[Bug 1812353] Re: content injection in http method (CVE-2019-3462)

[Christoph Anton Mitterer]

Or is there anything going to happen wrt to https/TLS?

I, personally, are not convinced of doing this...

In this specific case, and rogue mirror could have still exploited the
hole, and I'd assume there is nothing done to check the trustworthiness
of mirror operators (there's no real way to do so).

Also, the X.509 trust model is inherently broken. 150 root CAs alone in
the mozilla bundle (many of them which cannot be trusted per se by any
sane person) and even more sub CAs... all of which can issue literally
any certificate.

Using TLS would IMO only help (a tiny bit) if Debian (respectively the
derivates) would operate their own CA (and only accept that for services
they offer, like mirrors, BTS, gitlab, etc.).

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/1812353

Title:
  content injection in http method (CVE-2019-3462)

Status in apt package in Ubuntu:
  Fix Released
Status in apt source package in Precise:
  Fix Released
Status in apt source package in Trusty:
  Fix Released
Status in apt source package in Xenial:
  Fix Released
Status in apt source package in Bionic:
  Fix Released
Status in apt source package in Cosmic:
  Fix Released
Status in apt source package in Disco:
  Fix Released

Bug description:
  apt, starting with version 0.8.15, decodes target URLs of redirects,
  but does not check them for newlines, allowing MiTM attackers (or
  repository mirrors) to inject arbitrary headers into the result
  returned to the main process.

  If the URL embeds hashes of the supposed file, it can thus be used to
  disable any validation of the downloaded file, as the fake hashes will
  be prepended in front of the right hashes.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1812353/+subscriptions