[Bug 1016643] Re: add-apt-repository downloads gpg key in an insecure fashion

Rolf Leggewie 1016643 at bugs.launchpad.net
Wed Jun 17 12:18:43 UTC 2015


lucid has seen the end of its life and is no longer receiving any
updates. Marking the lucid task for this ticket as "Won't Fix".

** Changed in: apt (Ubuntu Lucid)
       Status: Confirmed => Won't Fix

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to software-properties in Ubuntu.
https://bugs.launchpad.net/bugs/1016643

Title:
  add-apt-repository downloads gpg key in an insecure fashion

Status in GNU Privacy Guard:
  Fix Released
Status in apt package in Ubuntu:
  Triaged
Status in gnupg package in Ubuntu:
  Fix Released
Status in gnupg2 package in Ubuntu:
  Fix Released
Status in software-properties package in Ubuntu:
  Fix Released
Status in apt source package in Lucid:
  Won't Fix
Status in gnupg source package in Lucid:
  Fix Released
Status in gnupg2 source package in Lucid:
  Fix Released
Status in software-properties source package in Lucid:
  Fix Released
Status in apt source package in Natty:
  Won't Fix
Status in gnupg source package in Natty:
  Fix Released
Status in gnupg2 source package in Natty:
  Fix Released
Status in software-properties source package in Natty:
  Fix Released
Status in apt source package in Oneiric:
  Won't Fix
Status in gnupg source package in Oneiric:
  Fix Released
Status in gnupg2 source package in Oneiric:
  Fix Released
Status in software-properties source package in Oneiric:
  Fix Released
Status in apt source package in Precise:
  Triaged
Status in gnupg source package in Precise:
  Fix Released
Status in gnupg2 source package in Precise:
  Fix Released
Status in software-properties source package in Precise:
  Fix Released
Status in apt source package in Quantal:
  Won't Fix
Status in gnupg source package in Quantal:
  Fix Released
Status in gnupg2 source package in Quantal:
  Fix Released
Status in software-properties source package in Quantal:
  Fix Released
Status in apt source package in Hardy:
  Won't Fix
Status in gnupg source package in Hardy:
  Fix Released
Status in gnupg2 source package in Hardy:
  Fix Released
Status in software-properties source package in Hardy:
  Invalid

Bug description:
  add-apt-repository can add PPAs and automatically import the PPA gpg
  key.

  Unfortunately, it uses apt-key, which in turn uses gpg to download the
  key from a keyserver.

  gpg downloads keys from keyservers using the short key id, which is
  trivial to collide.

  It is therefore possible to either MITM the point where gpg downloads
  the key from the keyserver, or to simply upload a second colliding key
  to the keyserver. This can result in being able to MITM packages
  installed from PPAs.

To manage notifications about this bug go to:
https://bugs.launchpad.net/gnupg/+bug/1016643/+subscriptions
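Added example (not code from the bug report, apt, apt-key or gnupg): a Python model of why a 32-bit short key ID is a bad retrieval handle and what the fixed flow has to check. A v4 OpenPGP fingerprint is a 160-bit SHA-1 value; the short key ID is its low 32 bits, so the birthday bound puts a collision between two arbitrary keys near 2**16 generated keys, and a collision against one chosen target near 2**32 (feasible offline, not attempted here). The fingerprints below are constructed by hashing a counter, the keyserver is an in-memory stand-in for an HKP server that matches a lookup against any fingerprint ending in the supplied ID (the way `gpg --recv-keys` accepts short IDs, long IDs and full fingerprints), and `import_by_short_id` / `import_by_fingerprint` are hypothetical names for the vulnerable and hardened import paths.

```python
import hashlib

# A v4 OpenPGP fingerprint is 160 bits (40 hex digits). The long key ID is
# its low 64 bits (last 16 hex digits), the short key ID its low 32 bits
# (last 8 hex digits). Everything below uses constructed fingerprints.
FINGERPRINT_HEX_LEN = 40
LONG_ID_HEX_LEN = 16
SHORT_ID_HEX_LEN = 8


def normalize(hex_id: str) -> str:
    """Strip spaces and an optional 0x prefix, upper-case the hex digits."""
    h = hex_id.replace(" ", "").upper()
    return h[2:] if h.startswith("0X") else h


def short_key_id(fingerprint: str) -> str:
    return normalize(fingerprint)[-SHORT_ID_HEX_LEN:]


def long_key_id(fingerprint: str) -> str:
    return normalize(fingerprint)[-LONG_ID_HEX_LEN:]


def find_short_id_collision(max_trials: int = 400_000):
    """Generate constructed fingerprints until two share a short key ID.

    SHA-1 over a counter stands in for the fingerprints of freshly generated
    keys (constructed data, not real keys). Because only 32 bits have to
    match, the birthday bound makes this cheap: expect roughly 2**16 trials.
    Returns (fingerprint_a, fingerprint_b, trials) or None.
    """
    seen = {}
    for i in range(max_trials):
        fp = hashlib.sha1(b"constructed-key-" + i.to_bytes(4, "big")).hexdigest().upper()
        sid = short_key_id(fp)
        if sid in seen and seen[sid] != fp:
            return seen[sid], fp, i + 1
        seen[sid] = fp
    return None


class FakeKeyserver:
    """In-memory stand-in for an HKP keyserver: anyone can upload, and a lookup
    returns every key whose fingerprint ends with the requested ID, whether
    that ID is 8, 16 or 40 hex digits long."""

    def __init__(self):
        self.keys = {}  # fingerprint -> owner label

    def upload(self, fingerprint: str, owner: str) -> None:
        self.keys[normalize(fingerprint)] = owner

    def lookup(self, key_id: str):
        kid = normalize(key_id)
        return [(fp, owner) for fp, owner in self.keys.items() if fp.endswith(kid)]


def import_by_short_id(server: FakeKeyserver, short_id: str):
    """The flow the bug report describes: fetch by 32-bit ID and trust whatever
    comes back. Once a colliding key is on the server, the attacker's key is
    returned alongside (or instead of) the PPA's."""
    return server.lookup(short_id)


def import_by_fingerprint(server: FakeKeyserver, expected_fingerprint: str):
    """Hardened flow: require the full fingerprint obtained out of band, fetch
    by it, and refuse any key whose fingerprint is not byte-for-byte equal."""
    expected = normalize(expected_fingerprint)
    if len(expected) != FINGERPRINT_HEX_LEN:
        raise ValueError("expected a full 40-hex-digit fingerprint, not a key ID")
    results = [(fp, owner) for fp, owner in server.lookup(expected) if fp == expected]
    if len(results) != 1:
        raise ValueError("keyserver returned %d keys for %s" % (len(results), expected))
    return results[0]


def demo():
    ppa_fp, evil_fp, trials = find_short_id_collision()
    server = FakeKeyserver()
    server.upload(ppa_fp, "ppa-owner")   # the legitimate PPA signing key
    server.upload(evil_fp, "attacker")   # colliding key uploaded by anyone
    weak = import_by_short_id(server, short_key_id(ppa_fp))
    strong = import_by_fingerprint(server, ppa_fp)
    return {
        "trials": trials,
        "weak_owners": sorted(owner for _, owner in weak),
        "strong_owner": strong[1],
    }


if __name__ == "__main__":
    print(demo())
```

The weak path cannot tell the two keys apart because it never sees more than the 32 bits it asked for; the hardened path fails closed if it is handed a key ID instead of a fingerprint, and after fetching compares the whole 160-bit fingerprint against the value it was given. A keyserver can still be intercepted in transit, but an intercepted response then has to carry a key with the exact expected fingerprint, which is a second-preimage on SHA-1 rather than a 32-bit brute force.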
