GnuPG Argument Order Vulnerability in APT Package Management System
CVE-2012-0954

Currently unrated

Key Information:

Vendor: Debian
Status: Advanced Package Tool
Vendor: CVE Published:; 19 June 2012

Summary

This vulnerability in the APT package management system occurs when using the 'apt-key net-update' feature to import keyrings. It arises from a reliance on the order of GnuPG arguments and a failure to properly verify GPG subkeys. This oversight potentially allows remote attackers to perform man-in-the-middle (MITM) attacks, enabling them to install maliciously altered packages. Users must ensure they use updated versions of APT to protect against this risk.

References

http://seclists.org/fulldisclosure/2012/Jun/271

mailing-listx_refsource_FULLDISC

http://www.securityfocus.com/bid/54046

vdb-entryx_refsource_BID

http://seclists.org/fulldisclosure/2012/Jun/267

mailing-listx_refsource_FULLDISC

Timeline

Vulnerability Reserved
Oct 3, 2022
Vulnerability published
Jun 19, 2012