Kubuntu Gutsy is affected, yes. Easiest way to reproduce the bug is to
delete the Ubuntu repository key and try to install any package. Whereas
Synaptic warns about a missing signature with big bold letters, adept
quietly disregards the missing signature. This is a grave bug with
security implications. There are quite a few scenarios where a user
would end up with a malicious package on his/her system:
1) DNS spoofing. The attacker simply spoofs a DNS request and
archive.ubuntu.com will resolve to ${IP_OF_ATTACKER}, where a pool of
crafted packages including a rootkit are. The signature breaks, since
the attacker does not possess the archive signing key, but adept ignores
it anyway.
2) Mirror cracked. Some mirror gets cracked and the attacker uploads
some rootkit to the package pool. Signature breaks, adept quietly
ignores and happily installs away.
There are some more scenarios I could think of, but in most cases the
signature is there to repel such attacks.
Question: As adept disregards Release.gpg, does it check the MD5 sums in
the file Release or Packages{.gz|.bz}? If not, we may even observe
system corruption by incomplete package downloads.
On a side note: Does anyone know if Debian is affected?
Kind regards,
Lee Garrett
--
adept manager does not check the signature of the repository
https://bugs.launchpad.net/bugs/162053
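The check the reporter asks about, shown as an added example (not code from the bug report, from adept or from APT): an APT index such as main/binary-i386/Packages must match the size and digest listed in the Release file's MD5Sum (or SHA1/SHA256) section, and Release itself is only trustworthy once Release.gpg has verified against the archive key. The script parses a constructed Release file, verifies an intact index, then shows how a download cut short (size mismatch) and a modified index (digest mismatch) are caught. The gpgv wrapper assumes gpgv is installed and that the keyring path holds the archive signing key; the file paths, sample Packages content and the hypothetical hello package are constructed for the example.

```python
"""Verify APT index files against the hashes published in a Release file.

Added example, not code from the bug report, adept or APT. The sample
Release and Packages data below are constructed for illustration.
"""
import hashlib
import re
import subprocess

# Section headers in a Release file that introduce hash lists.
SECTION_RE = re.compile(r"^(MD5Sum|SHA1|SHA256):\s*$")


def parse_release(release_text):
    """Return {section: {path: (hexdigest, size)}} from Release file text."""
    sections = {}
    current = None
    for line in release_text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = {}
            continue
        if current and line.startswith(" "):
            # Entry lines are indented: "<digest> <size> <relative path>"
            parts = line.split()
            if len(parts) == 3:
                digest, size, path = parts
                sections[current][path] = (digest.lower(), int(size))
        elif line and not line.startswith(" "):
            current = None  # back to ordinary "Field: value" headers
    return sections


def verify_index(release_text, path, data, algo="MD5Sum"):
    """Check a downloaded index file against the Release entry for its path.

    Returns (ok, reason). A size mismatch indicates an incomplete download;
    a digest mismatch indicates a corrupted or substituted file.
    """
    entries = parse_release(release_text).get(algo, {})
    if path not in entries:
        return False, "no %s entry for %s in Release" % (algo, path)
    expected_digest, expected_size = entries[path]
    if len(data) != expected_size:
        return False, "size mismatch: got %d, Release says %d" % (
            len(data), expected_size)
    hasher = {"MD5Sum": hashlib.md5, "SHA1": hashlib.sha1,
              "SHA256": hashlib.sha256}[algo]
    actual = hasher(data).hexdigest()
    if actual != expected_digest:
        return False, "digest mismatch: got %s, Release says %s" % (
            actual, expected_digest)
    return True, "ok"


def verify_release_signature(keyring, release_gpg_path, release_path):
    """Verify Release.gpg over Release with gpgv; True only on exit status 0.

    Assumes gpgv is installed and `keyring` contains the archive signing key
    (for Ubuntu of that era, /etc/apt/trusted.gpg). Without this step the
    hashes in Release are worth nothing, since an attacker controlling the
    download can rewrite them along with the packages.
    """
    result = subprocess.run(
        ["gpgv", "--keyring", keyring, release_gpg_path, release_path],
        capture_output=True)
    return result.returncode == 0


# Constructed sample: a tiny Packages index and a Release file covering it.
GOOD_PACKAGES = (b"Package: hello\nVersion: 2.2-1\n"
                 b"Filename: pool/main/h/hello/hello_2.2-1_i386.deb\n\n")
INDEX_PATH = "main/binary-i386/Packages"
SAMPLE_RELEASE = (
    "Origin: Ubuntu\nSuite: gutsy\nComponents: main\n"
    "MD5Sum:\n %s %d %s\n"
    "SHA1:\n %s %d %s\n"
    % (hashlib.md5(GOOD_PACKAGES).hexdigest(), len(GOOD_PACKAGES), INDEX_PATH,
       hashlib.sha1(GOOD_PACKAGES).hexdigest(), len(GOOD_PACKAGES), INDEX_PATH)
)

if __name__ == "__main__":
    # Intact download, a download cut short, and a same-length modification.
    cases = [("intact", GOOD_PACKAGES),
             ("truncated", GOOD_PACKAGES[:20]),
             ("tampered", GOOD_PACKAGES.replace(b"2.2-1", b"9.9-1"))]
    for label, data in cases:
        print(label, verify_index(SAMPLE_RELEASE, INDEX_PATH, data))
```

The tampered case keeps the byte length identical, which is why the size check alone is not enough and the digest must also be compared; the truncated case is the "incomplete download" corruption the question raises.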