• »
  • Latest Threats
  • Desktop
  • Server
  • high Severity (Can partially compromise system)

APT flaws allow remote attackers to execute arbitrary code via crafted package and more

high Severity            Affects:
APT before 1.0.9

APT is a command line package management tool which understands collections or "repositories" and is able to find the packages needed to satisfy inter-package dependencies.

It was discovered that APT, the high level package manager, does not properly invalidate unauthenticated data (CVE-2014-0488), performs incorrect verification of 304 replies (CVE-2014-0487), does not perform the checksum check when the Acquire::GzipIndexes option is used (CVE-2014-0489) and does not properly perform validation for binary packages downloaded by the apt-get download command (CVE-2014-0490).


CVE-2014-0490

The apt-get download command in APT before 1.0.9 does not properly validate signatures for packages, which allows remote attackers to execute arbitrary code via a crafted package.


CVE-2014-0489

APT before 1.0.9, when the Acquire::GzipIndexes option is enabled, does not validate checksums, which allows remote attackers to execute arbitrary code via a crafted package.


CVE-2014-0488

APT before 1.0.9 does not "invalidate repository data" when moving from an unauthenticated to authenticated state, which allows remote attackers to have unspecified impact via crafted repository data.


CVE-2014-0487

APT before 1.0.9 does not verify downloaded files if they have been modified as indicated using the If-Modified-Since header, which has unspecified impact and attack vectors.


RECOMMENDATION

Ubuntu Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 14.04 LTS: 

apt ->  https://launchpad.net/ubuntu/+source/apt

1.0.1ubuntu2.3 ->  https://launchpad.net/ubuntu/+source/apt/1.0.1ubuntu2.3

Ubuntu 12.04 LTS:

apt -> https://launchpad.net/ubuntu/+source/apt

0.8.16~exp12ubuntu10.19 ->  https://launchpad.net/ubuntu/+source/apt/0.8.16~exp12ubuntu10.19

Ubuntu 10.04 LTS:

apt -> https://launchpad.net/ubuntu/+source/apt

0.7.25.3ubuntu9.16 ->  https://launchpad.net/ubuntu/+source/apt/0.7.25.3ubuntu9.16

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.


Debian Update Instructions

For the stable distribution (wheezy), these problems have been fixed in version 0.9.7.9+deb7u3.

For the unstable distribution (sid), these problems have been fixed in version 1.0.9.