Ubuntu/Debian installation method allows key poisoning and code execution for network attacker

Shane1145
Posts: 1689
Joined: Wed Sep 25, 2024 2:31 pm


Post by Shane1145 »

The MariaDB installation instructions for apt-based distributions (Debian/Ubuntu) look like this:
keyserver.ubuntu.com is part of the SKS keyserver network and gets synced with other keyservers.
Recently there have been attacks "poisoning" PGP keys on the keyservers. The principle is actually extremely simple: The keyservers operate on an "append only" principle, and everyone can add new signatures to an existing key. So one can make a key practically unusable by adding lots of signatures.

https://hackerone.com/reports/639473
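As an added example, not code from the post above or from the HackerOne report it links: a small Python check that walks the OpenPGP packet framing (RFC 4880, section 4.2) of a binary key blob and counts the signature packets, so that a key pulled from a keyserver can be rejected as flooded before it is handed to apt-key or gpg. The packet builder, the two sample keys and the 1000-signature threshold are constructed for illustration and are not real MariaDB key material.

```python
"""Count OpenPGP signature packets in a binary (non-armored) key blob.

Added example. It only parses packet framing (tag + length) as defined in
RFC 4880 section 4.2; it does not verify any signature. The point is that a
"poisoned" key carries thousands of appended signature packets, which is
cheap to detect by counting before importing the key.
"""

TAG_SIGNATURE = 2
TAG_PUBLIC_KEY = 6
TAG_USER_ID = 13


def _read_old_length(data, pos, length_type):
    """Old-format length: 1, 2 or 4 octets; type 3 means 'until end of data'."""
    if length_type == 0:
        return data[pos], pos + 1
    if length_type == 1:
        return int.from_bytes(data[pos:pos + 2], "big"), pos + 2
    if length_type == 2:
        return int.from_bytes(data[pos:pos + 4], "big"), pos + 4
    return len(data) - pos, pos


def _read_new_length(data, pos):
    """New-format length: one, two or five octets. Partial lengths are rejected."""
    first = data[pos]
    if first < 192:
        return first, pos + 1
    if first < 224:
        return ((first - 192) << 8) + data[pos + 1] + 192, pos + 2
    if first == 255:
        return int.from_bytes(data[pos + 1:pos + 5], "big"), pos + 5
    raise ValueError("partial body lengths are not expected in key material")


def iter_packets(data):
    """Yield (tag, body) for each packet in the blob; raise on malformed framing."""
    pos = 0
    while pos < len(data):
        header = data[pos]
        if not header & 0x80:
            raise ValueError(f"invalid packet header at offset {pos}")
        if header & 0x40:  # new-format header: tag in the low six bits
            tag = header & 0x3F
            length, pos = _read_new_length(data, pos + 1)
        else:              # old-format header: tag in bits 2-5, length type in bits 0-1
            tag = (header >> 2) & 0x0F
            length, pos = _read_old_length(data, pos + 1, header & 0x03)
        body = data[pos:pos + length]
        if len(body) != length:
            raise ValueError(f"truncated packet at offset {pos}")
        yield tag, body
        pos += length


def count_packets(data):
    """Return a dict mapping packet tag -> number of packets with that tag."""
    counts = {}
    for tag, _ in iter_packets(data):
        counts[tag] = counts.get(tag, 0) + 1
    return counts


def looks_poisoned(data, max_signatures=1000):
    """True if the blob carries more signature packets than a sane key should.

    The threshold is an assumption for this example; a normal vendor signing
    key has a handful of self-signatures and certifications, not thousands.
    """
    return count_packets(data).get(TAG_SIGNATURE, 0) > max_signatures


# --- constructed sample keys (not real key material) -------------------------

def build_packet(tag, body):
    """Serialize a new-format packet (RFC 4880 section 4.2.2) for the samples."""
    n = len(body)
    if n < 192:
        length = bytes([n])
    elif n < 8384:
        length = bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF])
    else:
        length = b"\xff" + n.to_bytes(4, "big")
    return bytes([0xC0 | tag]) + length + body


# Public-key packet in old format with a 2-octet length (header 0x99), as
# real exported keys commonly begin; the body content itself is dummy bytes.
_PUBKEY_BODY = b"\x04" + b"\x00" * 20
_PUBKEY = bytes([0x99]) + len(_PUBKEY_BODY).to_bytes(2, "big") + _PUBKEY_BODY
_UID = build_packet(TAG_USER_ID, b"Example Signing Key <example@invalid>")
_SIG = build_packet(TAG_SIGNATURE, b"\x04\x10" + b"\x00" * 8)

CLEAN_KEY = _PUBKEY + _UID + _SIG * 2         # self-signature plus one certification
FLOODED_KEY = CLEAN_KEY + _SIG * 1500         # the same key after "poisoning"

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_KEY), ("flooded", FLOODED_KEY)):
        print(name, count_packets(blob), "poisoned:", looks_poisoned(blob))
```

This is a framing check only: it says nothing about whether the signatures are valid, just how many were appended. The underlying fix is to stop fetching the key from a keyserver at all and to download it over HTTPS from the vendor, where an attacker cannot append signatures to it.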