gnupg/+bug/1016643/+subscriptions