Adding upstream version 2.6.1.upstream/2.6.1upstream

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

1 files changed, 31 insertions, 0 deletions

diff --git a/test/integration/test-cve-2018-0501-mirror-alternatives b/test/integration/test-cve-2018-0501-mirror-alternatives
new file mode 100755
index 0000000..f154547
--- /dev/null
+++ b/test/integration/test-cve-2018-0501-mirror-alternatives
@@ -0,0 +1,31 @@
+#!/bin/sh
+set -e
+TESTDIR="$(readlink -f "$(dirname "$0")")"
+. "$TESTDIR/framework"
+
+setupenvironment
+configarchitecture "i386"
+
+buildsimplenativepackage 'foo' 'all' '1' 'stable'
+setupaptarchive --no-update
+changetohttpswebserver
+
+# User has mirror method configured in apt >= 1.6~alpha6 &
+# Eve has enough MITM control over the network to
+# a) have the mirror file include at least two mirrors and
+# b) can send her bad InRelease files for both mirrors
+sed -i -e 's# https:# mirror+https:#' -e 's#/ stable#/mirror.txt stable#' rootdir/etc/apt/sources.list.d/*-stable-*
+echo "http://localhost:${APTHTTPPORT}
+https://localhost:${APTHTTPSPORT}" > aptarchive/mirror.txt
+
+# real Eve would do something worse…
+sed -i "/^Date: / a\
+Evil: yes" $(find ./aptarchive -name 'Release' -o -name 'InRelease')
+
+# progress display shows that the InRelease file was bad,
+# but it is used anyhow as the bad file causes a fallback to
+# a request to the second mirror which completes successful
+# causing apt to believe the verify completed successfully…
+testfailure apt update
+testfailure grep '^Evil:' rootdir/var/lib/apt/lists/*Release
+testfailure apt show foo