Bug#677587: apt net-update does not check subkeys for collisions
Package: apt
Version: 0.9.6
Severity: normal
Tags: patch
User: ubuntu-devel@lists.ubuntu.com
Usertags: origin-ubuntu quantal ubuntu-patch
Dear Maintainer,
In Ubuntu, the attached patch was applied to achieve the following:
* adjust apt-key to ensure no collisions on subkeys too. Patch thanks to
Marc Deslauriers. (LP: #1013128)
This is in response to http://seclists.org/fulldisclosure/2012/Jun/267.
It doesn't look like apt-key is directly expolitable (by chance) and
IIRC Debian doesn't use apt-key net-update. While I expect Michael Vogt
will push this into Debian, I am filing this for tracking purposes.
For more information and a bzr bundle of the patch, please see:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1013128
-- System Information:
Debian Release: wheezy/sid
APT prefers precise-updates
APT policy: (500, 'precise-updates'), (500, 'precise-security'), (500, 'precise')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-24-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru apt-0.9.6ubuntu1/cmdline/apt-key apt-0.9.6ubuntu2/cmdline/apt-key
--- apt-0.9.6ubuntu1/cmdline/apt-key 2012-06-11 17:00:56.000000000 -0500
+++ apt-0.9.6ubuntu2/cmdline/apt-key 2012-06-14 11:51:01.000000000 -0500
@@ -50,18 +50,20 @@
# all keys that are exported must have a valid signature
# from a key in the $distro-master-keyring
add_keys=`$GPG_CMD --keyring $ADD_KEYRING --with-colons --list-keys | grep ^pub | cut -d: -f5`
+ all_add_keys=`$GPG_CMD --keyring $ADD_KEYRING --with-colons --list-keys | grep ^[ps]ub | cut -d: -f5`
master_keys=`$GPG_CMD --keyring $MASTER --with-colons --list-keys | grep ^pub | cut -d: -f5`
-
- for add_key in $add_keys; do
- # ensure there are no colisions LP: #857472
+ # ensure there are no colisions LP: #857472
+ for all_add_key in $all_add_keys; do
for master_key in $master_keys; do
- if [ "$add_key" = "$master_key" ]; then
- echo >&2 "Keyid collision for '$add_key' detected, operation aborted"
+ if [ "$all_add_key" = "$master_key" ]; then
+ echo >&2 "Keyid collision for '$all_add_key' detected, operation aborted"
return 1
fi
done
-
+ done
+
+ for add_key in $add_keys; do
# export the add keyring one-by-one
rm -f $TMP_KEYRING
$GPG_CMD --keyring $ADD_KEYRING --output $TMP_KEYRING --export $add_key
diff -Nru apt-0.9.6ubuntu1/debian/changelog apt-0.9.6ubuntu2/debian/changelog
Binary files /tmp/qaFS9FADpq/apt-0.9.6ubuntu1/test/integration/exploid-keyring-with-dupe-subkeys.pub and /tmp/h2XtD7JdKl/apt-0.9.6ubuntu2/test/integration/exploid-keyring-with-dupe-subkeys.pub differ
diff -Nru apt-0.9.6ubuntu1/test/integration/test-apt-key-net-update apt-0.9.6ubuntu2/test/integration/test-apt-key-net-update
--- apt-0.9.6ubuntu1/test/integration/test-apt-key-net-update 2012-03-31 15:45:56.000000000 -0500
+++ apt-0.9.6ubuntu2/test/integration/test-apt-key-net-update 2012-06-14 11:51:01.000000000 -0500
@@ -49,6 +49,26 @@
msgpass
fi
+
+# test another possible attack vector using subkeys (LP: #1013128)
+msgtest "add_keys_with_verify_against_master_keyring with subkey attack"
+ADD_KEYRING=./keys/exploid-keyring-with-dupe-subkeys.pub
+if add_keys_with_verify_against_master_keyring $ADD_KEYRING $MASTER_KEYRING; then
+ msgfail
+else
+ msgpass
+fi
+
+# ensure the keyring is still empty
+gpg_out=$($GPG --list-keys)
+msgtest "Test if keyring is empty"
+if [ -n "" ]; then
+ msgfail
+else
+ msgpass
+fi
+
+
# test good keyring and ensure we get no errors
ADD_KEYRING=/usr/share/keyrings/ubuntu-archive-keyring.gpg
if add_keys_with_verify_against_master_keyring $ADD_KEYRING $MASTER_KEYRING; then
@@ -66,3 +86,4 @@
pub 1024D/FBB75451 2004-12-30
uid Ubuntu CD Image Automatic Signing Key <cdimage@ubuntu.com>
' $GPG --list-keys
+
Reply to: