| 2009-04-06 04:21:59 |
Michael Casadevall |
bug |
|
|
added bug |
| 2009-04-06 04:22:33 |
Michael Casadevall |
nominated for series |
|
Ubuntu Dapper |
|
| 2009-04-06 04:22:33 |
Michael Casadevall |
nominated for series |
|
Ubuntu Gutsy |
|
| 2009-04-06 04:22:33 |
Michael Casadevall |
nominated for series |
|
Ubuntu Hardy |
|
| 2009-04-06 04:22:33 |
Michael Casadevall |
nominated for series |
|
Ubuntu Jaunty |
|
| 2009-04-06 04:22:33 |
Michael Casadevall |
nominated for series |
|
Ubuntu Intrepid |
|
| 2009-04-06 04:23:04 |
Michael Casadevall |
apt (Ubuntu): importance |
Undecided |
Medium |
|
| 2009-04-06 04:23:04 |
Michael Casadevall |
apt (Ubuntu): assignee |
|
mcasadevall |
|
| 2009-04-06 04:23:04 |
Michael Casadevall |
apt (Ubuntu): milestone |
|
ubuntu-9.04 |
|
| 2009-04-06 04:24:31 |
Michael Casadevall |
bug watch added |
|
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=433091 |
|
| 2009-04-06 04:24:31 |
Michael Casadevall |
bug task added |
|
apt (Debian) |
|
| 2009-04-06 04:25:45 |
Michael Casadevall |
description |
apt-get does not properly handle revoked or expired key signatures since it internally uses gpgv vs gpg to check signatures, and does not properly check for the error codes. It uses VALIDSIG to determine if a signature is valid, but this code can be given if the signature itself has expired, the signing key has expired, or the key has been revoked.
Steps to Reproduce:
1. Add a source with expired or revoked key to sources.list (or set the system clock far enough that a key appears to be expired)
2. Run apt-get update
3. No warning message is printed from apt-get.
I'm working on a bazaar branch to resolve this now by properly using gpg vs gpgv and checking the status messages from GPG. |
apt-get does not properly handle revoked or expired key signatures since it internally uses gpgv vs gpg to check signatures, and does not properly check for the error codes. It uses VALIDSIG to determine if a signature is valid, but this code can be given if the signature itself has expired, the signing key has expired, or the key has been revoked.
Steps to Reproduce:
1. Add a source with expired or revoked key to sources.list (or set the system clock far enough that a key appears to be expired)
2. Run apt-get update
3. No warning message is printed from apt-get.
I'm working on a bazaar branch to resolve this now by properly using gpg vs gpgv and checking the status messages from GPG.
The Debian bug linked does not include that revoked signatures are a problem. |
|
| 2009-04-06 04:25:45 |
Michael Casadevall |
tags |
|
apt gpg security |
|
| 2009-04-06 05:13:57 |
Kees Cook |
bug |
|
|
added subscriber Michael Vogt |
| 2009-04-06 13:03:13 |
Marc Deslauriers |
apt (Ubuntu): status |
New |
Confirmed |
|
| 2009-04-06 14:30:43 |
Michael Casadevall |
summary |
[SECURITY] APT does not properly hand expired or revoked key signatures |
[SECURITY] APT does not properly handle expired or revoked key signatures |
|
| 2009-04-06 18:23:55 |
Michael Casadevall |
branch linked |
|
lp:~mcasadevall/apt/debian-expire-revoked-gpg-keys |
|
| 2009-04-06 20:59:45 |
Kees Cook |
summary |
[SECURITY] APT does not properly handle expired or revoked key signatures |
APT does not properly handle expired or revoked key signatures |
|
| 2009-04-06 21:11:08 |
Michael Vogt |
attachment added |
|
crude test keys/sigs that I used to test in a chroot http://launchpadlibrarian.net/24907149/sig-test.tgz |
|
| 2009-04-07 12:23:15 |
Michael Vogt |
attachment added |
|
proposed fix http://launchpadlibrarian.net/24931982/gpgv.diff |
|
| 2009-04-09 21:37:41 |
Jamie Strandboge |
bug task added |
|
apt (Ubuntu Dapper) |
|
| 2009-04-09 21:37:52 |
Jamie Strandboge |
bug task added |
|
apt (Ubuntu Gutsy) |
|
| 2009-04-09 21:38:04 |
Jamie Strandboge |
bug task added |
|
apt (Ubuntu Hardy) |
|
| 2009-04-09 21:38:13 |
Jamie Strandboge |
bug task added |
|
apt (Ubuntu Jaunty) |
|
| 2009-04-09 21:38:32 |
Jamie Strandboge |
bug task added |
|
apt (Ubuntu Intrepid) |
|
| 2009-04-09 21:39:01 |
Jamie Strandboge |
apt (Ubuntu Dapper): status |
New |
Confirmed |
|
| 2009-04-09 21:39:03 |
Jamie Strandboge |
apt (Ubuntu Dapper): importance |
Undecided |
Medium |
|
| 2009-04-09 21:39:04 |
Jamie Strandboge |
apt (Ubuntu Gutsy): status |
New |
Confirmed |
|
| 2009-04-09 21:39:06 |
Jamie Strandboge |
apt (Ubuntu Gutsy): importance |
Undecided |
Medium |
|
| 2009-04-09 21:39:07 |
Jamie Strandboge |
apt (Ubuntu Hardy): status |
New |
Confirmed |
|
| 2009-04-09 21:39:08 |
Jamie Strandboge |
apt (Ubuntu Hardy): importance |
Undecided |
Medium |
|
| 2009-04-09 21:39:10 |
Jamie Strandboge |
apt (Ubuntu Intrepid): status |
New |
Confirmed |
|
| 2009-04-09 21:39:11 |
Jamie Strandboge |
apt (Ubuntu Intrepid): importance |
Undecided |
Medium |
|
| 2009-04-10 22:33:57 |
Jamie Strandboge |
attachment added |
|
desk_check.txt http://launchpadlibrarian.net/25225359/desk_check.txt |
|
| 2009-04-10 22:34:42 |
Jamie Strandboge |
apt (Ubuntu Dapper): assignee |
|
Jamie Strandboge (jdstrand) |
|
| 2009-04-10 22:34:43 |
Jamie Strandboge |
apt (Ubuntu Gutsy): assignee |
|
Jamie Strandboge (jdstrand) |
|
| 2009-04-10 22:34:45 |
Jamie Strandboge |
apt (Ubuntu Hardy): assignee |
|
Jamie Strandboge (jdstrand) |
|
| 2009-04-10 22:34:46 |
Jamie Strandboge |
apt (Ubuntu Intrepid): assignee |
|
Jamie Strandboge (jdstrand) |
|
| 2009-04-10 23:01:46 |
Jamie Strandboge |
attachment removed |
desk_check.txt http://launchpadlibrarian.net/25225359/desk_check.txt |
|
|
| 2009-04-10 23:03:03 |
Jamie Strandboge |
attachment added |
|
desk_check.txt http://launchpadlibrarian.net/25226047/desk_check.txt |
|
| 2009-04-17 04:20:16 |
Launchpad Janitor |
apt (Ubuntu Jaunty): status |
Confirmed |
Fix Released |
|
| 2009-04-17 16:05:07 |
Jamie Strandboge |
apt (Ubuntu Gutsy): status |
Confirmed |
Won't Fix |
|
| 2009-04-17 16:05:44 |
Jamie Strandboge |
apt (Ubuntu Dapper): status |
Confirmed |
Fix Committed |
|
| 2009-04-17 16:05:48 |
Jamie Strandboge |
apt (Ubuntu Hardy): status |
Confirmed |
Fix Committed |
|
| 2009-04-17 16:05:49 |
Jamie Strandboge |
apt (Ubuntu Intrepid): status |
Confirmed |
Fix Committed |
|
| 2009-04-17 16:14:36 |
Jamie Strandboge |
visibility |
private |
public |
|
| 2009-04-20 21:40:56 |
Jamie Strandboge |
apt (Ubuntu Dapper): status |
Fix Committed |
Fix Released |
|
| 2009-04-20 21:42:11 |
Jamie Strandboge |
apt (Ubuntu Hardy): status |
Fix Committed |
Fix Released |
|
| 2009-04-20 21:42:15 |
Jamie Strandboge |
apt (Ubuntu Intrepid): status |
Fix Committed |
Fix Released |
|
| 2009-04-26 15:44:20 |
Thijs Kinkhorst |
cve linked |
|
2009-1358 |
|
| 2009-12-05 16:22:27 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/apt |
|
| 2011-08-11 03:22:08 |
Bug Watch Updater |
apt (Debian): status |
Unknown |
Fix Released |
|
