The code for add-apt-repository is in ppa.py from the software-properties
package, not the apt package.
** No longer affects: software-properties (Ubuntu Hardy)
** No longer affects: apt (Ubuntu)
** No longer affects: apt (Ubuntu Hardy)
** No longer affects: apt (Ubuntu Precise)
** No longer a
lucid has seen the end of its life and is no longer receiving any
updates. Marking the lucid task for this ticket as "Won't Fix".
** Changed in: apt (Ubuntu Lucid)
Status: Confirmed => Won't Fix
** Changed in: apt (Ubuntu Quantal)
Status: Triaged => Won't Fix
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1016643
Title:
add-apt-repository downloads gpg key in an insecure fashion
To m
** Changed in: apt (Ubuntu Oneiric)
Status: Confirmed => Won't Fix
** Branch linked: lp:debian/python-apt
** Tags added: rls-q-notfixing
Michael, given that software-properties has been SRUed, is there
actually anything further that needs changed in apt?
** Changed in: apt (Ubuntu Quantal)
Assignee: (unassigned) => Michael Vogt (mvo)
** Branch linked: lp:ubuntu/python-apt
** Branch linked: lp:ubuntu/software-properties
This bug was fixed in the package software-properties - 0.92.8
---
software-properties (0.92.8) quantal; urgency=low
* lp:~mvo/software-properties/recv-key-lp1016643:
- ensure fingerprint check after recv-key (LP: #1016643)
-- Michael Vogt  Mon, 01 Oct 2012 19:33:35 +0200
**
** Branch linked: lp:ubuntu/lucid-updates/software-properties
** Branch linked: lp:ubuntu/oneiric-updates/software-properties
** Branch linked: lp:ubuntu/natty-security/software-properties
** Branch linked: lp:ubuntu/oneiric-security/software-properties
** Branch linked: lp:ubuntu/precise-security/software-properties
This bug was fixed in the package software-properties - 0.81.13.5
---
software-properties (0.81.13.5) oneiric-security; urgency=low
* SECURITY UPDATE: improve gpg key validation to prevent MITM attack
(LP: #1016643)
- softwareproperties/ppa.py: download gpg key to temporary
This bug was fixed in the package software-properties - 0.80.9.2
---
software-properties (0.80.9.2) natty-security; urgency=low
* SECURITY UPDATE: improve gpg key validation to prevent MITM attack
(LP: #1016643)
- softwareproperties/ppa.py: download gpg key to temporary keyr
This bug was fixed in the package software-properties - 0.75.10.3
---
software-properties (0.75.10.3) lucid-security; urgency=low
* SECURITY UPDATE: improve gpg key validation to prevent MITM attack
(LP: #1016643)
- softwareproperties/ppa.py: download gpg key to temporary ke
This bug was fixed in the package software-properties - 0.82.7.3
---
software-properties (0.82.7.3) precise-security; urgency=low
* SECURITY UPDATE: improve gpg key validation to prevent MITM attack
(LP: #1016643)
- softwareproperties/ppa.py: download gpg key to temporary ke
I pushed branches based on the lp:~mvo/software-properties/recv-key-lp1016643-precise
branch for lucid, natty and oneiric now too, and updated the branch
in quantal to have better tests.
** Changed in: software-properties (Ubuntu Hardy)
Status: Confirmed => Invalid
** Changed in: software-properties (Ubuntu Quantal)
Status: Invalid => Confirmed
** Changed in: software-properties (Ubuntu Precise)
Status: Invalid => Confirmed
** Changed in: software-properties (Ubuntu Oneiric)
Status: Invalid => Confirmed
** Changed in: software-properti
** Branch linked: lp:~mvo/software-properties/recv-key-lp1016643-precise
I'm glad to see you rejecting the short keyid.
If you're doing this work to make the apt-key fetching possibilities
cryptographically sound, please rely only on full OpenPGPv4
fingerprints, not on the long keyid. And ensure that the received key
is an OpenPGP v4 key, since v3 fingerprints are the
I looked into g10/keyserver.c a bit and had hoped that
import_keys_stream() there could be used to test if the fingerprints
match the expected fingerprints, but it seems that the fpr/fpr_len
arguments will only be set to the fingerprint of the last key imported. So
I need to check something else, mayb
I added a branch for software-properties and its ppa.py helper at
lp:~mvo/software-properties/recv-key-lp1016643
@Daniel Leidert: Thanks for this suggestion, I added issue #1444
(https://bugs.g10code.com/gnupg/msg4421) upstream asking for a mode for
--recv-key that verifies that the downloaded key matches the expected
key.
For the workaround in apt-key I did a proof of concept here:
lp:~mvo/apt/apt-key-recv-lp1016643 that shows what I have in mind. It has the
added benefit that it will no longer support short keyids for --recv.
The basic idea is that if adv with --recv{,-keys} is given it will
intercept and download
Using the gnupg maintainer hat: Please discuss your proposed changes to
gnupg(2) with its upstream.
Looking into this a bit I think we have various options:
- switch to hkps by default in apt-key for the keyserver requests in apt-key
and refuse to do hkp
- change gnupg to reject if a downloaded key is of a different keyid than the
requested key [1]
- add code to apt-key to check/fixup the comma
We can't really use the traditional web of trust. I trust some Launchpad
PPAs, but not others, so I can't just trust any key that Launchpad has
signed. The only thing add-apt-repository could do is use a local key to
automatically sign when someone requests that a new repository be added,
which isn
** Changed in: apt (Ubuntu Quantal)
Importance: Undecided => High
** Changed in: apt (Ubuntu Quantal)
Status: Confirmed => Triaged
** Changed in: apt (Ubuntu Precise)
Importance: Undecided => High
** Changed in: apt (Ubuntu Precise)
Status: Confirmed => Triaged
dkg0: you're right, thanks.
zooko, i'm pretty sure you want your comment 6 (above) to follow up on
https://launchpad.net/bugs/815480 , not on this bug report.
By the way, this patch replaced a regexp with json.loads():
http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/quantal/software-
properties/quantal/revision/77
That was good, because a regexp could have been vulnerable to some sort
of xss/injection sort of problem. But, the patch mistakenly left
Ah yes, apt-key still needs a fix to validate the downloaded key.
Reopening.
I wish we could actually validate the web of trust on PPA keys instead
of solely relying on key ids though.
** Also affects: apt (Ubuntu)
Importance: Undecided
Status: New
** Changed in: apt (Ubuntu Hardy)
I don't think this bug is fixed. It looks to me like the keyserver
operator (or anyone who can MITM the keyserver) can still inject
arbitrary keys here.
/usr/share/pyshared/softwareproperties/ppa.py appears to run "apt-key
adv --keyserver $whatever --recv $fingerprint"
and "apt-key adv" is just
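The report above is that `apt-key adv --recv` imports whatever the keyserver answers with, so a keyserver operator or MITM can hand back a different key. The fix described later in the thread (download the key to a temporary keyring, then "ensure fingerprint check after recv-key") and dkg's requirement that only full OpenPGP v4 fingerprints be accepted, not short or long key ids, are shown together below. This is an added example and not Ubuntu's ppa.py or any of the branches linked in this bug; the function names, the exact gpg invocation and the `--with-colons` listings are this example's own constructed sample data.

```python
"""Verified keyserver receive, as an added example (not Ubuntu's ppa.py).

Shape of the fix: receive the key into a throwaway GnuPG home, list it with
--with-colons, refuse anything that is not exactly the requested full v4
fingerprint, and only then export/import it into the trusted keyring.
"""
import os
import re
import subprocess
import tempfile

# A full OpenPGP v4 fingerprint is 40 hex digits. 8- and 16-digit key ids
# are truncations of it, and v3 fingerprints are 32 MD5 hex digits, so all
# of those are refused as the identifier to fetch by.
V4_FINGERPRINT_RE = re.compile(r"^[0-9A-F]{40}$")

# Constructed `gpg --with-colons --with-fingerprint --list-keys` output
# (not real keyserver data): one primary key plus an encryption subkey.
PRIMARY_FPR = "ABCDEF0123456789ABCDEF0123456789ABCDEF01"
GOOD_LISTING = "\n".join([
    "pub:-:4096:1:ABCDEF0123456789:1349097600::-:::scESC:",
    "fpr:::::::::%s:" % PRIMARY_FPR,
    "uid:-::::1349097600::::Constructed PPA <ppa@example.invalid>:",
    "sub:-:4096:1:FEDCBA9876543210:1349097600::::::e:",
    "fpr:::::::::1111111111111111111111111111111111111111:",
])
# The same listing with a second primary key smuggled in by the keyserver.
INJECTED_LISTING = GOOD_LISTING + "\n" + "\n".join([
    "pub:-:2048:1:0F0F0F0F0F0F0F0F:1349097600::-:::scESC:",
    "fpr:::::::::" + "DEADBEEF" * 5 + ":",
])


def normalise_fingerprint(fpr):
    """Strip spaces and a 0x prefix; return None unless it is a v4 fingerprint."""
    cleaned = fpr.replace(" ", "").upper()
    if cleaned.startswith("0X"):
        cleaned = cleaned[2:]
    return cleaned if V4_FINGERPRINT_RE.match(cleaned) else None


def parse_primary_fingerprints(colons_output):
    """Fingerprints of every *primary* key in --with-colons output.

    An `fpr:` record belongs to the `pub:` or `sub:` record preceding it,
    so subkey fingerprints are skipped. Field 10 carries the fingerprint.
    """
    fprs, last = [], None
    for line in colons_output.splitlines():
        fields = line.split(":")
        if fields[0] in ("pub", "sub"):
            last = fields[0]
        elif fields[0] == "fpr" and len(fields) > 9:
            if last == "pub":
                fprs.append(fields[9])
            last = None
    return fprs


def check_received_key(expected, colons_output):
    """Return the fingerprint to export, or raise ValueError.

    Every primary key the keyserver sent must be the requested one: a
    response that adds extra keys beside the right one is rejected too.
    """
    want = normalise_fingerprint(expected)
    if want is None:
        raise ValueError("full 40-hex v4 fingerprint required, not a keyid")
    got = parse_primary_fingerprints(colons_output)
    if not got:
        raise ValueError("keyserver returned no key")
    unexpected = [f for f in got if f != want]
    if unexpected:
        raise ValueError("keyserver returned unexpected key(s): %s"
                         % ", ".join(unexpected))
    return want


def accepts(expected, colons_output):
    """Boolean form of check_received_key()."""
    try:
        check_received_key(expected, colons_output)
        return True
    except ValueError:
        return False


def recv_key_verified(expected, keyserver, trusted_keyring):
    """Fetch `expected` from `keyserver` and merge it into `trusted_keyring`
    only if the keyserver handed back exactly that key. Calls gpg and the
    network; not exercised by the sample listings above."""
    want = normalise_fingerprint(expected)
    if want is None:
        raise ValueError("full 40-hex v4 fingerprint required, not a keyid")
    with tempfile.TemporaryDirectory() as home:  # scratch GnuPG home, mode 0700
        tmp = ["gpg", "--batch", "--homedir", home]
        # --recv-keys imports whatever the keyserver answers with, which is
        # why it targets the scratch home and never the trusted keyring.
        subprocess.check_call(tmp + ["--keyserver", keyserver, "--recv-keys", want])
        listing = subprocess.check_output(
            tmp + ["--with-colons", "--with-fingerprint", "--list-keys"],
            universal_newlines=True)
        fpr = check_received_key(want, listing)
        key = subprocess.check_output(tmp + ["--export", fpr])
        subprocess.run(["gpg", "--batch", "--no-default-keyring", "--keyring",
                        trusted_keyring, "--import"], input=key, check=True)
        return fpr
```

The export step is keyed by the verified full fingerprint, so even if a future gpg merged unrelated material into the scratch home, only the checked primary key (with its subkeys and signatures) reaches the trusted keyring; the listing check additionally refuses the whole response when the keyserver returned anything beyond the requested key.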
http://www.ubuntu.com/usn/usn-1570-1/
** Changed in: gnupg2 (Ubuntu Hardy)
Status: New => Fix Released
** Changed in: gnupg2 (Ubuntu Lucid)
Status: New => Fix Released
** Changed in: gnupg2 (Ubuntu Natty)
Status: New => Fix Released
** Changed in: gnupg2 (Ubuntu Oneiric)
** Visibility changed to: Public
** Also affects: gnupg2 (Ubuntu)
Importance: Undecided
Status: New
** Changed in: software-properties (Ubuntu)
Status: Triaged => Invalid
** Also affects: gnupg (Ubuntu Hardy)
Importance: Undecided
Status: New
** Also affects: gnupg2 (