History: Jun 15, 2012 - 12:00 a.m.

CVE-2012-0954

2012-06-15 00:00:00
ubuntu.com

CVSS2: 2.6 Low

Access Vector: NETWORK
Access Complexity: HIGH
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:N/AC:H/Au:N/C:N/I:P/A:N

EPSS: 0.003 Low
Percentile: 70.0%

APT 0.7.x before 0.7.25 and 0.8.x before 0.8.16, when using the apt-key
net-update to import keyrings, relies on GnuPG argument order and does not
check GPG subkeys, which might allow remote attackers to install altered
packages via a man-in-the-middle (MITM) attack. NOTE: this vulnerability
exists because of an incomplete fix for CVE-2012-3587.

Notes

Author    Note
jdstrand  exploit in the wild
sbeattie  Ubuntu specific, net-update not enabled in debian.

OS      OS Version  Architecture  Package  Package Version          Filename
ubuntu  8.04        noarch        apt      < 0.7.9ubuntu17.6        UNKNOWN
ubuntu  10.04       noarch        apt      < 0.7.25.3ubuntu9.13     UNKNOWN
ubuntu  11.04       noarch        apt      < 0.8.13.2ubuntu4.6      UNKNOWN
ubuntu  11.10       noarch        apt      < 0.8.16~exp5ubuntu13.5  UNKNOWN
ubuntu  12.04       noarch        apt      < 0.8.16~exp12ubuntu10.2 UNKNOWN
