CVE-2012-3587
APT 0.7.x < 0.7.25 and 0.8.x < 0.8.16 - Unauthenticated Trojan Package Installation via MITM Keyring Update
Title source: llmDescription
APT 0.7.x before 0.7.25 and 0.8.x before 0.8.16, when using the apt-key net-update to import keyrings, relies on GnuPG argument order and does not check GPG subkeys, which might allow remote attackers to install Trojan horse packages via a man-in-the-middle (MITM) attack.
References (4)
Core 4
Core References
Mailing List mailing-list
x_refsource_fulldisc
http://seclists.org/fulldisclosure/2012/Jun/267
Vendor Advisory vendor-advisory
x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-1477-1
Vendor Advisory vendor-advisory
x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-1475-1
Issue Tracking x_refsource_confirm
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1013128
Scores
EPSS
0.0170
EPSS Percentile
74.6%
Details
CWE
CWE-20
Status
published
Products (41)
debian/advanced_package_tool
0.7.0
debian/advanced_package_tool
0.7.1
debian/advanced_package_tool
0.7.2
debian/advanced_package_tool
0.7.2-0.1
debian/advanced_package_tool
0.7.10
debian/advanced_package_tool
0.7.11
debian/advanced_package_tool
0.7.12
debian/advanced_package_tool
0.7.13
debian/advanced_package_tool
0.7.14
debian/advanced_package_tool
0.7.15 (4 CPE variants)
... and 31 more
Published
Jun 19, 2012
Tracked Since
Feb 18, 2026