Your message dated Fri, 23 Sep 2011 00:44:55 +0200
with message-id <20110923004334.GA22638@debian.org>
and subject line Re: Bug#642480: apt-key uses gpg --list-sigs instead of --check-sigs
has caused the Debian Bug report #642480,
regarding apt-key uses gpg --list-sigs instead of --check-sigs
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
642480: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=642480
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: apt-key uses gpg --list-sigs instead of --check-sigs
- From: Chris Frey <cdfrey@foursquare.net>
- Date: Thu, 22 Sep 2011 17:56:31 -0400
- Message-id: <20110922215631.GA30839@foursquare.net>
Subject: apt-key uses gpg --list-sigs instead of --check-sigs
Package: apt
Version: 0.8.10.3+squeeze1
Justification: root security hole
Severity: critical
Tags: security

*** Please type your report below this line ***

Georgi Guninski reported on Full Disclosure a potential bug in apt-key's
use of gpg --list-sigs, when comparing keys to the master keyring in
add_keys_with_verify_against_master_keyring(), revealing a potential
MITM attack for adding keys.

You can find the original emails here:
http://marc.info/?l=full-disclosure&m=131668247124444&w=2

It is a legitimate bug, as far as I can tell, but could use confirmation.

The original message is copied below.

- Chris


From: Georgi Guninski <guninski@guninski.com>
To: full-disclosure@lists.grok.org.uk
Date: Thu, 22 Sep 2011 12:07:08 +0300
Subject: owning ubuntu apt-key net-update (maybe apt-get update related)

owning ubuntu apt-key net-update (maybe apt-get update related)

in ubuntu 10.04 in /usr/bin/apt-key in add_keys_with_verify_against_master_keyring()

    if $GPG_CMD --keyring $ADD_KEYRING --list-sigs --with-colons $add_key | grep ^sig | cut -d: -f5 | grep -q $master_key; then
        $GPG_CMD --quiet --batch --keyring $ADD_KEYRING --export $add_key | $GPG --import
        ADDED=1
    fi

to my knowledge --list-sigs doesn't do crypto verification, just looks for well-formedness.

it is trivial to generate a gpg key with key ID == $master_key: set gpg version to 3, set the lowest 64 bits of the RSA $n$ to the key ID, generate random high bits until one can trial factor $n$ (numerology is on your side), this is it.

to reproduce:

attached is ubuntu-archive-keyring.gpg. put it on http://A/ubuntu-archive-keyring.gpg

make a copy of apt-key and set:
ARCHIVE_KEYRING_URI=http://A/ubuntu-archive-keyring.gpg
^ this emulates MITM.

do |./apt-key-new net-update| and check for new keys with |apt-key list|

this might or might not be related with |apt-get update|.

10x.

--
joro
--- End Message ---
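Added example, not apt-key's or Debian's own code: the signature-check step quoted in the report, in its weak form beside a hardened one, run over constructed gpg --with-colons records (the key IDs and user IDs are placeholders). It assumes gpg's documented colon layout, in which field 2 of a sig record carries the --check-sigs verdict and is empty under --list-sigs, and field 5 carries the signer's key ID.

```shell
#!/bin/sh
# Added example (not apt-key code). Assumed gpg --with-colons layout for "sig"
# records: field 1 = record type, field 2 = validity ("!" good, "-" bad,
# "?" unverifiable, "%" error, empty when --list-sigs produced the record),
# field 5 = key ID of the signer.

MASTER_KEY=1111111111111111   # placeholder master key ID, not a real archive key

# Constructed --list-sigs output: the sig record names the master key ID, but
# field 2 is empty because no cryptographic verification was performed.
LIST_SIGS='pub:-:4096:1:2222222222222222:2011-09-22::-:::scSC:
uid:-::::2011-09-22::0000::Constructed Archive Key <archive@example.invalid>:
sig:::1:1111111111111111:2011-09-22::::Constructed Master Key <master@example.invalid>:10x:'

# Constructed --check-sigs output: the same record after verification, once
# marked good ("!") and once marked bad ("-").
CHECK_SIGS_GOOD=$(printf '%s\n' "$LIST_SIGS" | sed 's/^sig::/sig:!:/')
CHECK_SIGS_BAD=$(printf '%s\n' "$LIST_SIGS" | sed 's/^sig::/sig:-:/')

# The check as quoted in the report: any "sig" record whose field 5 merely
# contains the master key ID is accepted, whether or not it was verified.
weak_check() {
    printf '%s\n' "$1" | grep '^sig' | cut -d: -f5 | grep -q "$2"
}

# Hardened check: only records that gpg --check-sigs marked good ("!"), with an
# exact (-x), literal (-F) match on the key ID instead of a substring match.
strict_check() {
    printf '%s\n' "$1" | grep '^sig:!:' | cut -d: -f5 | grep -qxF -- "$2"
}

report() {
    if "$1" "$2" "$3"; then echo "$1 on $4: ACCEPT"; else echo "$1 on $4: reject"; fi
}

report weak_check   "$LIST_SIGS"       "$MASTER_KEY" "--list-sigs output"   # ACCEPT (the bug)
report strict_check "$LIST_SIGS"       "$MASTER_KEY" "--list-sigs output"   # reject
report strict_check "$CHECK_SIGS_GOOD" "$MASTER_KEY" "good signature"       # ACCEPT
report strict_check "$CHECK_SIGS_BAD"  "$MASTER_KEY" "bad signature"        # reject
```

The weak form also matches on a partial key ID, which the exact match in strict_check rules out.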
--- Begin Message ---
- To: Chris Frey <cdfrey@foursquare.net>, 642480-close@bugs.debian.org
- Subject: Re: Bug#642480: apt-key uses gpg --list-sigs instead of --check-sigs
- From: Julian Andres Klode <jak@debian.org>
- Date: Fri, 23 Sep 2011 00:44:55 +0200
- Message-id: <20110923004334.GA22638@debian.org>
- In-reply-to: <20110922215631.GA30839@foursquare.net>
- References: <20110922215631.GA30839@foursquare.net>
On Thu, Sep 22, 2011 at 05:56:31PM -0400, Chris Frey wrote:
> Subject: apt-key uses gpg --list-sigs instead of --check-sigs
> Package: apt
> Version: 0.8.10.3+squeeze1
> Justification: root security hole
> Severity: critical
> Tags: security
>
> *** Please type your report below this line ***
>
> Georgi Guninski reported on Full Disclosure a potential bug in apt-key's
> use of gpg --list-sigs, when comparing keys to the master keyring in
> add_keys_with_verify_against_master_keyring(), revealing a potential
> MITM attack for adding keys.
>
> You can find the original emails here:
> http://marc.info/?l=full-disclosure&m=131668247124444&w=2
>
> It is a legitimate bug, as far as I can tell, but could use confirmation.

It is a bug for Ubuntu. Debian's apt-key does not support net-update and
is thus not affected.

--
Julian Andres Klode - Debian Developer, Ubuntu Member
See http://wiki.debian.org/JulianAndresKlode and http://jak-linux.org/.

Attachment: pgpYtJruVZBA0.pgp
Description: PGP signature
--- End Message ---