On Thu, Sep 22, 2011 at 23:56, Chris Frey <cdf...@foursquare.net> wrote:
> Georgi Guninski reported on Full Disclosure a potential bug in apt-key's
> use of gpg --list-sigs, when comparing keys to the master keyring in
> add_keys_with_verify_against_master_keyring(), revealing a potential
> MITM attack for adding keys.

While the bug itself is valid, it doesn't apply to stock Debian as it
doesn't have ARCHIVE_KEYRING_URI set, so the result of running
'apt-key net-update' on a Debian box is:

  ERROR: Your distribution is not supported in net-update as no uri for the archive-keyring is set

The only distribution I know of which enables this feature (as it was
developed by them) is Ubuntu, which has immediately reacted by commenting
the mentioned variable out until a proper fix exists [0].

Note though that derivatives of Ubuntu might use 'their' apt with the
feature enabled (which is, depending on their release model,
useless/strange as their 'replacement' archive-keyring will probably not
be signed by the ubuntu-master-key…) so these might be affected, too.

Or in short:

  $ grep '^[^#]*ARCHIVE_KEYRING_URI[ ]*=' /usr/bin/apt-key
  ARCHIVE_KEYRING_URI=""

If you have the same output you are safe.
(I leave it as an exercise for the reader to come up with more
complicated regexes to check for the value - for Debian this one is
already overkill…)

Best regards

David Kalnischkies

[0] https://bugs.launchpad.net/ubuntu/+source/apt/+bug/856489
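A self-check for the condition described above, added here as an example and not part of the thread: a POSIX sh function that extracts the effective ARCHIVE_KEYRING_URI assignment from an apt-key script (covering commented-out lines, quoting, trailing comments and "last assignment wins", the "more complicated regexes" the reply leaves to the reader) and reports whether net-update is enabled, run against three constructed fragments; the keyring URL in the samples is a placeholder, not a real one.

```shell
#!/bin/sh
# Added example (not from the thread): is net-update effectively enabled in
# an apt-key script, i.e. is there an uncommented, non-empty
# ARCHIVE_KEYRING_URI assignment?

# Print the effective ARCHIVE_KEYRING_URI of the given apt-key script
# (default /usr/bin/apt-key); prints nothing when it is unset or empty.
apt_key_archive_uri() {
    script="${1:-/usr/bin/apt-key}"
    # Only assignments that start the line count (a leading '#' comments
    # them out); the shell keeps the last one, so take the last match.
    line=$(grep -E '^[[:space:]]*ARCHIVE_KEYRING_URI[[:space:]]*=' "$script" | tail -n 1)
    value=${line#*=}
    # Strip surrounding whitespace, a trailing " # comment", and one layer
    # of double or single quotes.
    printf '%s' "$value" | sed \
        -e 's/^[[:space:]]*//' \
        -e 's/[[:space:]]\{1,\}#.*$//' \
        -e 's/[[:space:]]*$//' \
        -e 's/^"\(.*\)"$/\1/' \
        -e "s/^'\(.*\)'\$/\1/"
}

# Exit 0 if net-update is enabled (non-empty URI), 1 if it is disabled.
apt_key_net_update_enabled() {
    [ -n "$(apt_key_archive_uri "$1")" ]
}

# Constructed fragments standing in for the relevant line of three builds:
# stock Debian, a build with the feature on, and Ubuntu's commented-out fix.
SAMPLE_DEBIAN='ARCHIVE_KEYRING_URI=""'
SAMPLE_ENABLED='ARCHIVE_KEYRING_URI="http://keyring.example.org/archive.gpg" # placeholder'
SAMPLE_COMMENTED='#ARCHIVE_KEYRING_URI="http://keyring.example.org/archive.gpg"'

# Write a fragment into a temporary script and print "enabled"/"disabled".
verdict_for_fragment() {
    f=$(mktemp)
    printf '#!/bin/sh\n%s\n' "$1" > "$f"
    if apt_key_net_update_enabled "$f"; then echo enabled; else echo disabled; fi
    rm -f "$f"
}

for s in "$SAMPLE_DEBIAN" "$SAMPLE_ENABLED" "$SAMPLE_COMMENTED"; do
    printf '%s -> %s\n' "$s" "$(verdict_for_fragment "$s")"
done
```

Run it without arguments against a real box by calling `apt_key_net_update_enabled` with no path; "disabled" is the output the reply describes as safe.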