CVE-2012-0954

APT 0.7.x before 0.7.25 and 0.8.x before 0.8.16, when using the apt-key net-update to import keyrings, relies on GnuPG argument order and does not check GPG subkeys, which might allow remote attackers to install altered packages via a man-in-the-middle (MITM) attack. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-3587.

| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | NIST | 2.6 UNKNOWN | NETWORK | HIGH | | AV:N/AC:H/Au:N/C:N/I:P/A:N |
| canonical | CNA | --- | | | | --- |
| CVE | ADP | --- | | | | --- |

EPSS Score
Percentile: 57%

Vulnerable software versions

Vendor: debian
Product: advanced_package_tool
Versions: 0.7.0, 0.7.1, 0.7.2, 0.7.2-0.1, 0.7.10, 0.7.11, 0.7.12, 0.7.13, 0.7.14, 0.7.15, 0.7.15:exp1, 0.7.15:exp2, 0.7.15:exp3, 0.7.16, 0.7.17, 0.7.17:exp1, 0.7.17:exp2, 0.7.17:exp3, 0.7.17:exp4, 0.7.18, 0.7.19, 0.7.20, 0.7.20.1, 0.7.20.2, 0.7.21, 0.7.22, 0.7.22.1, 0.7.22.2, 0.7.23, 0.7.23.1, 0.7.24, 0.8.0, 0.8.0:pre1, 0.8.0:pre2, 0.8.1, 0.8.10, 0.8.10.1, 0.8.10.2, 0.8.10.3, 0.8.11, 0.8.11.1, 0.8.11.2, 0.8.11.3, 0.8.11.4, 0.8.11.5, 0.8.12, 0.8.13, 0.8.13.1, 0.8.13.2, 0.8.14, 0.8.14.1, 0.8.15, 0.8.15:exp1, 0.8.15:exp2, 0.8.15:exp3, 0.8.15.1, 0.8.15.6, 0.8.15.7, 0.8.15.8, 0.8.15.9, 0.8.15.10

Debian Releases

| Product | Codename | Version | Status |
|---|---|---|---|
| apt | bullseye | 2.2.4 | fixed |
| apt | bookworm | 2.6.1 | fixed |
| apt | sid | 2.9.10 | fixed |
| apt | trixie | 2.9.10 | fixed |

Ubuntu Releases

| Product | Codename | Version | Status |
|---|---|---|---|
| apt | precise | Fixed 0.8.16~exp12ubuntu10.2 | released |
| apt | oneiric | Fixed 0.8.16~exp5ubuntu13.5 | released |
| apt | natty | Fixed 0.8.13.2ubuntu4.6 | released |
| apt | lucid | Fixed 0.7.25.3ubuntu9.13 | released |
| apt | hardy | Fixed 0.7.9ubuntu17.6 | released |