[Bug 1812353] Re: content injection in http method (CVE-2019-3462)
Christoph Anton Mitterer
calestyo at scientia.net
Wed Jan 23 05:11:28 UTC 2019
Is there any more detailed evaluation of this hole?
It reads absolutely catastrophic, like that secure APT is basically
broken since 2011,… and if anyone has found that issue before (which one
must assume in the worst case) any code could have been rather easily
introduced in any Debian based system, from end users to DDs.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/1812353
Title:
content injection in http method (CVE-2019-3462)
Status in apt package in Ubuntu:
In Progress
Status in apt source package in Precise:
Fix Released
Status in apt source package in Trusty:
Fix Released
Status in apt source package in Xenial:
Fix Released
Status in apt source package in Bionic:
Fix Released
Status in apt source package in Cosmic:
Fix Released
Status in apt source package in Disco:
In Progress
Bug description:
apt, starting with version 0.8.15, decodes target URLs of redirects,
but does not check them for newlines, allowing MiTM attackers (or
repository mirrors) to inject arbitrary headers into the result
returned to the main process.
If the URL embeds hashes of the supposed file, it can thus be used to
disable any validation of the downloaded file, as the fake hashes will
be prepended in front of the right hashes.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1812353/+subscriptions
More information about the foundations-bugs
mailing list