Launchpad CVE tracker

CVE 2012-0954

APT 0.7.x before 0.7.25 and 0.8.x before 0.8.16, when using the apt-key net-update to import keyrings, relies on GnuPG argument order and does not check GPG subkeys, which might allow remote attackers to install altered packages via a man-in-the-middle (MITM) attack. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-3587.

Related bugs and status

CVE-2012-0954 (Candidate) is related to these bugs:

Bug #1013639: net-update verifcation checking is still insecure (aka gpg key shadowing, again)

		In	Importance	Status
1013639	net-update verifcation checking is still insecure (aka gpg key shadowing, again)	apt (Ubuntu)	Critical	Fix Released
1013639	net-update verifcation checking is still insecure (aka gpg key shadowing, again)	apt (Ubuntu Precise)	Critical	Fix Released
1013639	net-update verifcation checking is still insecure (aka gpg key shadowing, again)	apt (Ubuntu Lucid)	Critical	Fix Released
1013639	net-update verifcation checking is still insecure (aka gpg key shadowing, again)	apt (Ubuntu Quantal)	Critical	Fix Released
1013639	net-update verifcation checking is still insecure (aka gpg key shadowing, again)	apt (Ubuntu Natty)	Critical	Fix Released
1013639	net-update verifcation checking is still insecure (aka gpg key shadowing, again)	apt (Ubuntu Hardy)	Critical	Fix Released
1013639	net-update verifcation checking is still insecure (aka gpg key shadowing, again)	apt (Ubuntu Oneiric)	Critical	Fix Released

See the

CVE page on Mitre.org for more details.

Launchpad.net

CVE 2012-0954

References