A critical flaw in the way Ubuntu's apt package verifies package-signing keys has prompted an emergency work-around to be distributed while a more formal fix is put in place.
The update comes after security researcher Georgi Guninski published his findings on the Full Disclosure security mailing list yesterday. The flaw affects all versions of the Ubuntu Linux distribution and their derivatives, but not the upstream Debian distribution on which Ubuntu is based.
"It is trivial to generate a GPG key with key ID [matching the master key,]" Guninski explains in his posting, offering details on how to create a signing key that could be used in a man-in-the-middle attack.
It's a major security flaw: an attacker positioned between an Ubuntu system and the key server could substitute a key whose ID matches the master key, and because the check accepts it, could then trick the system into installing arbitrary code disguised as valid updates for installed packages.
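The weakness Guninski describes is that an OpenPGP key ID is only the low 64 bits (or, in its "short" form, the low 32 bits) of the key's SHA-1 fingerprint, and the fingerprint covers a creation timestamp the key's owner picks freely. Any attacker-owned key can therefore be re-timestamped until its ID matches a target. The following is an added example written for this article, not code from Guninski's post or from Ubuntu's apt-key; it models the flawed check as a comparison of key-ID bits (which is what the quoted post describes), uses constructed placeholder moduli rather than real RSA keys, and collides only 16 bits so it runs in well under a second. The real short ID is 32 bits, which is roughly 2^32 SHA-1 evaluations, a few hours on a desktop.

```python
"""Constructed demo: why matching an OpenPGP key ID is not key verification.

A v4 fingerprint is SHA-1 over the public-key packet (RFC 4880 section 12.2).
The key ID is the low 8 bytes of the fingerprint, the short ID its low 4 bytes.
The packet includes a 4-byte creation time chosen by the key's owner, so an
attacker can iterate timestamps until the low bits of the fingerprint match
a target key's ID while the full fingerprint remains different.
"""
import hashlib
import hmac
import struct


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit length, then big-endian bytes."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def public_key_packet_body(n: int, e: int, created: int) -> bytes:
    """Body of a v4 RSA public-key packet: version 4, creation time, algorithm 1 (RSA), MPIs."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def fingerprint(n: int, e: int, created: int) -> bytes:
    """v4 fingerprint: SHA-1(0x99 || 2-byte body length || body), 20 bytes."""
    body = public_key_packet_body(n, e, created)
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()


def short_key_id(fp: bytes) -> str:
    """The 8-hex-digit short key ID, i.e. the low 32 bits of the fingerprint."""
    return fp[-4:].hex().upper()


def long_key_id(fp: bytes) -> str:
    """The 16-hex-digit key ID, i.e. the low 64 bits of the fingerprint."""
    return fp[-8:].hex().upper()


def vulnerable_accept(candidate_fp: bytes, trusted_fp: bytes, bits: int = 32) -> bool:
    """Flawed check: accept a key if the low `bits` of its fingerprint (its key ID) agree."""
    mask = (1 << bits) - 1
    return (int.from_bytes(candidate_fp, "big") & mask) == (int.from_bytes(trusted_fp, "big") & mask)


def hardened_accept(candidate_fp: bytes, trusted_fp: bytes) -> bool:
    """Correct check: compare the full 160-bit fingerprint in constant time."""
    return hmac.compare_digest(candidate_fp, trusted_fp)


def forge_colliding_key(n: int, e: int, target_fp: bytes, bits: int):
    """Search creation times for the attacker's key until the low `bits` match the target."""
    mask = (1 << bits) - 1
    want = int.from_bytes(target_fp, "big") & mask
    for created in range(1 << 32):
        fp = fingerprint(n, e, created)
        if (int.from_bytes(fp, "big") & mask) == want:
            return created, fp
    raise RuntimeError("no collision found within the 32-bit timestamp range")


def _fake_modulus(label: bytes) -> int:
    """Constructed 1024-bit placeholder; not a real RSA modulus (fingerprint math does not care)."""
    digest = hashlib.sha256(label).digest() * 4
    return int.from_bytes(digest, "big") | (1 << 1023) | 1


E = 65537
MASTER_N = _fake_modulus(b"constructed master key")      # stands in for the distro master key
ATTACKER_N = _fake_modulus(b"constructed attacker key")  # a key the attacker generated
MASTER_FP = fingerprint(MASTER_N, E, 1262304000)        # master key "created" 2010-01-01


def demo(bits: int = 16) -> dict:
    """Forge an attacker key whose low `bits` of key ID match the master key, then run both checks."""
    created, forged_fp = forge_colliding_key(ATTACKER_N, E, MASTER_FP, bits)
    return {
        "forged_created": created,
        "same_fingerprint": forged_fp == MASTER_FP,
        "vulnerable_check_accepts": vulnerable_accept(forged_fp, MASTER_FP, bits),
        "hardened_check_accepts": hardened_accept(forged_fp, MASTER_FP),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the two check functions is the only one that matters operationally: a key ID, long or short, is a lookup handle, never an identity, and any trust decision about a downloaded key must compare the full fingerprint (or verify a signature made by an already-trusted key), not an ID string.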
As a result of the severity, the Ubuntu team has taken steps to remedy the problem: an update issued late last night to all supported versions of Ubuntu disables the apt-key functionality used to install and update package signing keys.
With that functionality disabled, an attacker has no way to install a forged key into the system's keyring, but its removal also prevents users from installing legitimate custom keys, such as those used for third-party repositories from companies including Dropbox and SpiderOak.
Accordingly, the Ubuntu team is working on a more permanent fix to the apt-key system that will prevent the installation of false keys while still allowing valid new and updated keys to be added, but has thus far not indicated a timescale for the patch's release.