Vulnerability Details : CVE-2012-0954
APT 0.7.x before 0.7.25 and 0.8.x before 0.8.16, when using the apt-key net-update to import keyrings, relies on GnuPG argument order and does not check GPG subkeys, which might allow remote attackers to install altered packages via a man-in-the-middle (MITM) attack. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-3587.
Vulnerability category: Input validation
Products affected by CVE-2012-0954
- cpe:2.3:a:debian:advanced_package_tool:0.7.20:*:*:*:*:*:*:*
- cpe:2.3:a:debian:advanced_package_tool:0.7.21:*:*:*:*:*:*:*
- cpe:2.3:a:debian:advanced_package_tool:0.7.19:*:*:*:*:*:*:*
- cpe:2.3:a:debian:advanced_package_tool:0.7.16:*:*:*:*:*:*:*
- cpe:2.3:a:debian:advanced_package_tool:0.7.15:*:*:*:*:*:*:*
- cpe:2.3:a:debian:advanced_package_tool:0.7.2:*:*:*:*:*:*:*
- cpe:2.3:a:debian:advanced_package_tool:0.7.1:*:*:*:*:*:*:*
- cpe:2.3:a:debian:advanced_package_tool:0.7.18:*:*:*:*:*:*:*
- cpe:2.3:a:debian:advanced_package_tool:0.7.17:*:*:*:*:*:*:*
- cpe:2.3:a:debian:advanced_package_tool:0.7.15:exp2:*:*:*:*:*:*
- cpe:2.3:a:debian:advanced_package_tool:0.7.15:exp1:*:*:*:*:*:*
- cpe:2.3:a:debian:advanced_package_tool:0.7.14:*:*:*:*:*:*:*
- cpe:2.3:a:debian:advanced_package_tool:0.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:debian:advanced_package_tool:0.7.15:exp3:*:*:*:*:*:*
- cpe:2.3:a:debian:advanced_package_tool:0.7.20.2:*:*:*:*:*:*:*
- cpe:2.3:a:debian:advanced_package_tool:0.7.20.1:*:*:*:*:*:*:*
- cpe:2.3:a:debian:advanced_package_tool:0.7.17:exp2:*:*:*:*:*:*
- cpe:2.3:a:debian:advanced_package_tool:0.7.17:exp1:*:*:*:*:*:*
- cpe:2.3:a:debian:advanced_package_tool:0.7.11:*:*:*:*:*:*:*
- cpe:2.3:a:debian:advanced_package_tool:0.7.10:*:*:*:*:*:*:*
- cpe:2.3:a:debian:advanced_package_tool:0.7.2-0.1:*:*:*:*:*:*:*
- cpe:2.3:a:debian:advanced_package_tool:0.7.17:exp4:*:*:*:*:*:*
- cpe:2.3:a:debian:advanced_package_tool:0.7.17:exp3:*:*:*:*:*:*
- cpe:2.3:a:debian:advanced_package_tool:0.7.13:*:*:*:*:*:*:*
- cpe:2.3:a:debian:advanced_package_tool:0.7.12:*:*:*:*:*:*:*
- cpe:2.3:a:debian:advanced_package_tool:0.8.10.2:*:*:*:*:*:*:*
- cpe:2.3:a:debian:advanced_package_tool:0.8.10:*:*:*:*:*:*:*
- cpe:2.3:a:debian:advanced_package_tool:0.8.0:pre2:*:*:*:*:*:*
- cpe:2.3:a:debian:advanced_package_tool:0.8.0:pre1:*:*:*:*:*:*
- cpe:2.3:a:debian:advanced_package_tool:0.8.0:*:*:*:*:*:*:*
- cpe:2.3:a:debian:advanced_package_tool:0.8.10.1:*:*:*:*:*:*:*
- cpe:2.3:a:debian:advanced_package_tool:0.8.1:*:*:*:*:*:*:*
- cpe:2.3:a:debian:advanced_package_tool:0.7.24:*:*:*:*:*:*:*
- cpe:2.3:a:debian:advanced_package_tool:0.7.23.1:*:*:*:*:*:*:*
- cpe:2.3:a:debian:advanced_package_tool:0.7.23:*:*:*:*:*:*:*
- cpe:2.3:a:debian:advanced_package_tool:0.7.22.2:*:*:*:*:*:*:*
- cpe:2.3:a:debian:advanced_package_tool:0.8.15.8:*:*:*:*:*:*:*
- cpe:2.3:a:debian:advanced_package_tool:0.8.15.7:*:*:*:*:*:*:*
- cpe:2.3:a:debian:advanced_package_tool:0.8.15.6:*:*:*:*:*:*:*
- cpe:2.3:a:debian:advanced_package_tool:0.8.15:exp3:*:*:*:*:*:*
- cpe:2.3:a:debian:advanced_package_tool:0.8.11.2:*:*:*:*:*:*:*
- cpe:2.3:a:debian:advanced_package_tool:0.8.11.1:*:*:*:*:*:*:*
- cpe:2.3:a:debian:advanced_package_tool:0.8.11:*:*:*:*:*:*:*
- cpe:2.3:a:debian:advanced_package_tool:0.8.10.3:*:*:*:*:*:*:*
- cpe:2.3:a:debian:advanced_package_tool:0.7.22.1:*:*:*:*:*:*:*
- cpe:2.3:a:debian:advanced_package_tool:0.8.15.10:*:*:*:*:*:*:*
- cpe:2.3:a:debian:advanced_package_tool:0.8.15:exp1:*:*:*:*:*:*
- cpe:2.3:a:debian:advanced_package_tool:0.8.15:*:*:*:*:*:*:*
- cpe:2.3:a:debian:advanced_package_tool:0.8.11.5:*:*:*:*:*:*:*
- cpe:2.3:a:debian:advanced_package_tool:0.8.11.3:*:*:*:*:*:*:*
- cpe:2.3:a:debian:advanced_package_tool:0.8.14:*:*:*:*:*:*:*
- cpe:2.3:a:debian:advanced_package_tool:0.8.13.2:*:*:*:*:*:*:*
- cpe:2.3:a:debian:advanced_package_tool:0.8.13.1:*:*:*:*:*:*:*
- cpe:2.3:a:debian:advanced_package_tool:0.8.13:*:*:*:*:*:*:*
- cpe:2.3:a:debian:advanced_package_tool:0.7.22:*:*:*:*:*:*:*
- cpe:2.3:a:debian:advanced_package_tool:0.8.15.9:*:*:*:*:*:*:*
- cpe:2.3:a:debian:advanced_package_tool:0.8.15:exp2:*:*:*:*:*:*
- cpe:2.3:a:debian:advanced_package_tool:0.8.15.1:*:*:*:*:*:*:*
- cpe:2.3:a:debian:advanced_package_tool:0.8.14.1:*:*:*:*:*:*:*
- cpe:2.3:a:debian:advanced_package_tool:0.8.12:*:*:*:*:*:*:*
- cpe:2.3:a:debian:advanced_package_tool:0.8.11.4:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2012-0954
- EPSS score: 0.35% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~72% (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2012-0954
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
2.6 | LOW | AV:N/AC:H/Au:N/C:N/I:P/A:N | 4.9 | 2.9 | NIST | |
CWE ids for CVE-2012-0954
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Assigned by: nvd@nist.gov (Primary)
References for CVE-2012-0954
- Full Disclosure: ubuntu apt-key (part 3)
  http://seclists.org/fulldisclosure/2012/Jun/289
- USN-1475-1: APT update | Ubuntu security notices
  http://www.ubuntu.com/usn/USN-1475-1
- Ubuntu Linux APT CVE-2012-0954 Security Bypass Vulnerability
  http://www.securityfocus.com/bid/54046
- Bug #1013128 “gpg key shadowing” : Bugs : apt package : Ubuntu
  https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1013128
- Bug #1013681 “make apt-key net-update secure” : Bugs : apt package : Ubuntu
  https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1013681
- USN-1477-1: APT vulnerability | Ubuntu security notices
  http://www.ubuntu.com/usn/USN-1477-1
- Full Disclosure: Strange gpg key shadowing
  http://seclists.org/fulldisclosure/2012/Jun/267
- Bug #1013639 “net-update verifcation checking is still insecure ...” : Bugs : apt package : Ubuntu
  https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1013639
- Full Disclosure: Using second gpg keyring may be misleading?
  http://seclists.org/fulldisclosure/2012/Jun/271