CVE-2012-0954

Publication date 15 June 2012

Last updated 24 July 2024

Ubuntu priority

APT 0.7.x before 0.7.25 and 0.8.x before 0.8.16, when using the apt-key net-update to import keyrings, relies on GnuPG argument order and does not check GPG subkeys, which might allow remote attackers to install altered packages via a man-in-the-middle (MITM) attack. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-3587.

Read the notes from the security team

Status

Show unmaintained releases

No maintained releases are affected by this CVE.

Package	Ubuntu Release	Status
apt	12.04 LTS precise	Fixed 0.8.16~exp12ubuntu10.2
	11.10 oneiric	Fixed 0.8.16~exp5ubuntu13.5
	11.04 natty	Fixed 0.8.13.2ubuntu4.6
	10.04 LTS lucid	Fixed 0.7.25.3ubuntu9.13
	8.04 LTS hardy	Fixed 0.7.9ubuntu17.6

How can I get the fixes?
What do statuses mean?

Notes

jdstrand

exploit in the wild

sbeattie

Ubuntu specific, net-update not enabled in debian.

References

MITRE
NVD
Launchpad
Debian

Related Ubuntu Security Notices (USN)

USN-1477-1
APT vulnerability
15 June 2012

Other references

http://seclists.org/fulldisclosure/2012/Jun/267
http://seclists.org/fulldisclosure/2012/Jun/271
http://seclists.org/fulldisclosure/2012/Jun/289
https://www.cve.org/CVERecord?id=CVE-2012-0954