
Bug#677587: marked as done (apt net-update does not check subkeys for collisions)



Your message dated Fri, 14 Feb 2014 19:34:12 +0100
with message-id <20140214183412.GA2298@crossbow>
and subject line Re: apt net-update does not check subkeys for collisions
has caused the Debian Bug report #677587,
regarding apt net-update does not check subkeys for collisions
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
677587: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=677587
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: apt
Version: 0.9.6
Severity: normal
Tags: patch
User: ubuntu-devel@lists.ubuntu.com
Usertags: origin-ubuntu quantal ubuntu-patch

Dear Maintainer,

In Ubuntu, the attached patch was applied to achieve the following:

  * adjust apt-key to ensure no collisions on subkeys too. Patch thanks to
    Marc Deslauriers. (LP: #1013128)

This is in response to http://seclists.org/fulldisclosure/2012/Jun/267.
It doesn't look like apt-key is directly exploitable (by chance) and
IIRC Debian doesn't use apt-key net-update. While I expect Michael Vogt
will push this into Debian, I am filing this for tracking purposes.

For more information and a bzr bundle of the patch, please see:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1013128


-- System Information:
Debian Release: wheezy/sid
  APT prefers precise-updates
  APT policy: (500, 'precise-updates'), (500, 'precise-security'), (500, 'precise')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-24-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru apt-0.9.6ubuntu1/cmdline/apt-key apt-0.9.6ubuntu2/cmdline/apt-key
--- apt-0.9.6ubuntu1/cmdline/apt-key	2012-06-11 17:00:56.000000000 -0500
+++ apt-0.9.6ubuntu2/cmdline/apt-key	2012-06-14 11:51:01.000000000 -0500
@@ -50,18 +50,20 @@
     #   all keys that are exported must have a valid signature
     #   from a key in the $distro-master-keyring
     add_keys=`$GPG_CMD --keyring $ADD_KEYRING --with-colons --list-keys | grep ^pub | cut -d: -f5`
+    all_add_keys=`$GPG_CMD --keyring $ADD_KEYRING --with-colons --list-keys | grep ^[ps]ub | cut -d: -f5`
     master_keys=`$GPG_CMD --keyring $MASTER --with-colons --list-keys | grep ^pub | cut -d: -f5`
-    
-    for add_key in $add_keys; do
 
-        # ensure there are no colisions LP: #857472
+    # ensure there are no colisions LP: #857472
+    for all_add_key in $all_add_keys; do
 	for master_key in $master_keys; do
-            if [ "$add_key" = "$master_key" ]; then
-                echo >&2 "Keyid collision for '$add_key' detected, operation aborted"
+            if [ "$all_add_key" = "$master_key" ]; then
+                echo >&2 "Keyid collision for '$all_add_key' detected, operation aborted"
                 return 1
             fi
         done
-
+    done
+    
+    for add_key in $add_keys; do
         # export the add keyring one-by-one
         rm -f $TMP_KEYRING
         $GPG_CMD --keyring $ADD_KEYRING --output $TMP_KEYRING --export $add_key 
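Review bot: `master_keys` is still built with `grep ^pub`, so the new loop compares the added keyring's primary keys and subkeys only against the master keyring's primary keys; a subkey present in the master keyring never takes part in the comparison. Unless the master keyring is known to carry no subkeys, build `master_keys` with the same `^[ps]ub` pattern as `all_add_keys`. Also quote both patterns (`grep '^[ps]ub'`): unquoted, `[ps]` is a shell glob and would be expanded if a file named `^pub` or `^sub` exists in the current directory. Minor: the moved comment still reads "colisions", and the added listing re-runs gpg over `$ADD_KEYRING` when one `--with-colons` listing could feed both `add_keys` and `all_add_keys`.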
diff -Nru apt-0.9.6ubuntu1/debian/changelog apt-0.9.6ubuntu2/debian/changelog
Binary files /tmp/qaFS9FADpq/apt-0.9.6ubuntu1/test/integration/exploid-keyring-with-dupe-subkeys.pub and /tmp/h2XtD7JdKl/apt-0.9.6ubuntu2/test/integration/exploid-keyring-with-dupe-subkeys.pub differ
diff -Nru apt-0.9.6ubuntu1/test/integration/test-apt-key-net-update apt-0.9.6ubuntu2/test/integration/test-apt-key-net-update
--- apt-0.9.6ubuntu1/test/integration/test-apt-key-net-update	2012-03-31 15:45:56.000000000 -0500
+++ apt-0.9.6ubuntu2/test/integration/test-apt-key-net-update	2012-06-14 11:51:01.000000000 -0500
@@ -49,6 +49,26 @@
     msgpass
 fi
 
+
+# test another possible attack vector using subkeys (LP: #1013128)
+msgtest "add_keys_with_verify_against_master_keyring with subkey attack"
+ADD_KEYRING=./keys/exploid-keyring-with-dupe-subkeys.pub
+if add_keys_with_verify_against_master_keyring $ADD_KEYRING $MASTER_KEYRING; then
+    msgfail
+else
+    msgpass
+fi
+
+# ensure the keyring is still empty
+gpg_out=$($GPG --list-keys)
+msgtest "Test if keyring is empty"
+if [ -n "" ]; then
+    msgfail
+else
+    msgpass
+fi
+
+
 # test good keyring and ensure we get no errors
 ADD_KEYRING=/usr/share/keyrings/ubuntu-archive-keyring.gpg
 if add_keys_with_verify_against_master_keyring $ADD_KEYRING $MASTER_KEYRING; then
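Review bot: the "Test if keyring is empty" check is a no-op: `if [ -n "" ]` tests a literal empty string, so it can never fail, and `gpg_out` is captured but never read. It should be `if [ -n "$gpg_out" ]; then msgfail` so the test actually fails when the subkey fixture has left keys in the keyring. The fixture name `exploid-keyring-with-dupe-subkeys.pub` presumably means "exploit"; since the binary file is introduced in this same upload, renaming it now is cheap.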
@@ -66,3 +86,4 @@
 pub   1024D/FBB75451 2004-12-30
 uid                  Ubuntu CD Image Automatic Signing Key <cdimage@ubuntu.com>
 ' $GPG --list-keys
+
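Review bot: this last hunk only appends an empty line at the end of the test script; drop it so the patch is limited to the functional change.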

--- End Message ---
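The key-ID collision check the patch above changes, as an added example that is not apt's own code and not part of the bug report: it runs the same pub/sub comparison over constructed `gpg --with-colons --list-keys` listings (every ID, date and user ID below is made up; field 5 of a `pub:`/`sub:` record is the long key ID) so it can be run without any keyring. `old_check` is the pre-patch logic, `patched_check` is what the hunk does (added primaries and subkeys against master primaries only), and `strict_check` goes one step beyond the patch by also including the master keyring's subkeys; the names of all three functions and of the listings are this example's own.

```shell
#!/bin/sh
# Added example, not apt's code: apt-key net-update's key-ID collision
# check run over constructed `gpg --with-colons --list-keys` output.
# Field 5 of a pub:/sub: record is the long key ID; the rest is made up.

# Constructed: the keyring being added carries a subkey whose ID equals
# the master keyring's primary key ID.
ADD_SUBKEY_CLASH='tru::1:1339000000:0:3:1:5
pub:-:4096:1:1111111111111111:1339000000:::-:::scESC:
uid:-::::1339000000::0000::Constructed Key A <a@example.invalid>:
sub:-:4096:1:FFFFFFFFFFFFFFFF:1339000000::::::e:'

MASTER_PRIMARY_ONLY='tru::1:1339000000:0:3:1:5
pub:-:1024:17:FFFFFFFFFFFFFFFF:1104364800:::-:::scESC:
uid:-::::1104364800::0000::Constructed Master <m@example.invalid>:'

# Constructed: the master keyring has a subkey, and the keyring being
# added carries a primary key reusing that subkey's ID.
ADD_PRIMARY_CLASH='tru::1:1339000000:0:3:1:5
pub:-:4096:1:EEEEEEEEEEEEEEEE:1339000000:::-:::scESC:
uid:-::::1339000000::0000::Constructed Key B <b@example.invalid>:'

MASTER_WITH_SUBKEY='tru::1:1339000000:0:3:1:5
pub:-:1024:17:FFFFFFFFFFFFFFFF:1104364800:::-:::scESC:
uid:-::::1104364800::0000::Constructed Master <m@example.invalid>:
sub:-:2048:16:EEEEEEEEEEEEEEEE:1104364800::::::e:'

# key_ids LISTING REGEX: key IDs (field 5) of the records matching REGEX.
# The pattern is quoted so that [ps] is never treated as a shell glob.
key_ids() {
    printf '%s\n' "$1" | grep "$2" | cut -d: -f5
}

# collides ADD_IDS MASTER_IDS: exit 0 if the two whitespace-separated
# ID sets share an element, mirroring the nested loop in apt-key.
collides() {
    for a in $1; do
        for m in $2; do
            if [ "$a" = "$m" ]; then
                echo >&2 "Keyid collision for '$a' detected, operation aborted"
                return 0
            fi
        done
    done
    return 1
}

# Before the patch: added primaries vs. master primaries.
old_check() {
    collides "$(key_ids "$1" '^pub')" "$(key_ids "$2" '^pub')"
}

# As patched: added primaries and subkeys vs. master primaries.
patched_check() {
    collides "$(key_ids "$1" '^[ps]ub')" "$(key_ids "$2" '^pub')"
}

# One step beyond the patch: subkeys on both sides.
strict_check() {
    collides "$(key_ids "$1" '^[ps]ub')" "$(key_ids "$2" '^[ps]ub')"
}

# report LABEL CHECK ADD_LISTING MASTER_LISTING: print CHECK's verdict.
report() {
    if "$2" "$3" "$4" 2>/dev/null; then
        echo "$1: collision detected, import refused"
    else
        echo "$1: no collision seen, import would proceed"
    fi
}

echo "added subkey reuses a master primary ID:"
report "  old_check    " old_check     "$ADD_SUBKEY_CLASH"  "$MASTER_PRIMARY_ONLY"
report "  patched_check" patched_check "$ADD_SUBKEY_CLASH"  "$MASTER_PRIMARY_ONLY"
report "  strict_check " strict_check  "$ADD_SUBKEY_CLASH"  "$MASTER_PRIMARY_ONLY"
echo "added primary reuses a master subkey ID:"
report "  old_check    " old_check     "$ADD_PRIMARY_CLASH" "$MASTER_WITH_SUBKEY"
report "  patched_check" patched_check "$ADD_PRIMARY_CLASH" "$MASTER_WITH_SUBKEY"
report "  strict_check " strict_check  "$ADD_PRIMARY_CLASH" "$MASTER_WITH_SUBKEY"
```

Run it with any POSIX sh. The first scenario is the one the patch closes: only `old_check` lets the keyring through. The second scenario is the gap the patch leaves, since `master_keys` in the hunk is still collected with `^pub`: both `old_check` and `patched_check` see no collision, while `strict_check` refuses the import. Whether that second case matters in practice depends on the master keyring carrying subkeys at all.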
--- Begin Message ---
Version: 0.9.14

Hi,

(it was probably a bit earlier - but the difference is non-existent as
 Debian doesn't have net-update support)

> IIRC Debian doesn't use apt-key net-update. While I expect Michael Vogt
> will push this into Debian, I am filing this for tracking purposes.

So for tracking purposes let's close this one now as the code is exactly
the same between Debian and Ubuntu in the meantime and disabled by
default. Debian isn't even using it at all as there doesn't exist the
notion of a 'master key' here. Closing as "done".


Best regards

David Kalnischkies

Attachment: signature.asc
Description: Digital signature


--- End Message ---
