Since it's the signature (not a key), this is only vulnerable to freeze/rewind attacks. i.e. Only matching file/signature pairs can be replaced on the wire. It's not possible to replace the contents arbitrarily.
** Description changed: Binary package hint: update-manager-core I think update-manager has a security problem: # grep URI /etc/update-manager/meta-release | head -2 URI = http://changelogs.ubuntu.com/meta-release URI_LTS = http://changelogs.ubuntu.com/meta-release-lts Changelogs are checked over the url: http://changelogs.ubuntu.com/meta- release where you will find something like this: Dist: maverick [..] UpgradeTool: http://archive.ubuntu.com/ubuntu/dists/maverick-updates/main/dist-upgrader-all/current/maverick.tar.gz UpgradeToolSignature: http://archive.ubuntu.com/ubuntu/dists/maverick-updates/main/dist-upgrader-all/current/maverick.tar.gz.gpg Presumably, the UpgradeToolSignature is used to verify the UpgradeTool. So update-manager does two things: - * Gets a key that verifies a file. + * Gets a signature that verifies a file. * Get a file. - * Checks the key verifies the file. + * Checks the signature verifies the file. - But because this is happening over http without ssl, the key or the file - or both can be replaced. + But because this is happening over http without ssl, the signature or + the file or both can be replaced. ** Changed in: update-manager-core (Ubuntu) Importance: Undecided => Wishlist ** Changed in: update-manager-core (Ubuntu) Status: New => Confirmed ** Visibility changed to: Public -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/701378 Title: update-manager seems to insecurely check if a file is valid -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
