Common Vulnerabilities and Exposures assigned an identifier CVE-2009-1358 to the following vulnerability: apt-get in apt before 0.7.21 does not check for the correct error code from gpgv, which causes apt to treat a repository as valid even when it has been signed with a key that has been revoked or expired, which might allow remote attackers to trick apt into installing malicious repositories. References: https://bugs.launchpad.net/ubuntu/+source/apt/+bug/356012
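As an added illustration of the check this CVE is about (not code from apt or apt-rpm): a Python helper that decides trust from gpgv's `--status-fd` lines rather than from its exit code alone, exercised on constructed status output for the good, revoked-key and expired-key cases. The status keywords and the `gpgv --status-fd 1 --keyring` invocation are assumed to match GnuPG's documented interface; the key id and status lines are made up.

```python
import subprocess
from typing import List, Tuple

# gpgv --status-fd keywords that must each cause rejection on their own.
# Assumed to follow the keyword list in GnuPG's DETAILS documentation.
REJECT_TAGS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG",
               "NO_PUBKEY", "NODATA", "UNEXPECTED", "KEYREVOKED", "KEYEXPIRED"}

def evaluate_gpgv_status(exit_code: int, status_output: str) -> Tuple[bool, List[str]]:
    """Decide whether one gpgv run proves a repository file is validly signed.

    Returns (trusted, reasons). Trust requires a GOODSIG status line, no
    rejecting status line, and exit code 0. Relying on the exit code alone is
    the mistake behind CVE-2009-1358: a signature made with a revoked or
    expired key must be refused even when the exit code is misread as success.
    """
    reasons: List[str] = []
    good_sig = False
    for line in status_output.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue  # gpgv may interleave human-readable text; ignore it
        fields = line.split()
        tag = fields[1]
        detail = fields[2] if len(fields) > 2 else ""
        if tag == "GOODSIG":
            good_sig = True
        elif tag in REJECT_TAGS:
            reasons.append(f"{tag} {detail}".strip())
    if not good_sig:
        reasons.append("no GOODSIG line")
    if exit_code != 0:
        reasons.append(f"gpgv exit code {exit_code}")
    return (not reasons, reasons)

def verify_release_file(keyring: str, sig_path: str, data_path: str) -> Tuple[bool, List[str]]:
    """Run gpgv on a detached signature and evaluate its status lines."""
    proc = subprocess.run(
        ["gpgv", "--status-fd", "1", "--keyring", keyring, sig_path, data_path],
        capture_output=True, text=True, check=False)
    return evaluate_gpgv_status(proc.returncode, proc.stdout)

# Constructed, abbreviated status output (not captured from a real gpgv run).
GOOD_STATUS = ("[GNUPG:] NEWSIG\n"
               "[GNUPG:] GOODSIG 0123456789ABCDEF Example Repo <repo@example.invalid>\n"
               "[GNUPG:] VALIDSIG 0123456789ABCDEF 2009-04-20 1240200000 0 4 0 1 2 00\n")
REVOKED_STATUS = ("[GNUPG:] NEWSIG\n"
                  "[GNUPG:] REVKEYSIG 0123456789ABCDEF Example Repo <repo@example.invalid>\n"
                  "[GNUPG:] VALIDSIG 0123456789ABCDEF 2009-04-20 1240200000 0 4 0 1 2 00\n")
EXPIRED_STATUS = ("[GNUPG:] NEWSIG\n"
                  "[GNUPG:] EXPKEYSIG 0123456789ABCDEF Example Repo <repo@example.invalid>\n")
```

The revoked case deliberately pairs a REVKEYSIG line with exit code 0 to show that the status lines, not the exit code, carry the decision.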
I must admit I'm not too familiar with apt usage on Fedora, so I'm not sure if Fedora apt repo files are signed already, and so whether this may be an issue. Axel, Panu, you're more likely to know whether we need to fix this. Feel free to close this bug if we do not need to care about this.
(In reply to comment #1)
> so I'm not sure if Fedora apt repo files are signed already

Fedora repos are repomd; I think the bug report/CVE refers to what in the rpm world we would call legacy apt repos. AFAIK they are still valid, but probably no Fedora repo maintainer uses them anymore. Anyway, I'll pass this to Panu; maybe the code in question has been copied over to other places for verifying rpm-related signatures, and this could help fix those.
Is this at all an issue for us? It has been almost a year since the last comment, and I suspect that with apt-rpm supporting repomd for such a long time that there should be no "legacy" apt repositories in use. But has this been corrected in upstream apt-rpm or not? I'd like to close this bug if it is not an issue in current Fedora releases. Thanks.
Uhm, just stumbled on this fossilized insect... Apt-rpm has been dead and unmaintained upstream for several years and I've blissfully forgotten most everything about it. Apt-rpm does not support repository signature checks on repomd repos, so it cannot very well suffer from an incorrect gpg exit status when doing so; whether the "apt native" repositories are affected, I don't know/remember. Reassigning to the new Fedora maintainer. I recommended letting it die in Fedora (due to the upstream situation), but if somebody really wants to burn their extra cycles maintaining the beast, it's none of my business really.