Ubuntu
apt package

apt-get source fails to warn on unauthenticated packages

Bug #1329274 reported by Michael Vogt on 2014-06-12

264

This bug affects 2 people

	Status	Importance	Assigned to
APT	Fix Released	Unknown	debbugs #749795
apt (Ubuntu)	Fix Released	High	Michael Vogt
Lucid	Fix Released	Medium	Marc Deslauriers
Precise	Fix Released	Medium	Marc Deslauriers
Saucy	Fix Released	Medium	Marc Deslauriers
Trusty	Fix Released	Medium	Marc Deslauriers
Utopic	Fix Released	High	Michael Vogt

Bug Description

apt-get source foo will not warn if the repository that foo belongs to has no signature attached.

It should fails in this case - this is CVE-2014-0478

See original description

Tags:

Related branches

lp://staging/ubuntu/lucid-security/apt

lp://staging/ubuntu/precise-security/apt

lp://staging/ubuntu/saucy-security/apt

lp://staging/ubuntu/trusty-security/apt

CVE References

2014-0478

Michael Vogt (mvo) on 2014-06-12

Changed in apt (Ubuntu):
importance:	Undecided → High
assignee:	nobody → Michael Vogt (mvo)
status:	New → In Progress
information type:	Public → Public Security
description:	updated

Bug Watch Updater (bug-watch-updater) on 2014-06-12

Changed in apt:
status:	Unknown → New

Revision history for this message

Michael Vogt (mvo) wrote on 2014-06-12:

trusty debdiff Edit (4.3 KiB, text/plain)

Revision history for this message

Michael Vogt (mvo) wrote on 2014-06-12:

debdiff for saucy Edit (6.0 KiB, text/plain)

Revision history for this message

Michael Vogt (mvo) wrote on 2014-06-12:

diff for precise Edit (6.9 KiB, text/plain)

Ubuntu Foundations Team Bug Bot (crichton) on 2014-06-12

tags:

added: patch

Revision history for this message

Michael Vogt (mvo) wrote on 2014-06-12:

debdiff for lucid Edit (3.7 KiB, text/plain)

Bug Watch Updater (bug-watch-updater) on 2014-06-13

Changed in apt:
status:	New → Fix Released

Marc Deslauriers (mdeslaur) on 2014-06-13

Changed in apt (Ubuntu Lucid):
assignee:	nobody → Marc Deslauriers (mdeslaur)
Changed in apt (Ubuntu Precise):
assignee:	nobody → Marc Deslauriers (mdeslaur)
Changed in apt (Ubuntu Saucy):
assignee:	nobody → Marc Deslauriers (mdeslaur)
Changed in apt (Ubuntu Trusty):
assignee:	nobody → Marc Deslauriers (mdeslaur)
Changed in apt (Ubuntu Lucid):
status:	New → Confirmed
importance:	Undecided → Medium
Changed in apt (Ubuntu Precise):
status:	New → Confirmed
importance:	Undecided → Medium
Changed in apt (Ubuntu Saucy):
status:	New → Confirmed
importance:	Undecided → Medium
Changed in apt (Ubuntu Trusty):
status:	New → Confirmed
importance:	Undecided → Medium

Revision history for this message

Launchpad Janitor (janitor) wrote on 2014-06-17:

This bug was fixed in the package apt - 0.9.9.1~ubuntu3.2

---------------
apt (0.9.9.1~ubuntu3.2) saucy-security; urgency=low

  * SECURITY UPDATE: incorrect apt-get source validation (LP: #1329274)
    - warn if not authenticated in cmdline/apt-get.cc, added regression
      test to test/integration/test-apt-get-source-authenticated,
      test/integration/framework.
    - CVE-2014-0478
-- Michael Vogt <email address hidden> Thu, 12 Jun 2014 14:02:26 +0200

Changed in apt (Ubuntu Saucy):
status:	Confirmed → Fix Released

Revision history for this message

Launchpad Janitor (janitor) wrote on 2014-06-17:

This bug was fixed in the package apt - 1.0.1ubuntu2.1

---------------
apt (1.0.1ubuntu2.1) trusty-security; urgency=low

  * SECURITY UPDATE: incorrect apt-get source validation (LP: #1329274)
    - warn if not authenticated in apt-private/private-download.*,
      cmdline/apt-get.cc, added regression test to
      test/integration/test-apt-get-source-authenticated.
    - CVE-2014-0478
-- Michael Vogt <email address hidden> Thu, 12 Jun 2014 13:57:38 +0200

Changed in apt (Ubuntu Trusty):
status:	Confirmed → Fix Released

Revision history for this message

Launchpad Janitor (janitor) wrote on 2014-06-17:

This bug was fixed in the package apt - 0.8.16~exp12ubuntu10.17

---------------
apt (0.8.16~exp12ubuntu10.17) precise-security; urgency=low

Changed in apt (Ubuntu Precise):
status:	Confirmed → Fix Released

Revision history for this message

Launchpad Janitor (janitor) wrote on 2014-06-17:

This bug was fixed in the package apt - 0.7.25.3ubuntu9.15

---------------
apt (0.7.25.3ubuntu9.15) lucid-security; urgency=low

  * SECURITY UPDATE: incorrect apt-get source validation (LP: #1329274)
    - warn if not authenticated in cmdline/apt-get.cc.
    - CVE-2014-0478
-- Michael Vogt <email address hidden> Thu, 12 Jun 2014 15:10:43 +0200

Changed in apt (Ubuntu Lucid):
status:	Confirmed → Fix Released

Revision history for this message

TheoB (theo-y) wrote on 2014-06-18:

#10

I don't know why I land up here. The PC tells me there are updates and then it refuses to install the updates. I'm told to check my
connection but my connection is solid !!!

Thank you
Theo

Michael Vogt (mvo) on 2014-06-19

Changed in apt (Ubuntu Utopic):
status:	In Progress → Fix Released

Revision history for this message

Forest Bond (forest-bond) wrote on 2014-07-23:

#11

Question: Why are --force-yes and --assume-yes not honored as they are when checking authenticity of binaries?

Revision history for this message

Marc Deslauriers (mdeslaur) wrote on 2014-07-23:

#12

@ Forest Bond: Please file a new bug, this bug is closed.

Revision history for this message

Forest Bond (forest-bond) wrote on 2014-07-23:

#13

Or at least just --force-yes. --assume-yes is not sufficient to bypass the authenticity check without a prompt. I gather there is a desire to avoid prompting.

Report a bug

This report contains Public Security information

Everyone can see this security related information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Patches

Add patch

Remote bug watches

debbugs #749795
[done grave security] Edit

Bug watches keep track of this bug in other bug trackers.

Ubuntuapt package

apt-get source fails to warn on unauthenticated packages

Bug Description

Related branches

CVE References

Other bug subscribers

Patches

Remote bug watches

Ubuntu
apt package