CVE-2012-3587

APT 0.7.x < 0.7.25 and 0.8.x < 0.8.16 - Unauthenticated Trojan Package Installation via MITM Keyring Update

Title source: llm
STIX 2.1

Description

APT 0.7.x before 0.7.25 and 0.8.x before 0.8.16, when using the apt-key net-update to import keyrings, relies on GnuPG argument order and does not check GPG subkeys, which might allow remote attackers to install Trojan horse packages via a man-in-the-middle (MITM) attack.

References (4)

Core 4
Core References
Mailing List mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2012/Jun/267
Vendor Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-1477-1
Vendor Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-1475-1

Scores

EPSS 0.0170
EPSS Percentile 74.6%

Details

CWE
CWE-20
Status published
Products (41)
debian/advanced_package_tool 0.7.0
debian/advanced_package_tool 0.7.1
debian/advanced_package_tool 0.7.2
debian/advanced_package_tool 0.7.2-0.1
debian/advanced_package_tool 0.7.10
debian/advanced_package_tool 0.7.11
debian/advanced_package_tool 0.7.12
debian/advanced_package_tool 0.7.13
debian/advanced_package_tool 0.7.14
debian/advanced_package_tool 0.7.15 (4 CPE variants)
... and 31 more
Published Jun 19, 2012
Tracked Since Feb 18, 2026