[Bug 857472] Re: net-update verifcation checking insecure
** Tags added: id-5d106c1d683546484e9cb04e

--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/857472

Title:
  net-update verifcation checking insecure

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/857472/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 857472] Re: net-update verifcation checking insecure
** Changed in: apt (Ubuntu)
    Milestone: ubuntu-11.10 => None
[Bug 857472] Re: net-update verifcation checking insecure
This bug was fixed in the package apt - 0.8.16~exp5ubuntu13

---
apt (0.8.16~exp5ubuntu13) oneiric; urgency=low

  [ Adam Conrad ]
  * On armel, call update-apt-xapian-index with '-u' to keep the CPU
    and I/O usage low. We would do this on all arches, but there's a
    regression risk here, but that's better than killing slow systems.

  [ Michael Vogt ]
  * cmdline/apt-key:
    - fix apt-key net-update, thanks to Marc Deslauriers and Adam
      Conrad for the code review (LP: #857472)

 -- Michael Vogt   Thu, 06 Oct 2011 16:14:41 +0200

** Changed in: apt (Ubuntu Oneiric)
       Status: In Progress => Fix Released
[Bug 857472] Re: net-update verifcation checking insecure
** Branch linked: lp:apt
[Bug 857472] Re: net-update verifcation checking insecure
After discussing some improvements with Michael, I can't think of any issues with r1935 right now. sbeattie is looking at it also.
[Bug 857472] Re: net-update verifcation checking insecure
** Branch linked: lp:~mvo/apt/apt-key-master-keyring-fix2

** Changed in: apt (Ubuntu Oneiric)
       Status: Confirmed => In Progress
[Bug 857472] Re: net-update verifcation checking insecure
** Changed in: apt (Ubuntu Oneiric)
    Milestone: None => ubuntu-11.10
[Bug 857472] Re: net-update verifcation checking insecure
Well, we could do what Steve originally suggested: export each key from the downloaded keyring one by one, validate it, and import it into a new keyring.
[Bug 857472] Re: net-update verifcation checking insecure
That's a very good point, Marc. I get the feeling the other approach (providing a signed version of the keyring or a signature file for it) is actually more robust and we should go with that.
[Bug 857472] Re: net-update verifcation checking insecure
There is also another scenario we should test for. If we decide to add a key to the downloaded keyring, an attacker could then add a duplicate key id for the new key in the spoofed keyring. I'm not sure what gpg would do in that scenario, which key would get parsed first, etc.
[Bug 857472] Re: net-update verifcation checking insecure
After discussion with mvo on IRC I think my objection was incorrect, so I withdraw it.
[Bug 857472] Re: net-update verifcation checking insecure
Hello Colin, thanks for your comment on this. I'm not sure I quite follow the comment; the code is meant to check the following:

for every key we got from the network, check if the same keyid is also in the master-keyring; if that is the case -> abort, as this clearly indicates that something fishy is going on

AFAICS this closes the attack vector described on the full-disclosure list, as the attacker will not be able to "shadow" our master-key-id anymore with the key id duplication. Or am I missing something and/or made a mistake in the code so that I actually check for the wrong thing?
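The check Michael describes in the comment above, written out as an added example; this is not apt's own code (the real apt-key is a shell script that shells out to gpg) and it only mirrors the rule he states: collect the long key IDs of every key in the downloaded keyring and abort if any of them already exists in the master keyring. The OpenPGP handling is a minimal parser I wrote for v4 RSA public-key packets; the two keyrings are constructed in the script from arbitrary integers so it runs offline, and the "fishy" keyring simply contains a copy of the master key, standing in for a forged key that collides on the 64-bit key ID (the quantity Colin's comment in this thread is concerned about).

```python
"""Key-ID overlap check for a downloaded keyring (added example, not apt's code)."""
import hashlib
import struct


def _mpi(x: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: two-byte bit count, then the big-endian value."""
    return struct.pack(">H", x.bit_length()) + x.to_bytes((x.bit_length() + 7) // 8, "big")


def build_pubkey_packet(n: int, e: int = 65537, created: int = 0, subkey: bool = False) -> bytes:
    """Serialise a minimal v4 RSA public-key (tag 6) or subkey (tag 14) packet with an
    old-format header and a two-byte length (RFC 4880 sections 4.2 and 5.5.2).
    n and e are whatever integers the caller passes; below they are constructed
    test values, not real RSA keys."""
    body = b"\x04" + struct.pack(">I", created) + b"\x01" + _mpi(n) + _mpi(e)
    tag = 14 if subkey else 6
    header = bytes([0x80 | (tag << 2) | 0x01]) + struct.pack(">H", len(body))
    return header + body


def iter_packets(data: bytes):
    """Yield (tag, body) for each packet; handles old- and new-format headers."""
    i = 0
    while i < len(data):
        hdr = data[i]
        if not hdr & 0x80:
            raise ValueError(f"bad packet header at offset {i}")
        i += 1
        if hdr & 0x40:  # new-format header (RFC 4880 section 4.2.2)
            tag = hdr & 0x3F
            first = data[i]
            i += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[i] + 192
                i += 1
            elif first == 255:
                length = struct.unpack(">I", data[i:i + 4])[0]
                i += 4
            else:
                raise ValueError("partial body lengths not supported")
        else:  # old-format header: tag in bits 5..2, length type in bits 1..0
            tag = (hdr >> 2) & 0x0F
            ltype = hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            size = (1, 2, 4)[ltype]
            length = int.from_bytes(data[i:i + size], "big")
            i += size
        yield tag, data[i:i + length]
        i += length


def v4_fingerprint(body: bytes) -> bytes:
    """RFC 4880 section 12.2: SHA-1 over 0x99, the two-byte body length, and the body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()


def key_ids(keyring: bytes) -> set:
    """Long (64-bit) key IDs of every primary key and subkey in a keyring, as upper-case hex."""
    ids = set()
    for tag, body in iter_packets(keyring):
        if tag in (6, 14):
            if body[0] != 4:
                raise ValueError("only v4 keys are supported")
            ids.add(v4_fingerprint(body)[-8:].hex().upper())
    return ids


def check_net_update(master_keyring: bytes, downloaded: bytes) -> set:
    """Abort if any key ID from the downloaded keyring is already a master key ID;
    otherwise return the downloaded key IDs that may be imported."""
    overlap = key_ids(downloaded) & key_ids(master_keyring)
    if overlap:
        raise RuntimeError(f"aborting: downloaded keyring duplicates master key id(s) {sorted(overlap)}")
    return key_ids(downloaded)


# Constructed keyrings: the integers are arbitrary 1024-bit values used only so the
# packets parse; they carry no cryptographic meaning.
MASTER_N = (1 << 1023) | 0x4D415354
ARCHIVE_N = (1 << 1023) | 0x41524348
MASTER_KEYRING = build_pubkey_packet(MASTER_N, created=1_000_000_000)
GOOD_DOWNLOAD = build_pubkey_packet(ARCHIVE_N, created=1_100_000_000)
# A downloaded keyring that also carries a key whose key ID matches a master key.
# The master key itself is copied in here; a forged key engineered to collide on the
# 64-bit key ID would trip the same check.
FISHY_DOWNLOAD = GOOD_DOWNLOAD + MASTER_KEYRING


def demo() -> dict:
    """Run the check over both constructed downloads and report the outcome of each."""
    results = {"good": sorted(check_net_update(MASTER_KEYRING, GOOD_DOWNLOAD))}
    try:
        check_net_update(MASTER_KEYRING, FISHY_DOWNLOAD)
        results["fishy"] = "accepted"
    except RuntimeError as exc:
        results["fishy"] = str(exc)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The comparison is deliberately on the 64-bit key ID and nothing else, which is exactly why it closes the shadowing described in the thread and nothing beyond it: a key that differs from a master key in every byte but one still passes, and a key that matches on the ID is rejected regardless of whether its material is genuine.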
[Bug 857472] Re: net-update verifcation checking insecure
I'm a little worried by the assumption here that adding the key size check is sufficient. It's certainly an improvement, but key ID collisions are clearly possible even without this - they're just more work. The key ID isn't *that* long, and it is still many orders of magnitude easier to construct an attack that involves a key ID collision than to brute-force the key itself. Can somebody explain to me how this approach defends against such an attack?

** Changed in: apt (Ubuntu Oneiric)
     Assignee: (unassigned) => Michael Vogt (mvo)
[Bug 857472] Re: net-update verifcation checking insecure
** Tags added: rls-mgr-o-tracking
[Bug 857472] Re: net-update verifcation checking insecure
** Also affects: apt (Ubuntu Oneiric)
   Importance: Critical
       Status: Confirmed
[Bug 857472] Re: net-update verifcation checking insecure
The attachment "Here is a outline of a patch for this, including a test" of this bug report has been identified as being a patch. The ubuntu-reviewers team has been subscribed to the bug report so that they can review the patch. In the event that this is in fact not a patch you can resolve this situation by removing the tag 'patch' from the bug report and editing the attachment so that it is not flagged as a patch. Additionally, if you are a member of the ubuntu-sponsors please also unsubscribe the team from this bug report.

[This is an automated message performed by a Launchpad user owned by Brian Murray. Please contact him regarding any issues with the action taken in this bug report.]

** Tags added: patch
[Bug 857472] Re: net-update verifcation checking insecure
I've made this bug public, so more eyes can look at it.

** Visibility changed to: Public