Jann Horn of Google Project Zero discovered that APT, the high level package manager, does not properly handle errors when validating signatures on InRelease files. An attacker able to man-in-the-middle HTTP requests to an apt repository that uses InRelease files , can take advantage of this flaw to circumvent the signature of the InRelease file, leading to arbitrary code execution.