Bug 497057 (CVE-2009-1358) - CVE-2009-1358 apt: incorrect gpg exit status checking when verifying repository signature
Summary: CVE-2009-1358 apt: incorrect gpg exit status checking when verifying reposito...
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2009-1358
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Dridi Boukelmoune
QA Contact:
URL: http://web.nvd.nist.gov/view/vuln/det...
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-04-22 08:09 UTC by Tomas Hoger
Modified: 2020-01-08 11:57 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-04-26 08:01:19 UTC


Attachments (Terms of Use)

Description Tomas Hoger 2009-04-22 08:09:07 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-1358 to the following vulnerability:

apt-get in apt before 0.7.21 does not check for the correct error code
from gpgv, which causes apt to treat a repository as valid even when
it has been signed with a key that has been revoked or expired, which
might allow remote attackers to trick apt into installing malicious
repositories. 

References:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/356012

Comment 1 Tomas Hoger 2009-04-22 08:13:41 UTC
I must admit I'm not too familiar with apt usage on Fedora, so I'm not sure if Fedora apt repo files are signed already, so whether this may be an issue.  Axel, Panu, you're more likely to know whether we need fixing this.  Feel free to close this bug if we do not need to care about this.

Comment 2 Axel Thimm 2009-04-22 10:56:35 UTC
(In reply to comment #1)
> so I'm not sure if Fedora apt repo files are signed already

Fedora repos are repomd, I think the bug report/CVE refers to what in the rpm-world we would call legacy apt repos. AFAIK they are still valid, but probably no Fedora repo maintainer uses them anymore.

Anyway I'll pass to Panu, maybe the code in question has been copied over to other places for verifying rpm-related signatures and this could help fixing these.

Comment 3 Vincent Danen 2010-04-09 21:19:31 UTC
Is this at all an issue for us?  It has been almost a year since the last comment, and I suspect that with apt-rpm supporting repomd for such a long time that there should be no "legacy" apt repositories in use.  But has this been corrected in upstream apt-rpm or not?

I'd like to close this bug if it is not an issue in current Fedora releases.  Thanks.

Comment 4 Panu Matilainen 2015-08-10 09:46:22 UTC
Uhm, just stumbled on this fossilized insect...

Apt-rpm has been dead and unmaintained upstream for several years and I've blissfully forgotten most everything about it. Apt-rpm does not support repository signature check on repomd repos so it cannot very well suffer from incorrect gpg exit status when doing so, whether the "apt native" repositories are affected and I dont know/remember.

Reassigning to new Fedora maintainer. I recommended letting it die in Fedora  (due to the upstream situation), but if somebody really wants to burn their extra cycles maintaining the beast its none of my business really.


Note You need to log in before you can comment on or make changes to this bug.