CVE-2012-0954
APT 0.7.x < 0.7.25 and 0.8.x < 0.8.16 - Man-in-the-Middle Package Alteration via GPG Subkey Bypass
Title source: manualDescription
APT 0.7.x before 0.7.25 and 0.8.x before 0.8.16, when using the apt-key net-update to import keyrings, relies on GnuPG argument order and does not check GPG subkeys, which might allow remote attackers to install altered packages via a man-in-the-middle (MITM) attack. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-3587.
References (9)
Core 9
Core References
Issue Tracking x_refsource_confirm
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1013128
Issue Tracking x_refsource_confirm
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1013639
Issue Tracking x_refsource_confirm
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1013681
Mailing List mailing-list
x_refsource_fulldisc
http://seclists.org/fulldisclosure/2012/Jun/271
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/54046
Mailing List mailing-list
x_refsource_fulldisc
http://seclists.org/fulldisclosure/2012/Jun/267
Vendor Advisory vendor-advisory
x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-1477-1
Vendor Advisory vendor-advisory
x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-1475-1
Mailing List mailing-list
x_refsource_fulldisc
http://seclists.org/fulldisclosure/2012/Jun/289
Scores
EPSS
0.0221
EPSS Percentile
80.5%
Details
CWE
CWE-20
Status
published
Products (41)
debian/advanced_package_tool
0.7.0
debian/advanced_package_tool
0.7.1
debian/advanced_package_tool
0.7.2
debian/advanced_package_tool
0.7.2-0.1
debian/advanced_package_tool
0.7.10
debian/advanced_package_tool
0.7.11
debian/advanced_package_tool
0.7.12
debian/advanced_package_tool
0.7.13
debian/advanced_package_tool
0.7.14
debian/advanced_package_tool
0.7.15 (4 CPE variants)
... and 31 more
Published
Jun 19, 2012
Tracked Since
Feb 18, 2026