
Bug#762889: apt-get should ignore cached data in case of invalid signature or hash mismatch



Package: apt
Version: 0.9.7.9+deb7u1
Tags: security

When running `apt-get update`, I noticed that it couldn't update some of the lists because of invalid signatures (BADSIG). This happens most frequently when `Release` files don't correspond to `Release.gpg`. I thought that it might be some caching issue, so I removed all files from `/var/lib/apt/lists/partial`, and the problem disappeared.

I think that this should happen automatically. Some wrong data might get cached for various reasons, and it's wrong if manual intervention is required to make apt-get work again. I think that in case of verification errors, such as a bad signature, hash mismatch, expired Release file, etc., apt-get should download all files that may cause the error without using cached data. For example, in case of a hash mismatch for a list file it should download both that file and the Release file with its hash, as the error can be caused by any of them. If the Release file is re-downloaded, Release.gpg should be re-downloaded too, and the signature should be re-checked.

Bottom line: wrong data in the (unverified) cache should not prevent apt-get from working.

Marking this as a security issue because an attacker can poison the cache just once to prevent unattended-upgrade from working.
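
The manual workaround from the report (clear `/var/lib/apt/lists/partial` after a verification error, then update again) can be scripted as below. This is an added example, not part of the original report and not apt's own code; it automates the workaround only, not the selective re-download the report proposes. The function names and the `PARTIAL_DIR` and `APT_UPDATE` variables are hypothetical, and the patterns other than BADSIG are assumptions about apt's message wording.

```shell
#!/bin/sh
# Added example: retry "apt-get update" once after discarding unverified
# partial downloads. PARTIAL_DIR and APT_UPDATE are hypothetical overrides
# so the logic can be exercised without touching a real system.
PARTIAL_DIR="${PARTIAL_DIR:-/var/lib/apt/lists/partial}"
APT_UPDATE="${APT_UPDATE:-apt-get update}"

# Succeeds if the apt output on stdin reports a verification failure.
# BADSIG is the error named in the report; the other two patterns are
# assumptions covering hash mismatch and an expired Release file.
is_verification_error() {
    grep -Eq 'BADSIG|Hash Sum mismatch|Release file.*expired'
}

# Run the update. If the output shows a verification error, delete the files
# in PARTIAL_DIR and retry once. Returns 0 on a clean run, the original exit
# status for unrelated failures, and 1 if verification still fails.
update_with_cache_reset() {
    rc=0; out=$($APT_UPDATE 2>&1) || rc=$?
    printf '%s\n' "$out"
    # Check the output too, not only the exit status.
    if ! printf '%s\n' "$out" | is_verification_error; then
        return "$rc"   # clean run or unrelated failure: leave the cache alone
    fi
    echo "verification error: clearing $PARTIAL_DIR and retrying" >&2
    find "$PARTIAL_DIR" -mindepth 1 -maxdepth 1 -type f -delete
    rc=0; out=$($APT_UPDATE 2>&1) || rc=$?
    printf '%s\n' "$out"
    if [ "$rc" -ne 0 ] || printf '%s\n' "$out" | is_verification_error; then
        return 1       # still failing: needs a human, do not loop
    fi
    return 0
}
```

A failure that persists after the single retry is returned to the caller rather than retried again, so a mirror that keeps serving a mismatched `Release`/`Release.gpg` pair shows up as an error in monitoring.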

