summaryrefslogtreecommitdiffstats
path: root/test/integration/test-cve-2013-1051-InRelease-parsing
diff options
context:
space:
mode:
Diffstat (limited to 'test/integration/test-cve-2013-1051-InRelease-parsing')
-rwxr-xr-xtest/integration/test-cve-2013-1051-InRelease-parsing71
1 files changed, 71 insertions, 0 deletions
diff --git a/test/integration/test-cve-2013-1051-InRelease-parsing b/test/integration/test-cve-2013-1051-InRelease-parsing
new file mode 100755
index 0000000..1f0cbda
--- /dev/null
+++ b/test/integration/test-cve-2013-1051-InRelease-parsing
@@ -0,0 +1,71 @@
+#!/bin/sh
+set -e
+
+TESTDIR="$(readlink -f "$(dirname "$0")")"
+. "$TESTDIR/framework"
+
+setupenvironment
+configarchitecture 'i386'
+
+insertpackage 'stable' 'good-pkg' 'all' '1.0'
+
+setupaptarchive
+
+changetowebserver
+ARCHIVE="http://localhost:${APTHTTPPORT}"
+msgtest 'Initial apt-get update should work with' 'InRelease'
+testsuccess --nomsg aptget update
+
+# check that the setup is correct
+testsuccessequal "good-pkg:
+ Installed: (none)
+ Candidate: 1.0
+ Version table:
+ 1.0 500
+ 500 ${ARCHIVE} stable/main all Packages" aptcache policy good-pkg
+
+# now exchange to the Packages file, note that this could be
+# done via MITM too
+insertpackage 'stable' 'bad-mitm' 'all' '1.0'
+
+# this builds compressed files and a new (unsigned) Release
+buildaptarchivefromfiles '+1hour'
+
+# add a space into the BEGIN PGP SIGNATURE PART/END PGP SIGNATURE part
+# to trick apt - this is still legal to gpg(v)
+sed -i '/^-----BEGIN PGP SIGNATURE-----/,/^-----END PGP SIGNATURE-----/ s/^$/ /g' aptarchive/dists/stable/InRelease
+
+# we append the (evil unsigned) Release file to the (good signed) InRelease
+cat aptarchive/dists/stable/Release >> aptarchive/dists/stable/InRelease
+touch -d '+1hour' aptarchive/dists/stable/InRelease
+
+# ensure the update doesn't load bad data as good data
+# Note that we will pick up the InRelease itself as we download no other
+# indexes which would trigger a hashsum mismatch, but we ignore the 'bad'
+# part of the InRelease
+listcurrentlistsdirectory | sed '/_InRelease/ d' > listsdir.lst
+msgtest 'apt-get update should ignore unsigned data in the' 'InRelease'
+testwarningequal "Get:1 http://localhost:${APTHTTPPORT} stable InRelease [$(stat -c%s aptarchive/dists/stable/InRelease) B]
+Err:1 http://localhost:${APTHTTPPORT} stable InRelease
+ Splitting up ${TMPWORKINGDIRECTORY}/rootdir/var/lib/apt/lists/partial/localhost:${APTHTTPPORT}_dists_stable_InRelease into data and signature failed
+Reading package lists...
+W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://localhost:${APTHTTPPORT} stable InRelease: Splitting up ${TMPWORKINGDIRECTORY}/rootdir/var/lib/apt/lists/partial/localhost:${APTHTTPPORT}_dists_stable_InRelease into data and signature failed
+W: Failed to fetch http://localhost:${APTHTTPPORT}/dists/stable/InRelease Splitting up ${TMPWORKINGDIRECTORY}/rootdir/var/lib/apt/lists/partial/localhost:${APTHTTPPORT}_dists_stable_InRelease into data and signature failed
+W: Some index files failed to download. They have been ignored, or old ones used instead." --nomsg aptget update
+testfileequal './listsdir.lst' "$(listcurrentlistsdirectory | sed '/_InRelease/ d')"
+
+# ensure there is no package
+testfailureequal 'Reading package lists...
+Building dependency tree...
+E: Unable to locate package bad-mitm' aptget install bad-mitm -s
+
+# and verify that its not picked up
+testsuccessequal 'N: Unable to locate package bad-mitm' aptcache policy bad-mitm
+
+# and that the right one is used
+testsuccessequal "good-pkg:
+ Installed: (none)
+ Candidate: 1.0
+ Version table:
+ 1.0 500
+ 500 ${ARCHIVE} stable/main all Packages" aptcache policy good-pkg