CVE-2012-0954

APT 0.7.x < 0.7.25 and 0.8.x < 0.8.16 - Man-in-the-Middle Package Alteration via GPG Subkey Bypass

Title source: manual
STIX 2.1

Description

APT 0.7.x before 0.7.25 and 0.8.x before 0.8.16, when using the apt-key net-update to import keyrings, relies on GnuPG argument order and does not check GPG subkeys, which might allow remote attackers to install altered packages via a man-in-the-middle (MITM) attack. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-3587.

References (9)

Core 9
Core References
Mailing List mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2012/Jun/271
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/54046
Mailing List mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2012/Jun/267
Vendor Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-1477-1
Vendor Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-1475-1
Mailing List mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2012/Jun/289

Scores

EPSS 0.0221
EPSS Percentile 80.5%

Details

CWE
CWE-20
Status published
Products (41)
debian/advanced_package_tool 0.7.0
debian/advanced_package_tool 0.7.1
debian/advanced_package_tool 0.7.2
debian/advanced_package_tool 0.7.2-0.1
debian/advanced_package_tool 0.7.10
debian/advanced_package_tool 0.7.11
debian/advanced_package_tool 0.7.12
debian/advanced_package_tool 0.7.13
debian/advanced_package_tool 0.7.14
debian/advanced_package_tool 0.7.15 (4 CPE variants)
... and 31 more
Published Jun 19, 2012
Tracked Since Feb 18, 2026