Vulnerability Description
APT 0.7.x before 0.7.25 and 0.8.x before 0.8.16, when using the apt-key net-update to import keyrings, relies on GnuPG argument order and does not check GPG subkeys, which might allow remote attackers to install Trojan horse packages via a man-in-the-middle (MITM) attack.
CVSS Score
LOW
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Debian | Advanced Package Tool | 0.7.0 |
Related Weaknesses (CWE)
References
- http://seclists.org/fulldisclosure/2012/Jun/267
- http://www.ubuntu.com/usn/USN-1475-1
- http://www.ubuntu.com/usn/USN-1477-1
- https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1013128
- http://seclists.org/fulldisclosure/2012/Jun/267
- http://www.ubuntu.com/usn/USN-1475-1
- http://www.ubuntu.com/usn/USN-1477-1
- https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1013128
FAQ
What is CVE-2012-3587?
CVE-2012-3587 is a vulnerability with a CVSS score of 2.6 (LOW). APT 0.7.x before 0.7.25 and 0.8.x before 0.8.16, when using the apt-key net-update to import keyrings, relies on GnuPG argument order and does not check GPG subkeys, which might allow remote attackers...
How severe is CVE-2012-3587?
CVE-2012-3587 has been rated LOW with a CVSS base score of 2.6/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2012-3587?
Check the references section above for vendor advisories and patch information. Affected products include: Debian Advanced Package Tool.