
Bug#642480: marked as done (apt-key uses gpg --list-sigs instead of --check-sigs)



Your message dated Fri, 23 Sep 2011 00:44:55 +0200
with message-id <20110923004334.GA22638@debian.org>
and subject line Re: Bug#642480: apt-key uses gpg --list-sigs instead of --check-sigs
has caused the Debian Bug report #642480,
regarding apt-key uses gpg --list-sigs instead of --check-sigs
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
642480: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=642480
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Subject: apt-key uses gpg --list-sigs instead of --check-sigs
Package: apt
Version: 0.8.10.3+squeeze1
Justification: root security hole
Severity: critical
Tags: security

*** Please type your report below this line ***

Georgi Guninski reported on Full Disclosure a potential bug in apt-key's
use of gpg --list-sigs, when comparing keys to the master keyring in
add_keys_with_verify_against_master_keyring(), revealing a potential
MITM attack for adding keys.

You can find the original emails here:
http://marc.info/?l=full-disclosure&m=131668247124444&w=2

It is a legitimate bug, as far as I can tell, but could use confirmation.

The original message is copied below.
- Chris



  From: Georgi Guninski <guninski@guninski.com>
  To: full-disclosure@lists.grok.org.uk
  Date: Thu, 22 Sep 2011 12:07:08 +0300
  Subject: owning ubuntu apt-key net-update (maybe apt-get update related)

  owning ubuntu apt-key net-update (maybe apt-get update related)

  in ubuntu 10.04 in /usr/bin/apt-key in
  add_keys_with_verify_against_master_keyring()

  if $GPG_CMD --keyring $ADD_KEYRING --list-sigs --with-colons $add_key \
      | grep ^sig | cut -d: -f5 | grep -q $master_key; then
      $GPG_CMD --quiet --batch --keyring $ADD_KEYRING --export $add_key | $GPG --import
      ADDED=1
  fi


  to my knowledge --list-sigs doesn't do crypto verification, just looks for well
  formedness.

  it is trivial to generate a gpg key with key ID == $master_key:
  set gpg version to 3, set the lowest 64 bits of the RSA $n$ to the key ID,
  generate random high bits until one can trial factor $n$ (numerology is on your
  side), this is it.

  to reproduce:
  attached is ubuntu-archive-keyring.gpg.
  put it on http://A/ubuntu-archive-keyring.gpg
  make a copy of apt-key and set:
  ARCHIVE_KEYRING_URI=http://A/ubuntu-archive-keyring.gpg
  ^ this emulates MITM.
  do |./apt-key-new net-update| and check for new keys with |apt-key list|

  this might or might not be related with |apt-get update|.

  10x.

  -- 
  joro




--- End Message ---
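The acceptance test quoted in the message above, reduced to a small parser over gpg's colon-format records so the failure can be seen without a keyring. This is an added example, not apt-key's own code nor anything from Guninski's post. The gpg output below is constructed by hand, and the fingerprints, key IDs and user IDs are invented; treating field 13 of a sig record as the issuer fingerprint (filled only once the signature verified) is my reading of GnuPG's colon-format documentation and is an assumption. The example also shows a caveat the report implies: since the attacker holds the private key of the forged key, its self-signature is a genuine signature by a key with the colliding ID, so switching to --check-sigs and still comparing only the 64-bit key ID is not enough; the strict variant compares the issuer's full fingerprint.

```python
"""Weak versus strict acceptance of a key "signed by the master key", as a
parser over gpg --with-colons records. All gpg output here is constructed."""

import re

# Hypothetical master key. For OpenPGP v4 keys the 64-bit key ID is the low
# 16 hex digits of the 40-digit fingerprint. Values are made up.
MASTER_FPR = "0E6B5E3C1B2F4A7D9C8E1F2A5B6C7D8E9F0A1B2C"
MASTER_KEY_ID = MASTER_FPR[-16:]

# Forged key with the same 64-bit key ID but a different fingerprint (the
# collision Guninski describes: the high bits are the attacker's to choose).
FORGED_FPR = "DEADBEEFDEADBEEFDEADBEEF" + MASTER_KEY_ID

# Constructed `gpg --list-sigs --with-colons` output for the forged key.
# --list-sigs verifies nothing: field 2 (validity) of sig records is empty
# and no issuer fingerprint is reported. Field 5 is the signer key ID, here
# the forged key's own ID, which equals MASTER_KEY_ID by construction.
LIST_SIGS_FORGED = f"""\
pub:-:2048:1:{MASTER_KEY_ID}:1316689628:::-:::scESC:
fpr:::::::::{FORGED_FPR}:
uid:-::::1316689628::0000000000000000000000000000000000000000::Forged Archive Key <forged@example.invalid>:
sig:::1:{MASTER_KEY_ID}:1316689628::::Forged Archive Key <forged@example.invalid>:13x:
"""

# Constructed `gpg --check-sigs --with-colons` output for the same forged key.
# The self-signature is genuine (the attacker holds the private key), so gpg
# marks it good ('!' in field 2). Field 13 carrying the issuer fingerprint is
# an assumption taken from GnuPG's colon-format (DETAILS) description.
CHECK_SIGS_FORGED = f"""\
pub:-:2048:1:{MASTER_KEY_ID}:1316689628:::-:::scESC:
fpr:::::::::{FORGED_FPR}:
uid:-::::1316689628::0000000000000000000000000000000000000000::Forged Archive Key <forged@example.invalid>:
sig:!::1:{MASTER_KEY_ID}:1316689628::::Forged Archive Key <forged@example.invalid>:13x::{FORGED_FPR}:
"""

# Constructed --check-sigs output for a legitimate new archive key that
# carries a good signature from the real master key (invented identities).
LEGIT_FPR = "1234567890ABCDEF1234567890ABCDEF12345678"
CHECK_SIGS_LEGIT = f"""\
pub:-:2048:1:{LEGIT_FPR[-16:]}:1316600000:::-:::scESC:
fpr:::::::::{LEGIT_FPR}:
uid:-::::1316600000::1111111111111111111111111111111111111111::Archive Key 2011 <archive@example.invalid>:
sig:!::1:{LEGIT_FPR[-16:]}:1316600000::::Archive Key 2011 <archive@example.invalid>:13x::{LEGIT_FPR}:
sig:!::1:{MASTER_KEY_ID}:1316600100::::Master Key <master@example.invalid>:10x::{MASTER_FPR}:
"""


def sig_records(listing):
    """Yield the colon-separated fields of every 'sig' record."""
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] == "sig":
            yield fields


def weak_check(listing, master_key_id):
    """The quoted apt-key test: grep ^sig | cut -d: -f5 | grep -q $master_key.
    A regex/substring match on the signer key ID of *any* sig record, with no
    signature verification at all."""
    return any(re.search(master_key_id, f[4]) for f in sig_records(listing))


def keyid_check(listing, master_key_id):
    """--check-sigs plus an exact 64-bit key ID match. Better, but a forged
    key's own self-signature is a valid signature by a key with that ID."""
    return any(f[1] == "!" and f[4] == master_key_id for f in sig_records(listing))


def strict_check(listing, master_fpr):
    """Accept only a signature gpg verified ('!') whose issuer fingerprint
    (field 13, assumed) equals the master key's full 160-bit fingerprint."""
    return any(
        f[1] == "!" and len(f) > 12 and f[12].upper() == master_fpr.upper()
        for f in sig_records(listing)
    )


if __name__ == "__main__":
    for name, listing in [("forged/list-sigs", LIST_SIGS_FORGED),
                          ("forged/check-sigs", CHECK_SIGS_FORGED),
                          ("legit/check-sigs", CHECK_SIGS_LEGIT)]:
        print(f"{name:18} weak={weak_check(listing, MASTER_KEY_ID)!s:5} "
              f"keyid={keyid_check(listing, MASTER_KEY_ID)!s:5} "
              f"strict={strict_check(listing, MASTER_FPR)}")
```

Running the block prints one line per listing: the forged key passes the weak check from a bare --list-sigs listing, still passes a --check-sigs plus key ID test on the strength of its own self-signature, and is rejected only when the verified signature's issuer fingerprint must equal the master key's.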
--- Begin Message ---
On Thu, Sep 22, 2011 at 05:56:31PM -0400, Chris Frey wrote:
> Subject: apt-key uses gpg --list-sigs instead of --check-sigs
> Package: apt
> Version: 0.8.10.3+squeeze1
> Justification: root security hole
> Severity: critical
> Tags: security
> 
> *** Please type your report below this line ***
> 
> Georgi Guninski reported on Full Disclosure a potential bug in apt-key's
> use of gpg --list-sigs, when comparing keys to the master keyring in
> add_keys_with_verify_against_master_keyring(), revealing a potential
> MITM attack for adding keys.
> 
> You can find the original emails here:
> http://marc.info/?l=full-disclosure&m=131668247124444&w=2
> 
> It is a legitimate bug, as far as I can tell, but could use confirmation.
It is a bug for Ubuntu. Debian's apt-key does not support net-update and
is thus not affected.


-- 
Julian Andres Klode  - Debian Developer, Ubuntu Member

See http://wiki.debian.org/JulianAndresKlode and http://jak-linux.org/.

Attachment: pgpYtJruVZBA0.pgp
Description: PGP signature


--- End Message ---
