Hello Colin, thanks for your comment on this.
I'm not sure I quite follow the comment, the code is meant to check the
following:
for every key we got from the network, check if the same keyid is also in the
master-keyring
if that is the case -> abort as this clearly indicates that something fishy
is going on
AFAICS this closes the attack vector described in the full-disclosure list as
the attacker will not be
able to "shadow" our master-key-id anymore with the key id duplication.
For am I missing something and/or made a mistake in the code so that I
actually check for the wrong thing?
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/857472
Title:
net-update verifcation checking insecure
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/857472/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
