From 7e6201fc0304bc1122bdef5884b741c42d097998 Mon Sep 17 00:00:00 2001
From: Michael Vogt <michael.vogt@ubuntu.com>
Date: Tue, 27 Sep 2011 09:41:18 +0200
Subject: fix apt-key net-update by erroring out if there are any duplicated
 keys in master-keyring and add-keyring (see lp #857472) and add regression
 test

---
 cmdline/apt-key | 11 +++++++++++
 1 file changed, 11 insertions(+)

(limited to 'cmdline')

diff --git a/cmdline/apt-key b/cmdline/apt-key
index 4d2b7c49f..8a3f5ba54 100755
--- a/cmdline/apt-key
+++ b/cmdline/apt-key
@@ -50,6 +50,17 @@ add_keys_with_verify_against_master_keyring() {
     #   from a key in the $distro-master-keyring
     add_keys=`$GPG_CMD --keyring $ADD_KEYRING --with-colons --list-keys | grep ^pub | cut -d: -f5`
     master_keys=`$GPG_CMD --keyring $MASTER --with-colons --list-keys | grep ^pub | cut -d: -f5`
+    # verify to ensure that there are no key id duplications that may be
+    # used to attack the system, see LP: #857472
+    for add_key in $add_keys; do
+	for master_key in $master_keys; do
+            if [ "$add_key" = "$master_key" ]; then
+                echo >&2 "Keyid collision for '$add_key' detected, operation aborted"
+                return 1
+            fi
+        done
+    done
+    # add all keys signed with any of the master key(s)
     for add_key in $add_keys; do
 	ADDED=0
 	for master_key in $master_keys; do
-- 
cgit v1.2.3