Is PGP secure against a rogue keyserver?

A PGP key server is just a big wall where anybody can glue some piece of paper, to the view of all people who happen to walk along the wall. Nobody actually trusts the wall for providing any kind of assertion about the truthfulness of what is written on the papers; that's just a wall, an archetype of mindlessness.

A PGP public key might be trusted, or not, depending on the signatures by other key bearers that you will find on that key. This is the Web of Trust, the kind of PKI that PGP uses. Signatures are completely independent of how the signed data was stored and transferred, and that's the whole point: nothing in this system relies on the key servers to enforce any security property at any point; and, similarly, signed keys can be sent over emails, phone lines or even avian carriers: it does not matter.

The worst a rogue key server can do is to cease to do its job, e.g. by deleting some of the keys it contains. It won't have much impact, except that it would make it more difficult for people who do not know each other, and yet want to send emails to each other, to build chains of signed keys and gain some trust in their respective public keys.


Ultimately it is a chain of "trust" for a reason. At some point you have to trust, either a web of trust based on individual certificates that you have verified or by trusting some third party to be reliable. If you trust the wrong party, everything breaks down. Trust isn't a magic cure-all; it's just a way to evaluate how much trust you've placed in something based on decisions you've made about who to trust.

Keep in mind that you CAN validate a public key from your private key to ensure it matches. If you encrypt something with your private key, it should decrypt with the public key. If it doesn't, it isn't your public key.

Also keep in mind that it is still possible to contact someone directly to give a thumbprint of the public certificate to ensure it was unaltered and it is also possible to use a key from a local store once it is obtained. This greatly limits what Eve can do as she can only attack the first key exchange and can't easily compromise the secondary verification of a thumbprint between the two parties via another channel without a pretty sophisticated attack. This secondary secure channel verification should be done on any keys that don't already have trust (through signing or other secure mechanisms) to ensure the public keys have not been tampered with.

The real takeaway should be to understand that giving any key server or individual in a web of trust your trust means that you must actually trust them. If you don't trust your security to them, then either don't trust them or take alternate measures to ensure that what you get from them is valid.
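The out-of-band thumbprint check described in the second answer, as an added example (not code from either answerer): it computes the RFC 4880 version 4 fingerprint from a public-key packet using only the Python standard library, on a constructed RSA key that is not a real one, so that any alteration of the key material by a key server shows up as a mismatch against the fingerprint read over a second channel.

```python
import hashlib
import struct

# Constructed sample key material (NOT a real key): a 256-bit RSA modulus is far too small
# for real use; it is only here so the packet encoding can be shown without a crypto library.
CREATED = 1_700_000_000          # key creation time, seconds since the epoch (constructed)
RSA_N = 0xC4F7B1D2E3A5968F7A1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D4E5F6071
RSA_E = 65537

def mpi(value: int) -> bytes:
    """OpenPGP multiprecision integer (RFC 4880 s3.2): 2-byte bit length, then big-endian value."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")

def v4_public_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a version 4 public-key packet for RSA (RFC 4880 s5.5.2, algorithm id 1)."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)

def v4_fingerprint(body: bytes) -> bytes:
    """RFC 4880 s12.2: SHA-1 over 0x99, the two-octet body length, and the body itself."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()

def long_key_id(fingerprint: bytes) -> bytes:
    """The 64-bit key ID most tools display is simply the low-order 8 bytes of the fingerprint."""
    return fingerprint[-8:]

def format_fingerprint(fp: bytes) -> str:
    """Render as the ten groups of four hex digits that people read out over the phone."""
    h = fp.hex().upper()
    return " ".join(h[i:i + 4] for i in range(0, len(h), 4))

def fingerprint_matches(read_out_of_band: str, fetched_body: bytes) -> bool:
    """Compare the fingerprint obtained over a second channel with one recomputed from the
    fetched key. Any change to the key material changes the SHA-1 and fails this check."""
    expected = read_out_of_band.replace(" ", "").upper()
    return expected == v4_fingerprint(fetched_body).hex().upper()

# The key as its owner published it, and a copy whose modulus was altered by one bit in transit.
GENUINE_BODY = v4_public_key_body(CREATED, RSA_N, RSA_E)
TAMPERED_BODY = v4_public_key_body(CREATED, RSA_N ^ 0x1, RSA_E)

if __name__ == "__main__":
    fp = v4_fingerprint(GENUINE_BODY)
    print("fingerprint:", format_fingerprint(fp))
    print("key id:     ", long_key_id(fp).hex().upper())
    print("tampered copy matches:", fingerprint_matches(format_fingerprint(fp), TAMPERED_BODY))
```

Because the key ID is just the tail of the fingerprint, comparing only the short ID gives far less assurance than reading the full forty hex digits.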