Bug 497057 (CVE-2009-1358)
| Field | Value |
|---|---|
| Summary | CVE-2009-1358 apt: incorrect gpg exit status checking when verifying repository signature |
| Product | [Other] Security Response |
| Reporter | Tomas Hoger <thoger> |
| Component | vulnerability |
| Assignee | Dridi Boukelmoune <dridi.boukelmoune> |
| Status | CLOSED WONTFIX |
| QA Contact | |
| Severity | medium |
| Docs Contact | |
| Priority | medium |
| Version | unspecified |
| CC | axel.thimm, security-response-team, vdanen |
| Target Milestone | --- |
| Keywords | Security |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| URL | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1358 |
| Whiteboard | |
| Fixed In Version | |
| Doc Type | Bug Fix |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2019-04-26 08:01:19 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
Description
Tomas Hoger
2009-04-22 08:09:07 UTC
I must admit I'm not too familiar with apt usage on Fedora, so I'm not sure if Fedora apt repo files are signed already, and so whether this may be an issue. Axel, Panu, you're more likely to know whether we need to fix this. Feel free to close this bug if we do not need to care about this.

(In reply to comment #1)
> so I'm not sure if Fedora apt repo files are signed already

Fedora repos are repomd; I think the bug report/CVE refers to what in the rpm world we would call legacy apt repos. AFAIK they are still valid, but probably no Fedora repo maintainer uses them anymore. Anyway, I'll pass to Panu; maybe the code in question has been copied over to other places for verifying rpm-related signatures, and this could help fixing these.

Is this at all an issue for us? It has been almost a year since the last comment, and I suspect that with apt-rpm supporting repomd for such a long time there should be no "legacy" apt repositories in use. But has this been corrected in upstream apt-rpm or not? I'd like to close this bug if it is not an issue in current Fedora releases. Thanks.

Uhm, just stumbled on this fossilized insect... Apt-rpm has been dead and unmaintained upstream for several years and I've blissfully forgotten most everything about it. Apt-rpm does not support repository signature checks on repomd repos, so it cannot very well suffer from incorrect gpg exit status checking when doing so; whether the "apt native" repositories are affected I don't know/remember. Reassigning to the new Fedora maintainer. I recommended letting it die in Fedora (due to the upstream situation), but if somebody really wants to burn their extra cycles maintaining the beast, it's none of my business really.