From 33e4d8b32a0baef91342527cce16cd47bcb1ee60 Mon Sep 17 00:00:00 2001
From: Michael Vogt <michael.vogt@ubuntu.com>
Date: Thu, 14 Jun 2012 16:18:20 +0200
Subject: [PATCH] add extra paranoia against subkey attacks (and a regression
 test), LP: #1013128, thanks to jdstrand and mdeslaur and Geori Guinski

---
 cmdline/apt-key                               |  14 +++++++-----
 .../exploid-keyring-with-dupe-subkeys.pub     | Bin 0 -> 2016 bytes
 test/integration/test-apt-key-net-update      |  21 ++++++++++++++++++
 3 files changed, 29 insertions(+), 6 deletions(-)
 create mode 100644 test/integration/exploid-keyring-with-dupe-subkeys.pub

diff --git a/cmdline/apt-key b/cmdline/apt-key
index dda3c1b43..6e85b7353 100755
--- a/cmdline/apt-key
+++ b/cmdline/apt-key
@@ -50,18 +50,20 @@ add_keys_with_verify_against_master_keyring() {
     #   all keys that are exported must have a valid signature
     #   from a key in the $distro-master-keyring
     add_keys=`$GPG_CMD --keyring $ADD_KEYRING --with-colons --list-keys | grep ^pub | cut -d: -f5`
+    all_add_keys=`$GPG_CMD --keyring $ADD_KEYRING --with-colons --list-keys | grep ^[ps]ub | cut -d: -f5`
     master_keys=`$GPG_CMD --keyring $MASTER --with-colons --list-keys | grep ^pub | cut -d: -f5`
-    
-    for add_key in $add_keys; do
 
-        # ensure there are no colisions LP: #857472
+    # ensure there are no colisions LP: #857472
+    for all_add_key in $all_add_keys; do
 	for master_key in $master_keys; do
-            if [ "$add_key" = "$master_key" ]; then
-                echo >&2 "Keyid collision for '$add_key' detected, operation aborted"
+            if [ "$all_add_key" = "$master_key" ]; then
+                echo >&2 "Keyid collision for '$all_add_key' detected, operation aborted"
                 return 1
             fi
         done
-
+    done
+    
+    for add_key in $add_keys; do
         # export the add keyring one-by-one
         rm -f $TMP_KEYRING
         $GPG_CMD --keyring $ADD_KEYRING --output $TMP_KEYRING --export $add_key 
diff --git a/test/integration/exploid-keyring-with-dupe-subkeys.pub b/test/integration/exploid-keyring-with-dupe-subkeys.pub
new file mode 100644
index 0000000000000000000000000000000000000000..02d4e6ee8f6d5bf2af4f7bc37bcbe6b522bbe8de
GIT binary patch
literal 2016
zcmY+Ei9ZvJ1IBlnvk99J5th;6zH@|BdmR(aM1))`YB?j!5pxz1wY|vP<S4IWl2q2R
zY$TJAOywwMZ#gQw^?pA6-hThV^Ld`<`z^|bIF0_v0zv?<BjvpFE6t%!wRp^;fbrR|
z(fshxJM_uI?sdZ|vW~+7cuKsim_?EpYcdSGj2qdpnyPZWQ#_IqgFWpYW+BRvOMgDm
z{aQLp#q;lgn9z|qR3iqtz7i1H;?>K+oKu~?5+7Dgf{Cx=ik7*=zLH_vz$f2{Mw@g3
z=@S%ZTn5+<1OV?z21NJ~^mLRp0?^9l0agJP>Fp3{APBG<3i_E7qyQEY6A^}iK|%;&
zkcg-l1PKBIK}tZ7Y$8BZL=xYxb|{i&4L7WY04icMFo9~+hjoFxNfS;U&%#-&S!+pQ
z<<?|n`I&D;-rM*L>;PQoMelf-&V{?GnJ1Jqv1AHV{!YPk;wM9X_V@U0U9t1pRP-vf
zuZHw3V|5+sx+#Em##nwn1iMuUgYSrGaF4&5sw%EjXRzmxs!D_l&u6kPy3YRLoGKdj
zg$&#Wk^B)|=x6lC#h>xSzNI8s?m2MMLspmsJYaOt2K;iH?$eaGyUnZEy!5@8vFi0m
z8ETS*l=s2RUJu-Zp>X*8K2hNUA4F8Fm3YV}kvAbs&g@^)`&fCRVra*;(z*|BL?j`D
zskE_hU+MXLZyM>+v(ZZZR~1ZiTCfDE$~#KY&SUlk&gSFVOs-%%A&O&?I%g;_7h11t
z9WS;2@Sw`StK`uY%HGK0gAG+<4Mqmp{%8A5gCmHwGD!!I>Q^MjtrwD!TQx<qolVM@
zV0x{~8cf}zD-N~`)#KfvBPRefSMwv+48%~KfyB4gfsc(xsq<sp?54>orY(bT3)^aa
z8xq|iC$>4Ao1C&s;l??}Otd;8C8T7~k9!XX92iy6BT$!-3j?pJ|F5q$_V0aZB?zYo
z+h#_?QAY-2-3CV`({_!E4o~=5TxIhEXF=eG{i!?Xdg4$k=5t%|#iG#d?_SE;lh-2L
zIz-Nx75KbS3J>tqa@Hw`imzo@#%-y}FPU(iHmwmYOFR4ZrR1M-uTxqIJaWJK0dz`h
z-%IlcU?Q*%<%z;eHXc$n97X)2lL=1N>TNQLtwB#tt6Xl@C2|nGG)I~i6_rMRV^kcS
z5}fPXYjZ^wk%46!7%|}1Ivk@vEH^xWLUZ!nf;q3?EEt-(r|nENam+IQW^w`M?KR``
z4Tuo#<71oCVs?f$<$epORY*N}P0{Iw6=zO@5y6&LNYDJ{dY}I0gq2G%nslkBD7n%6
zZOmN~+Q2ppeudcnKXeDVi{p+bm=^4A%VZ?ZxuH47FzMr$uz9wugS2iB`<QH9+be$@
zs(+O>MHfA_b6+cM<7x{)y{%9K?192l33mP#v+~m36|M69lpT5T<>l9Jh*}ubKPDW|
z&fn^EruiEgAEvs!AUMzmc29usKqzAxM;c8o7Tvk6^zOoSU6p^)O)r7$`0;j;U!aQr
z&ZFHR1aO1uD9Y->&Ufrgt7I!#ob_eh)C?KRVl@sWuJN=Us6RS&c%%jX-G3KqnrYNk
z>JFTG9a$K=QTHU4QWg|j%j@ciDwE4|E{$Uzzezg%MRT05hvH5=GPRTF)IY%rRep^(
z8Lmx%L7!!e^i%-+^-9C;P1D`V6T|+dsa2%m#5;h>V5iZtNB{u%<4yKHmvUR6Z!r<C
z3Xp&Fgfuer0G`N%5Z+#wAe>HHYqn9JmlHbQp{mu(Y?TM1PG*UiiG2-U+-MRgKIxHa
zkN{8I{whr2ThHW{t-MR_WvOV>O4ma3p3F?OZ~1-xI8|(yp9W3c5X98!b!Ajo8Q`k=
zFvpus<`CB!`3rJIv8Mr_1)}5%WODYsHKbKgj;)x(W=lm*1i?JNzNSI`D}B(HqP>6J
zyWZkTmb<TKxQG^Y*TaR&t+bR>zTlb<ENd9I?D!=xsmaKUzmae+goh%%RCwxRTF{6P
zn{hp-C^;cwtr&EFB`k@_JD;<>xPVvNZS4BNiL4&zqNStgP3EAMUGTewe<|tT4aq?E
ze<PMff)qeN)BmK}6RHf6`z5p=J^m)N^jANGCVsBMu4NJwThBIB-+UO2m$c+`@FZD|
zfmwlESp&bwKbzIswG&$1zEaz>C5GH7d7jWv0A-Zn%+NO#%5Xp88;7Iw@n>pEGLw7<
zP3km1d3_qpihz~OT#Oqx4T_PEylWv3X~$&6|1}^JR4ju{1#3L_c?{xz{FnwLJG0PX
z0zEb5jfkqgQ<dvkK|`}xHcQ#?@6e^-)EqORSgFtI=MwimOz}EOKYF!t?MB|js&hVl
z=w<nbE^{(qTiH{Eb)gjmSToym_}1n$ysK^e*&ux?$VG*lNQfdl-rwzAg+%LXCvVG-
zZ^sZ|)`CvyeAV|vY3>mvwCY~18sdIa6^cS5anx<xU5O1^q6~)_g15Z13AUo}>`e`{
z8}BWJYYU*K%-*WMo|B0maC(mfbaU|J+zeM>T<e8yyzWxX9q@L0kKl{;x@V7D!Q&yY
z?qhvhn*F-N-v;=Ds%MhE*GM5`&WB&_7uv&09KkGLpEaQ*v=i3jHUexeFz;g%3cUhL
SxQ~d_46|@!mtD^e2>%1>f18E?

literal 0
HcmV?d00001

diff --git a/test/integration/test-apt-key-net-update b/test/integration/test-apt-key-net-update
index 452766b4d..d5205836f 100755
--- a/test/integration/test-apt-key-net-update
+++ b/test/integration/test-apt-key-net-update
@@ -49,6 +49,26 @@ else
     msgpass
 fi
 
+
+# test another possible attack vector using subkeys (LP: #1013128)
+msgtest "add_keys_with_verify_against_master_keyring with subkey attack"
+ADD_KEYRING=./keys/exploid-keyring-with-dupe-subkeys.pub
+if add_keys_with_verify_against_master_keyring $ADD_KEYRING $MASTER_KEYRING; then
+    msgfail
+else
+    msgpass
+fi
+
+# ensure the keyring is still empty
+gpg_out=$($GPG --list-keys)
+msgtest "Test if keyring is empty"
+if [ -n "" ]; then
+    msgfail
+else
+    msgpass
+fi
+
+
 # test good keyring and ensure we get no errors
 ADD_KEYRING=/usr/share/keyrings/ubuntu-archive-keyring.gpg
 if add_keys_with_verify_against_master_keyring $ADD_KEYRING $MASTER_KEYRING; then
@@ -72,3 +92,4 @@ uid                  Ubuntu Archive Automatic Signing Key (2012) <ftpmaster@ubun
 pub   4096R/EFE21092 2012-05-11
 uid                  Ubuntu CD Image Automatic Signing Key (2012) <cdimage@ubuntu.com>
 ' $GPG --list-keys
+
-- 
2.50.0