apt-get source fails to warn on unauthenticated packages

Bug #1329274 reported by Michael Vogt
Affects          Status        Importance  Assigned to        Milestone
APT              Fix Released  Unknown
apt (Ubuntu)     Fix Released  High        Michael Vogt
  Lucid          Fix Released  Medium      Marc Deslauriers
  Precise        Fix Released  Medium      Marc Deslauriers
  Saucy          Fix Released  Medium      Marc Deslauriers
  Trusty         Fix Released  Medium      Marc Deslauriers
  Utopic         Fix Released  High        Michael Vogt

Bug Description

apt-get source foo will not warn if the repository that foo belongs to has no signature attached.

It should fail in this case - this is CVE-2014-0478
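
Added example (not code from the apt project, from this bug's patches, or from the reporter): a Python audit that walks an apt lists directory and reports which source indexes belong to a suite with no verified signature beside it, which is exactly the situation in which the unfixed apt-get source fetched a source package without complaint. The script assumes apt's lists naming scheme `<host>_<path>_dists_<suite>_<component>_source_Sources`, with the suite's signature stored as `<...>_dists_<suite>_InRelease` (inline signed) or as `<...>_dists_<suite>_Release` plus `_Release.gpg` (detached); the sample lists directory is constructed in a temporary directory; and the `source_fetch_decision` policy is this example's reading of the description ("it should fail"), not a description of which apt-get options the fix honours. The check is a file-system heuristic: a signature file sitting next to an index does not by itself prove that apt's verification of it succeeded, so treat a "authenticated" result as an assumption to be confirmed against the warnings apt-get update itself prints.

```python
"""Audit an apt lists directory for source indexes whose suite carries no
signature file, the condition behind CVE-2014-0478 for apt-get source.

Assumptions (this example's, not apt's documented layout):
  <host>_<path>_dists_<suite>_<component>_source_Sources   source index
  <host>_<path>_dists_<suite>_InRelease                     inline-signed Release
  <host>_<path>_dists_<suite>_Release + _Release.gpg        detached signature
A source index with neither signature form is reported as unauthenticated.
"""
import os
import tempfile

SOURCES_SUFFIX = "_source_Sources"


def suite_prefix(index_name):
    """Map '<...>_dists_<suite>_<component>_source_Sources' to '<...>_dists_<suite>'.

    Splitting from the right keeps suites such as 'stable_updates' (apt's
    encoding of 'stable/updates') intact. A component name containing an
    underscore would be mis-split; that is an accepted limitation here.
    """
    if not index_name.endswith(SOURCES_SUFFIX):
        return None
    stem = index_name[: -len(SOURCES_SUFFIX)]   # <...>_dists_<suite>_<component>
    prefix, _component = stem.rsplit("_", 1)
    if "_dists_" not in prefix:
        return None                             # flat repositories are out of scope
    return prefix


def suite_is_signed(lists_dir, prefix):
    """True if a signature file for the suite is present in lists_dir (heuristic)."""
    def present(tail):
        return os.path.exists(os.path.join(lists_dir, prefix + tail))
    return present("_InRelease") or (present("_Release") and present("_Release.gpg"))


def audit_source_indexes(lists_dir):
    """Return {sources_index_filename: authenticated_bool} for every source index."""
    report = {}
    for name in sorted(os.listdir(lists_dir)):
        prefix = suite_prefix(name)
        if prefix is not None:
            report[name] = suite_is_signed(lists_dir, prefix)
    return report


def source_fetch_decision(authenticated, allow_unauthenticated=False):
    """Policy the bug asks for: never fetch an unauthenticated source silently.

    'fail' follows the description ("it should fail"). The explicit override
    that warns and continues is an assumption of this example, not a claim
    about which apt-get option provides it.
    """
    if authenticated:
        return "fetch"
    if allow_unauthenticated:
        return "warn-and-fetch"
    return "fail"


def build_demo_lists_dir():
    """Constructed stand-in for /var/lib/apt/lists/: an inline-signed suite,
    a detached-signature suite, and a PPA-style suite whose Release is unsigned.
    The files are empty; only their names matter to the audit."""
    lists_dir = tempfile.mkdtemp(prefix="apt-lists-demo-")
    names = [
        "archive.ubuntu.com_ubuntu_dists_trusty_InRelease",
        "archive.ubuntu.com_ubuntu_dists_trusty_main_source_Sources",
        "archive.ubuntu.com_ubuntu_dists_trusty_main_binary-amd64_Packages",
        "security.ubuntu.com_ubuntu_dists_trusty-security_Release",
        "security.ubuntu.com_ubuntu_dists_trusty-security_Release.gpg",
        "security.ubuntu.com_ubuntu_dists_trusty-security_main_source_Sources",
        "ppa.launchpad.net_example_ppa_ubuntu_dists_trusty_Release",
        "ppa.launchpad.net_example_ppa_ubuntu_dists_trusty_main_source_Sources",
    ]
    for name in names:
        open(os.path.join(lists_dir, name), "w").close()
    return lists_dir


if __name__ == "__main__":
    demo = build_demo_lists_dir()
    for index, ok in audit_source_indexes(demo).items():
        label = "authenticated  " if ok else "UNAUTHENTICATED"
        print(label, index, "->", source_fetch_decision(ok))
```

Run it against a real system by replacing build_demo_lists_dir() with "/var/lib/apt/lists"; any index reported as UNAUTHENTICATED is one for which an unpatched apt-get source would have downloaded and unpacked a source package without any warning.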

Tags: patch
Michael Vogt (mvo)
Changed in apt (Ubuntu):
importance: Undecided → High
assignee: nobody → Michael Vogt (mvo)
status: New → In Progress
information type: Public → Public Security
description: updated
Changed in apt:
status: Unknown → New
tags: added: patch
Changed in apt:
status: New → Fix Released
Changed in apt (Ubuntu Lucid):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in apt (Ubuntu Precise):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in apt (Ubuntu Saucy):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in apt (Ubuntu Trusty):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in apt (Ubuntu Lucid):
status: New → Confirmed
importance: Undecided → Medium
Changed in apt (Ubuntu Precise):
status: New → Confirmed
importance: Undecided → Medium
Changed in apt (Ubuntu Saucy):
status: New → Confirmed
importance: Undecided → Medium
Changed in apt (Ubuntu Trusty):
status: New → Confirmed
importance: Undecided → Medium
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apt - 0.9.9.1~ubuntu3.2

---------------
apt (0.9.9.1~ubuntu3.2) saucy-security; urgency=low

  * SECURITY UPDATE: incorrect apt-get source validation (LP: #1329274)
    - warn if not authenticated in cmdline/apt-get.cc, added regression
      test to test/integration/test-apt-get-source-authenticated,
      test/integration/framework.
    - CVE-2014-0478
 -- Michael Vogt <email address hidden> Thu, 12 Jun 2014 14:02:26 +0200

Changed in apt (Ubuntu Saucy):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apt - 1.0.1ubuntu2.1

---------------
apt (1.0.1ubuntu2.1) trusty-security; urgency=low

  * SECURITY UPDATE: incorrect apt-get source validation (LP: #1329274)
    - warn if not authenticated in apt-private/private-download.*,
      cmdline/apt-get.cc, added regression test to
      test/integration/test-apt-get-source-authenticated.
    - CVE-2014-0478
 -- Michael Vogt <email address hidden> Thu, 12 Jun 2014 13:57:38 +0200

Changed in apt (Ubuntu Trusty):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apt - 0.8.16~exp12ubuntu10.17

---------------
apt (0.8.16~exp12ubuntu10.17) precise-security; urgency=low

  * SECURITY UPDATE: incorrect apt-get source validation (LP: #1329274)
    - warn if not authenticated in cmdline/apt-get.cc, added regression
      test to test/integration/test-apt-get-source-authenticated,
      test/integration/framework.
    - CVE-2014-0478
 -- Michael Vogt <email address hidden> Thu, 12 Jun 2014 14:12:19 +0200

Changed in apt (Ubuntu Precise):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apt - 0.7.25.3ubuntu9.15

---------------
apt (0.7.25.3ubuntu9.15) lucid-security; urgency=low

  * SECURITY UPDATE: incorrect apt-get source validation (LP: #1329274)
    - warn if not authenticated in cmdline/apt-get.cc.
    - CVE-2014-0478
 -- Michael Vogt <email address hidden> Thu, 12 Jun 2014 15:10:43 +0200

Changed in apt (Ubuntu Lucid):
status: Confirmed → Fix Released
TheoB (theo-y) wrote :

I don't know why I landed up here. The PC tells me there are updates and then it refuses to install the updates. I'm told to check my connection but my connection is solid!!!

Thank you
Theo

Michael Vogt (mvo)
Changed in apt (Ubuntu Utopic):
status: In Progress → Fix Released
Forest Bond (forest-bond) wrote :

Question: Why are --force-yes and --assume-yes not honored as they are when checking authenticity of binaries?

Marc Deslauriers (mdeslaur) wrote :

@ Forest Bond: Please file a new bug, this bug is closed.

Forest Bond (forest-bond) wrote :

Or at least just --force-yes. --assume-yes is not sufficient to bypass the authenticity check without a prompt. I gather there is a desire to avoid prompting.
