Bug 497057 (CVE-2009-1358)

Summary: CVE-2009-1358 apt: incorrect gpg exit status checking when verifying repository signature
Product: [Other] Security Response
Component: vulnerability
Reporter: Tomas Hoger <thoger>
Assignee: Dridi Boukelmoune <dridi.boukelmoune>
Status: CLOSED WONTFIX
Severity: medium
Priority: medium
Version: unspecified
CC: axel.thimm, security-response-team, vdanen
Keywords: Security
Hardware: All
OS: Linux
URL: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1358
Doc Type: Bug Fix
Last Closed: 2019-04-26 08:01:19 UTC

Description Tomas Hoger 2009-04-22 08:09:07 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-1358 to the following vulnerability:

apt-get in apt before 0.7.21 does not check for the correct error code
from gpgv, which causes apt to treat a repository as valid even when
it has been signed with a key that has been revoked or expired, which
might allow remote attackers to trick apt into installing malicious
repositories. 

References:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/356012
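An added illustration of the check the CVE text describes (this is example code, not apt's or apt-rpm's own gpgv method): a small Python verifier that treats a gpgv run as proof of a valid signature only when the exit status is zero, a GOODSIG was reported, and no expired-key, revoked-key, bad-signature or missing-key status line appeared. The status keywords are GnuPG's documented --status-fd keywords; the sample status lines, key id and exit codes are constructed, and `classify` and `verify_release` are assumed names.

```python
import subprocess
from dataclasses import dataclass, field

# Keywords gpgv emits on --status-fd (GnuPG doc/DETAILS).  Any keyword in
# FATAL means the signature must not be trusted, whatever else was printed.
GOOD = "GOODSIG"
FATAL = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}

# Constructed sample status output; the key id and user id are made up.
SAMPLE_GOOD = "[GNUPG:] GOODSIG 0123456789ABCDEF Example Repo <repo@example.org>\n"
SAMPLE_EXPIRED = "[GNUPG:] EXPKEYSIG 0123456789ABCDEF Example Repo <repo@example.org>\n"
SAMPLE_REVOKED = "[GNUPG:] REVKEYSIG FEDCBA9876543210 Old Repo <old@example.org>\n"


@dataclass
class Verdict:
    valid: bool
    good_keys: list = field(default_factory=list)
    problems: list = field(default_factory=list)


def classify(status_output: str, exit_code: int) -> Verdict:
    """Valid only if gpgv exited 0 AND a GOODSIG was seen AND nothing fatal
    appeared.  Relying on the exit status alone, or on the presence of a
    GOODSIG line alone, is the incomplete check the CVE text describes."""
    good, problems = [], []
    for line in status_output.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue                      # gpgv's human-readable chatter
        parts = line.split()
        keyword = parts[1]
        if keyword == GOOD:
            good.append(parts[2])         # long key id or fingerprint
        elif keyword in FATAL:
            problems.append(keyword)
    if exit_code != 0:
        problems.append("EXIT_STATUS_%d" % exit_code)
    return Verdict(valid=(not problems and bool(good)),
                   good_keys=good, problems=problems)


def verify_release(keyring: str, signature: str, data: str) -> Verdict:
    """Run gpgv on a detached signature and classify its status output."""
    proc = subprocess.run(
        ["gpgv", "--status-fd", "1", "--keyring", keyring, signature, data],
        capture_output=True, text=True, check=False)
    return classify(proc.stdout, proc.returncode)
```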

Comment 1 Tomas Hoger 2009-04-22 08:13:41 UTC
I must admit I'm not too familiar with apt usage on Fedora, so I'm not sure if Fedora apt repo files are signed already, so whether this may be an issue. Axel, Panu, you're more likely to know whether we need to fix this. Feel free to close this bug if we do not need to care about this.

Comment 2 Axel Thimm 2009-04-22 10:56:35 UTC
(In reply to comment #1)
> so I'm not sure if Fedora apt repo files are signed already

Fedora repos are repomd, I think the bug report/CVE refers to what in the rpm-world we would call legacy apt repos. AFAIK they are still valid, but probably no Fedora repo maintainer uses them anymore.

Anyway, I'll pass to Panu; maybe the code in question has been copied over to other places for verifying rpm-related signatures and this could help fix these.

Comment 3 Vincent Danen 2010-04-09 21:19:31 UTC
Is this at all an issue for us?  It has been almost a year since the last comment, and I suspect that with apt-rpm supporting repomd for such a long time that there should be no "legacy" apt repositories in use.  But has this been corrected in upstream apt-rpm or not?

I'd like to close this bug if it is not an issue in current Fedora releases.  Thanks.

Comment 4 Panu Matilainen 2015-08-10 09:46:22 UTC
Uhm, just stumbled on this fossilized insect...

Apt-rpm has been dead and unmaintained upstream for several years and I've blissfully forgotten most everything about it. Apt-rpm does not support repository signature checks on repomd repos, so it cannot very well suffer from incorrect gpg exit status checking when doing so; whether the "apt native" repositories are affected I don't know/remember.

Reassigning to new Fedora maintainer. I recommended letting it die in Fedora (due to the upstream situation), but if somebody really wants to burn their extra cycles maintaining the beast, it's none of my business really.