Your message dated Fri, 14 Feb 2014 19:34:12 +0100
with message-id <20140214183412.GA2298@crossbow>
and subject line Re: apt net-update does not check subkeys for collisions
has caused the Debian Bug report #677587,
regarding apt net-update does not check subkeys for collisions
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

-- 
677587: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=677587
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: apt net-update does not check subkeys for collisions
- From: Jamie Strandboge <jamie@ubuntu.com>
- Date: Thu, 14 Jun 2012 21:13:16 -0500
- Message-id: <20120615021316.28926.92441.reportbug@localhost6>
Package: apt
Version: 0.9.6
Severity: normal
Tags: patch
User: ubuntu-devel@lists.ubuntu.com
Usertags: origin-ubuntu quantal ubuntu-patch

Dear Maintainer,

In Ubuntu, the attached patch was applied to achieve the following:

  * adjust apt-key to ensure no collisions on subkeys too. Patch thanks to
    Marc Deslauriers. (LP: #1013128)

This is in response to http://seclists.org/fulldisclosure/2012/Jun/267.
It doesn't look like apt-key is directly exploitable (by chance) and IIRC
Debian doesn't use apt-key net-update. While I expect Michael Vogt will
push this into Debian, I am filing this for tracking purposes.

For more information and a bzr bundle of the patch, please see:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1013128

-- System Information:
Debian Release: wheezy/sid
  APT prefers precise-updates
  APT policy: (500, 'precise-updates'), (500, 'precise-security'), (500, 'precise')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-24-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

diff -Nru apt-0.9.6ubuntu1/cmdline/apt-key apt-0.9.6ubuntu2/cmdline/apt-key --- apt-0.9.6ubuntu1/cmdline/apt-key 2012-06-11 17:00:56.000000000 -0500 +++ apt-0.9.6ubuntu2/cmdline/apt-key 2012-06-14 11:51:01.000000000 -0500 
@@ -50,18 +50,20 @@ # all keys that are exported must have a valid signature # from a key in the $distro-master-keyring add_keys=`$GPG_CMD --keyring $ADD_KEYRING --with-colons --list-keys | grep ^pub | cut -d: -f5` + all_add_keys=`$GPG_CMD --keyring $ADD_KEYRING --with-colons --list-keys | grep ^[ps]ub | cut -d: -f5` master_keys=`$GPG_CMD --keyring $MASTER --with-colons --list-keys | grep ^pub | cut -d: -f5` - - for add_key in $add_keys; do - # ensure there are no colisions LP: #857472 + # ensure there are no colisions LP: #857472 + for all_add_key in $all_add_keys; do for master_key in $master_keys; do - if [ "$add_key" = "$master_key" ]; then - echo >&2 "Keyid collision for '$add_key' detected, operation aborted" + if [ "$all_add_key" = "$master_key" ]; then + echo >&2 "Keyid collision for '$all_add_key' detected, operation aborted" return 1 fi done - + done + + for add_key in $add_keys; do # export the add keyring one-by-one rm -f $TMP_KEYRING $GPG_CMD --keyring $ADD_KEYRING --output $TMP_KEYRING --export $add_key diff -Nru apt-0.9.6ubuntu1/debian/changelog apt-0.9.6ubuntu2/debian/changelog Binary files /tmp/qaFS9FADpq/apt-0.9.6ubuntu1/test/integration/exploid-keyring-with-dupe-subkeys.pub and /tmp/h2XtD7JdKl/apt-0.9.6ubuntu2/test/integration/exploid-keyring-with-dupe-subkeys.pub differ diff -Nru apt-0.9.6ubuntu1/test/integration/test-apt-key-net-update apt-0.9.6ubuntu2/test/integration/test-apt-key-net-update --- apt-0.9.6ubuntu1/test/integration/test-apt-key-net-update 2012-03-31 15:45:56.000000000 -0500 +++ apt-0.9.6ubuntu2/test/integration/test-apt-key-net-update 2012-06-14 11:51:01.000000000 -0500 
@@ -49,6 +49,26 @@ msgpass fi + +# test another possible attack vector using subkeys (LP: #1013128) +msgtest "add_keys_with_verify_against_master_keyring with subkey attack" +ADD_KEYRING=./keys/exploid-keyring-with-dupe-subkeys.pub +if add_keys_with_verify_against_master_keyring $ADD_KEYRING $MASTER_KEYRING; then + msgfail +else + msgpass +fi + +# ensure the keyring is still empty +gpg_out=$($GPG --list-keys) +msgtest "Test if keyring is empty" +if [ -n "" ]; then + msgfail +else + msgpass +fi + + # test good keyring and ensure we get no errors ADD_KEYRING=/usr/share/keyrings/ubuntu-archive-keyring.gpg if add_keys_with_verify_against_master_keyring $ADD_KEYRING $MASTER_KEYRING; then @@ -66,3 +86,4 @@ pub 1024D/FBB75451 2004-12-30 uid Ubuntu CD Image Automatic Signing Key <cdimage@ubuntu.com> ' $GPG --list-keys +
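Review bot: the collision check in the cmdline/apt-key hunk is asymmetric: `all_add_keys` now collects both `pub` and `sub` key IDs from the keyring being added, but `master_keys` is still built with `grep ^pub`, so nothing in the added keyring is ever compared against subkeys of the master keyring. Unless that is deliberate, list the master side with `grep ^[ps]ub` as well. Quote the patterns while at it (`grep '^[ps]ub'`): an unquoted bracket expression is a shell glob and would be expanded against matching file names in the current directory before grep sees it. The keyring paths `$ADD_KEYRING` and `$MASTER` also remain unquoted, as in the surrounding code.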
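Review bot: the "ensure the keyring is still empty" check in the test-apt-key-net-update hunk can never fail: `gpg_out` is captured from `$GPG --list-keys` but the condition tests the literal empty string, `if [ -n "" ]; then`, so `msgpass` is reached whatever the keyring contains. Change it to `if [ -n "$gpg_out" ]; then` so the new subkey-collision test actually verifies that the rejected keyring left nothing behind.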
--- End Message ---
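The collision check the report above describes, as an added example that is not part of the bug report, the attached patch or apt's own apt-key: a POSIX sh script over constructed `gpg --with-colons --list-keys` listings (the key IDs and user IDs are made up) that gathers `pub` and `sub` key IDs from both the keyring to be added and the master keyring, so a subkey that collides with a master subkey is also rejected. That is one step beyond the patch, which lists only primary keys on the master side. The function names `keyids` and `find_collisions` are this example's own.

```shell
#!/bin/sh
# Added example, not apt's own apt-key code: detect key ID collisions between
# a keyring to be added and a master keyring, using the machine-readable
# `gpg --with-colons --list-keys` record format. Both primary keys (pub) and
# subkeys (sub) are considered on BOTH sides; field 5 of a record is the key ID.

# Constructed sample listings (key IDs and user IDs are made up).
# A real run would produce them with: gpg --keyring "$KEYRING" --with-colons --list-keys
MASTER_LISTING='pub:-:4096:1:1111111111111111:1300000000::-:::scSC::::::
uid:-::::1300000000::0000::Example Master Key <master@example.invalid>::::::::::
sub:-:4096:1:2222222222222222:1300000000::::::s::::::'

# A keyring to be added whose subkey ID collides with the master subkey ID.
ADD_LISTING='pub:-:2048:1:3333333333333333:1400000000::-:::scSC::::::
uid:-::::1400000000::0000::Example Added Key <add@example.invalid>::::::::::
sub:-:2048:1:2222222222222222:1400000000::::::e::::::'

# A well-behaved keyring with no overlapping key IDs.
CLEAN_LISTING='pub:-:2048:1:4444444444444444:1400000000::-:::scSC::::::
uid:-::::1400000000::0000::Example Clean Key <clean@example.invalid>::::::::::
sub:-:2048:1:5555555555555555:1400000000::::::e::::::'

# keyids LISTING: print the key ID (field 5) of every pub and sub record,
# one per line. The grep pattern is quoted so the shell cannot glob it.
keyids() {
    printf '%s\n' "$1" | grep '^[ps]ub:' | cut -d: -f5
}

# find_collisions ADD_LISTING MASTER_LISTING: print every key ID present in
# both listings; return 0 if none collide, 1 otherwise (caller aborts import).
find_collisions() {
    add_ids=$(keyids "$1")
    master_ids=$(keyids "$2")
    status=0
    for add_id in $add_ids; do
        for master_id in $master_ids; do
            if [ "$add_id" = "$master_id" ]; then
                printf '%s\n' "$add_id"
                status=1
            fi
        done
    done
    return "$status"
}

# Usage: the colliding subkey aborts the import, the clean keyring is accepted.
if find_collisions "$ADD_LISTING" "$MASTER_LISTING"; then
    echo "no collision found"
else
    echo "Keyid collision detected, import would be aborted"
fi
find_collisions "$CLEAN_LISTING" "$MASTER_LISTING" >/dev/null && echo "clean keyring accepted"
```

Comparing full 16-hex-digit key IDs as `--with-colons` prints them is the point of the check: the import path works by key ID, so any overlap between the two keyrings, primary or subkey, is reason to stop before exporting anything.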
--- Begin Message ---
- To: 677587-done@bugs.debian.org
- Subject: Re: apt net-update does not check subkeys for collisions
- From: David Kalnischkies <david@kalnischkies.de>
- Date: Fri, 14 Feb 2014 19:34:12 +0100
- Message-id: <20140214183412.GA2298@crossbow>
Version: 0.9.14

Hi,

(it was probably a bit earlier - but the difference is non-existent as
Debian doesn't have net-update support)

> IIRC Debian doesn't use apt-key net-update. While I expect Michael Vogt
> will push this into Debian, I am filing this for tracking purposes.

So for tracking purposes let's close this one now as the code is exactly
the same between Debian and Ubuntu in the meantime and disabled by default.
Debian isn't even using it at all as there doesn't exist the notion of a
'master key' here.

Closing as "done".

Best regards

David Kalnischkies
--- End Message ---