APT 0.7.x before 0.7.25 and 0.8.x before 0.8.16, when using the apt-key net-update to import keyrings, relies on GnuPG argument order and does not check GPG subkeys, which might allow remote attackers to install altered packages via a man-in-the-middle (MITM) attack. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-3587.

Metrics

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity High

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.0037.

Key SSVC decision points have not yet been added.

Affected Vendors & Products

Vendors Products
Debian
  • Advanced Package Tool

Configuration 1 [-]

OR cpe:2.3:a:debian:advanced_package_tool:0.7.0:*:*:*:*:*:*:*
cpe:2.3:a:debian:advanced_package_tool:0.7.1:*:*:*:*:*:*:*
cpe:2.3:a:debian:advanced_package_tool:0.7.2:*:*:*:*:*:*:*
cpe:2.3:a:debian:advanced_package_tool:0.7.2-0.1:*:*:*:*:*:*:*
cpe:2.3:a:debian:advanced_package_tool:0.7.10:*:*:*:*:*:*:*
cpe:2.3:a:debian:advanced_package_tool:0.7.11:*:*:*:*:*:*:*
cpe:2.3:a:debian:advanced_package_tool:0.7.12:*:*:*:*:*:*:*
cpe:2.3:a:debian:advanced_package_tool:0.7.13:*:*:*:*:*:*:*
cpe:2.3:a:debian:advanced_package_tool:0.7.14:*:*:*:*:*:*:*
cpe:2.3:a:debian:advanced_package_tool:0.7.15:*:*:*:*:*:*:*
cpe:2.3:a:debian:advanced_package_tool:0.7.15:exp1:*:*:*:*:*:*
cpe:2.3:a:debian:advanced_package_tool:0.7.15:exp2:*:*:*:*:*:*
cpe:2.3:a:debian:advanced_package_tool:0.7.15:exp3:*:*:*:*:*:*
cpe:2.3:a:debian:advanced_package_tool:0.7.16:*:*:*:*:*:*:*
cpe:2.3:a:debian:advanced_package_tool:0.7.17:*:*:*:*:*:*:*
cpe:2.3:a:debian:advanced_package_tool:0.7.17:exp1:*:*:*:*:*:*
cpe:2.3:a:debian:advanced_package_tool:0.7.17:exp2:*:*:*:*:*:*
cpe:2.3:a:debian:advanced_package_tool:0.7.17:exp3:*:*:*:*:*:*
cpe:2.3:a:debian:advanced_package_tool:0.7.17:exp4:*:*:*:*:*:*
cpe:2.3:a:debian:advanced_package_tool:0.7.18:*:*:*:*:*:*:*
cpe:2.3:a:debian:advanced_package_tool:0.7.19:*:*:*:*:*:*:*
cpe:2.3:a:debian:advanced_package_tool:0.7.20:*:*:*:*:*:*:*
cpe:2.3:a:debian:advanced_package_tool:0.7.20.1:*:*:*:*:*:*:*
cpe:2.3:a:debian:advanced_package_tool:0.7.20.2:*:*:*:*:*:*:*
cpe:2.3:a:debian:advanced_package_tool:0.7.21:*:*:*:*:*:*:*
cpe:2.3:a:debian:advanced_package_tool:0.7.22:*:*:*:*:*:*:*
cpe:2.3:a:debian:advanced_package_tool:0.7.22.1:*:*:*:*:*:*:*
cpe:2.3:a:debian:advanced_package_tool:0.7.22.2:*:*:*:*:*:*:*
cpe:2.3:a:debian:advanced_package_tool:0.7.23:*:*:*:*:*:*:*
cpe:2.3:a:debian:advanced_package_tool:0.7.23.1:*:*:*:*:*:*:*
cpe:2.3:a:debian:advanced_package_tool:0.7.24:*:*:*:*:*:*:*
cpe:2.3:a:debian:advanced_package_tool:0.8.0:*:*:*:*:*:*:*
cpe:2.3:a:debian:advanced_package_tool:0.8.0:pre1:*:*:*:*:*:*
cpe:2.3:a:debian:advanced_package_tool:0.8.0:pre2:*:*:*:*:*:*
cpe:2.3:a:debian:advanced_package_tool:0.8.1:*:*:*:*:*:*:*
cpe:2.3:a:debian:advanced_package_tool:0.8.10:*:*:*:*:*:*:*
cpe:2.3:a:debian:advanced_package_tool:0.8.10.1:*:*:*:*:*:*:*
cpe:2.3:a:debian:advanced_package_tool:0.8.10.2:*:*:*:*:*:*:*
cpe:2.3:a:debian:advanced_package_tool:0.8.10.3:*:*:*:*:*:*:*
cpe:2.3:a:debian:advanced_package_tool:0.8.11:*:*:*:*:*:*:*
cpe:2.3:a:debian:advanced_package_tool:0.8.11.1:*:*:*:*:*:*:*
cpe:2.3:a:debian:advanced_package_tool:0.8.11.2:*:*:*:*:*:*:*
cpe:2.3:a:debian:advanced_package_tool:0.8.11.3:*:*:*:*:*:*:*
cpe:2.3:a:debian:advanced_package_tool:0.8.11.4:*:*:*:*:*:*:*
cpe:2.3:a:debian:advanced_package_tool:0.8.11.5:*:*:*:*:*:*:*
cpe:2.3:a:debian:advanced_package_tool:0.8.12:*:*:*:*:*:*:*
cpe:2.3:a:debian:advanced_package_tool:0.8.13:*:*:*:*:*:*:*
cpe:2.3:a:debian:advanced_package_tool:0.8.13.1:*:*:*:*:*:*:*
cpe:2.3:a:debian:advanced_package_tool:0.8.13.2:*:*:*:*:*:*:*
cpe:2.3:a:debian:advanced_package_tool:0.8.14:*:*:*:*:*:*:*
cpe:2.3:a:debian:advanced_package_tool:0.8.14.1:*:*:*:*:*:*:*
cpe:2.3:a:debian:advanced_package_tool:0.8.15:*:*:*:*:*:*:*
cpe:2.3:a:debian:advanced_package_tool:0.8.15:exp1:*:*:*:*:*:*
cpe:2.3:a:debian:advanced_package_tool:0.8.15:exp2:*:*:*:*:*:*
cpe:2.3:a:debian:advanced_package_tool:0.8.15:exp3:*:*:*:*:*:*
cpe:2.3:a:debian:advanced_package_tool:0.8.15.1:*:*:*:*:*:*:*
cpe:2.3:a:debian:advanced_package_tool:0.8.15.6:*:*:*:*:*:*:*
cpe:2.3:a:debian:advanced_package_tool:0.8.15.7:*:*:*:*:*:*:*
cpe:2.3:a:debian:advanced_package_tool:0.8.15.8:*:*:*:*:*:*:*
cpe:2.3:a:debian:advanced_package_tool:0.8.15.9:*:*:*:*:*:*:*
cpe:2.3:a:debian:advanced_package_tool:0.8.15.10:*:*:*:*:*:*:*

No data.

No data.

Advisories
Source ID Title
EUVD EUVD EUVD-2012-0977 APT 0.7.x before 0.7.25 and 0.8.x before 0.8.16, when using the apt-key net-update to import keyrings, relies on GnuPG argument order and does not check GPG subkeys, which might allow remote attackers to install altered packages via a man-in-the-middle (MITM) attack. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-3587.
Ubuntu USN Ubuntu USN USN-1477-1 APT vulnerability
Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References
Link Providers
http://seclists.org/fulldisclosure/2012/Jun/267 cve-icon cve-icon
http://seclists.org/fulldisclosure/2012/Jun/271 cve-icon cve-icon
http://seclists.org/fulldisclosure/2012/Jun/289 cve-icon cve-icon
http://www.securityfocus.com/bid/54046 cve-icon cve-icon
http://www.ubuntu.com/usn/USN-1475-1 cve-icon cve-icon
http://www.ubuntu.com/usn/USN-1477-1 cve-icon cve-icon
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1013128 cve-icon cve-icon
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1013639 cve-icon cve-icon
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1013681 cve-icon cve-icon
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: canonical

Published:

Updated: 2024-09-16T20:13:26.664Z

Reserved: 2012-02-01T00:00:00Z

Link: CVE-2012-0954

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Deferred

Published: 2012-06-19T20:55:05.380

Modified: 2025-04-11T00:51:21.963

Link: CVE-2012-0954

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.