Your message dated Fri, 14 Feb 2014 19:34:12 +0100
with message-id <20140214183412.GA2298@crossbow>
and subject line Re: apt net-update does not check subkeys for collisions
has caused the Debian Bug report #677587,
regarding apt net-update does not check subkeys for collisions
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
677587: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=677587
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: apt
Version: 0.9.6
Severity: normal
Tags: patch
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu quantal ubuntu-patch
Dear Maintainer,
In Ubuntu, the attached patch was applied to achieve the following:
* adjust apt-key to ensure no collisions on subkeys too. Patch thanks to
Marc Deslauriers. (LP: #1013128)
This is in response to http://seclists.org/fulldisclosure/2012/Jun/267.
It doesn't look like apt-key is directly exploitable (by chance) and
IIRC Debian doesn't use apt-key net-update. While I expect Michael Vogt
will push this into Debian, I am filing this for tracking purposes.
For more information and a bzr bundle of the patch, please see:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1013128
-- System Information:
Debian Release: wheezy/sid
APT prefers precise-updates
APT policy: (500, 'precise-updates'), (500, 'precise-security'), (500, 'precise')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-24-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru apt-0.9.6ubuntu1/cmdline/apt-key apt-0.9.6ubuntu2/cmdline/apt-key
--- apt-0.9.6ubuntu1/cmdline/apt-key 2012-06-11 17:00:56.000000000 -0500
+++ apt-0.9.6ubuntu2/cmdline/apt-key 2012-06-14 11:51:01.000000000 -0500
@@ -50,18 +50,20 @@
# all keys that are exported must have a valid signature
# from a key in the $distro-master-keyring
add_keys=`$GPG_CMD --keyring $ADD_KEYRING --with-colons --list-keys | grep ^pub | cut -d: -f5`
+ all_add_keys=`$GPG_CMD --keyring $ADD_KEYRING --with-colons --list-keys | grep ^[ps]ub | cut -d: -f5`
master_keys=`$GPG_CMD --keyring $MASTER --with-colons --list-keys | grep ^pub | cut -d: -f5`
-
- for add_key in $add_keys; do
- # ensure there are no colisions LP: #857472
+ # ensure there are no colisions LP: #857472
+ for all_add_key in $all_add_keys; do
for master_key in $master_keys; do
- if [ "$add_key" = "$master_key" ]; then
- echo >&2 "Keyid collision for '$add_key' detected, operation aborted"
+ if [ "$all_add_key" = "$master_key" ]; then
+ echo >&2 "Keyid collision for '$all_add_key' detected, operation aborted"
return 1
fi
done
-
+ done
+
+ for add_key in $add_keys; do
# export the add keyring one-by-one
rm -f $TMP_KEYRING
$GPG_CMD --keyring $ADD_KEYRING --output $TMP_KEYRING --export $add_key
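Review bot: the collision check is asymmetric after this hunk: `all_add_keys` now includes `sub` records from the add keyring, but `master_keys` is still built with `grep ^pub` on the master keyring, so a subkey id on the master side is never compared against anything. If the master keyring is expected to hold only primary keys, a one-line comment stating that assumption would help; otherwise use the same `^[ps]ub` selection on both sides. Two smaller points in the same lines: `^[ps]ub` is an unquoted bracket glob and will be expanded by the shell if a file matching it exists in the working directory, so write `grep '^[ps]ub'`; and the moved comment still reads "colisions" (should be "collisions").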
diff -Nru apt-0.9.6ubuntu1/debian/changelog apt-0.9.6ubuntu2/debian/changelog
Binary files /tmp/qaFS9FADpq/apt-0.9.6ubuntu1/test/integration/exploid-keyring-with-dupe-subkeys.pub and /tmp/h2XtD7JdKl/apt-0.9.6ubuntu2/test/integration/exploid-keyring-with-dupe-subkeys.pub differ
diff -Nru apt-0.9.6ubuntu1/test/integration/test-apt-key-net-update apt-0.9.6ubuntu2/test/integration/test-apt-key-net-update
--- apt-0.9.6ubuntu1/test/integration/test-apt-key-net-update 2012-03-31 15:45:56.000000000 -0500
+++ apt-0.9.6ubuntu2/test/integration/test-apt-key-net-update 2012-06-14 11:51:01.000000000 -0500
@@ -49,6 +49,26 @@
msgpass
fi
+
+# test another possible attack vector using subkeys (LP: #1013128)
+msgtest "add_keys_with_verify_against_master_keyring with subkey attack"
+ADD_KEYRING=./keys/exploid-keyring-with-dupe-subkeys.pub
+if add_keys_with_verify_against_master_keyring $ADD_KEYRING $MASTER_KEYRING; then
+ msgfail
+else
+ msgpass
+fi
+
+# ensure the keyring is still empty
+gpg_out=$($GPG --list-keys)
+msgtest "Test if keyring is empty"
+if [ -n "" ]; then
+ msgfail
+else
+ msgpass
+fi
+
+
# test good keyring and ensure we get no errors
ADD_KEYRING=/usr/share/keyrings/ubuntu-archive-keyring.gpg
if add_keys_with_verify_against_master_keyring $ADD_KEYRING $MASTER_KEYRING; then
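Review bot: the "Test if keyring is empty" check added in this hunk can never fail: `gpg_out=$($GPG --list-keys)` is captured, but the test is `if [ -n "" ]`, which tests a literal empty string, so `msgpass` is reached whatever `$GPG --list-keys` printed. It should be `if [ -n "$gpg_out" ]; then msgfail`, or test the command output directly. Note also that the new test depends on the binary fixture `exploid-keyring-with-dupe-subkeys.pub`, which appears in the diff only as a "Binary files ... differ" line, so the patch as quoted here is not applicable without fetching that fixture separately (the bzr bundle on the Launchpad bug is referenced above).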
@@ -66,3 +86,4 @@
pub 1024D/FBB75451 2004-12-30
uid Ubuntu CD Image Automatic Signing Key <cdim...@ubuntu.com>
' $GPG --list-keys
+
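Review bot: this last hunk only appends an empty line at the end of the test script; it is unrelated to the fix and can be dropped to keep the diff minimal.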
--- End Message ---
--- Begin Message ---
Version: 0.9.14
Hi,
(it was probably a bit earlier - but the difference is non-existent as
Debian doesn't have net-update support)
> IIRC Debian doesn't use apt-key net-update. While I expect Michael Vogt
> will push this into Debian, I am filing this for tracking purposes.
So for tracking purposes let's close this one now as the code is exactly
the same between Debian and Ubuntu in the meantime and disabled by
default. Debian isn't even using it at all as there doesn't exist the
notion of a 'master key' here. Closing as "done".
Best regards
David Kalnischkies
--- End Message ---