Treats partial InRelease signature as verifying the entire file
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
apt (Ubuntu) | Fix Released | Critical | Unassigned |
Natty | Fix Released | Critical | Unassigned |
Oneiric | Fix Released | Critical | Unassigned |
Bug Description
Binary package hint: apt
apt's inline signature verification for InRelease is broken: it treats any signature in the file as validating the whole file. It's also fairly liberal when parsing the content of such files, apparently ignoring everything after the first blank line.
Combined, these two behaviours allow an attacker to turn an arbitrary Release file into a valid, signed InRelease file by appending a blank line and a valid inline signed message from a trusted key. I've tested by appending http://
CVE References
Changed in apt (Ubuntu):
status: New → Confirmed
importance: Undecided → Critical
visibility: private → public
David was kind enough to provide a patch for this bug.

Apt will now ensure that the InRelease file starts with a "-----BEGIN PGP SIGNED MESSAGE-----" header. Apt already discards everything after the second ^---- line in an InRelease file, so this ensures that only the part between the header line and the tail is used. The way I read RFC 2440 is that we can be sure that gpgv checks this message. This still allows adding junk after the tail PGP lines, but that does not matter as apt discards it. Ideally we would use gpg --output, but unfortunately gpgv does not provide this option.

Alternatively we could simply disable InRelease entirely in natty (it's not used currently by Ubuntu).
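The following is an added example, not apt's source, the reporter's test file, or David's patch. It models the two behaviours this report and the fix comment describe: the pre-fix loader reads the Release stanza from the first blank-line-terminated block (after skipping a leading armor header, and dropping everything from the second ^---- line on), while the signature, as gpgv checks it, only covers the text inside the clearsigned block (RFC 2440 section 7, including unescaping of dash-escaped lines, which the page does not discuss). The fixed loader requires the clearsign header on the first line and parses only the text between that header and the signature tail, so the bytes it uses are the bytes the signature covers. Signature cryptography is not modelled: `gpgv_covered_text` stands in for gpgv and is assumed to report the block as signed by a trusted key. Both InRelease samples are constructed here, with placeholder signature data; the file names and hashes in them are invented.

```python
from typing import Dict, Optional

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"


def parse_stanza(text: str) -> Dict[str, str]:
    """Minimal RFC 822-style stanza parser: 'Key: value' lines, continuation
    lines indented with whitespace; the stanza ends at the first blank line."""
    fields: Dict[str, str] = {}
    key = None
    for line in text.split("\n"):
        if line == "":
            break
        if line[0] in " \t" and key is not None:
            fields[key] += "\n" + line.strip()
        elif ":" in line:
            key, _, value = line.partition(":")
            fields[key] = value.strip()
    return fields


def gpgv_covered_text(data: str) -> Optional[str]:
    """The text a clearsign signature actually covers (RFC 2440 section 7):
    anything before the BEGIN line is skipped, the armor header lines
    ("Hash: ...") up to the first blank line are dropped, and the text ends at
    the signature armor.  Dash-escaped lines ("- foo") are unescaped.  Returns
    None when there is no complete clearsigned block.  Stand-in for gpgv:
    the signature itself is assumed valid for this text (assumption)."""
    lines = data.split("\n")
    if BEGIN_SIGNED not in lines:
        return None
    i = lines.index(BEGIN_SIGNED) + 1
    while i < len(lines) and lines[i] != "":
        i += 1                      # skip armor headers
    i += 1                          # skip the blank separator line
    body = []
    while i < len(lines) and lines[i] != BEGIN_SIG:
        body.append(lines[i][2:] if lines[i].startswith("- ") else lines[i])
        i += 1
    if i >= len(lines):
        return None                 # header without a signature tail
    return "\n".join(body)


def load_vulnerable(data: str) -> Optional[Dict[str, str]]:
    """Pre-fix behaviour as reported: gpgv is run over the whole file and any
    clearsigned block in it counts as 'good', while the Release fields come
    from the first stanza of the file (after a leading armor header, if any),
    everything from the second ^---- line onward being discarded."""
    if gpgv_covered_text(data) is None:
        return None                 # gpgv found nothing to verify
    lines = data.split("\n")
    dashes = [i for i, l in enumerate(lines) if l.startswith("----")]
    if len(dashes) >= 2:
        lines = lines[:dashes[1]]
    if lines and lines[0] == BEGIN_SIGNED:
        lines = lines[lines.index("") + 1:]
    return parse_stanza("\n".join(lines))


def load_fixed(data: str) -> Optional[Dict[str, str]]:
    """Fixed behaviour: the file must start with the clearsign header, and only
    the text between that header and the signature tail is parsed, i.e. exactly
    the text the signature covers.  Junk after the tail is harmless."""
    if not data.startswith(BEGIN_SIGNED + "\n"):
        return None
    signed = gpgv_covered_text(data)
    if signed is None:
        return None
    return parse_stanza(signed)


# Constructed sample: a genuine InRelease from the archive key (signature
# bytes are a placeholder; assume gpgv reports it as good).
GENUINE_INRELEASE = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Origin: Ubuntu
Suite: natty
MD5Sum:
 d41d8cd98f00b204e9800998ecf8427e 0 main/binary-i386/Packages
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

(signature data omitted)
-----END PGP SIGNATURE-----
"""

# Constructed attacker Release pointing at a Packages file of the attacker's
# choosing, with a blank line and the genuine signed message appended.
MALICIOUS_RELEASE = """Origin: Ubuntu
Suite: natty
MD5Sum:
 0123456789abcdef0123456789abcdef 4242 main/binary-i386/Packages
"""
FORGED_INRELEASE = MALICIOUS_RELEASE + "\n" + GENUINE_INRELEASE


if __name__ == "__main__":
    print("signature covers:", repr(gpgv_covered_text(FORGED_INRELEASE)))
    print("pre-fix apt used:", load_vulnerable(FORGED_INRELEASE))
    print("fixed apt used:  ", load_fixed(FORGED_INRELEASE))
```

Running it shows the mismatch at the heart of the report: `gpgv_covered_text` returns the genuine stanza for both files, so a gpgv-style check passes on the forged file, yet `load_vulnerable` hands back the attacker's MD5Sum entry. `load_fixed` rejects the forged file outright because its first line is not the clearsign header, still accepts the genuine file with junk appended after the tail, and for an accepted file parses precisely the bytes the signature covers.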