From 851b6a097165af4d51c0db01b5e05256e5006896 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Sun, 7 Apr 2024 11:00:48 +0200 Subject: Adding upstream version 2.6.1. Signed-off-by: Daniel Baumann --- .../test-cve-2013-1051-InRelease-parsing | 71 ++++++++++++++++++++++ 1 file changed, 71 insertions(+) create mode 100755 test/integration/test-cve-2013-1051-InRelease-parsing (limited to 'test/integration/test-cve-2013-1051-InRelease-parsing') diff --git a/test/integration/test-cve-2013-1051-InRelease-parsing b/test/integration/test-cve-2013-1051-InRelease-parsing new file mode 100755 index 0000000..1f0cbda --- /dev/null +++ b/test/integration/test-cve-2013-1051-InRelease-parsing @@ -0,0 +1,71 @@ +#!/bin/sh +set -e + +TESTDIR="$(readlink -f "$(dirname "$0")")" +. "$TESTDIR/framework" + +setupenvironment +configarchitecture 'i386' + +insertpackage 'stable' 'good-pkg' 'all' '1.0' + +setupaptarchive + +changetowebserver +ARCHIVE="http://localhost:${APTHTTPPORT}" +msgtest 'Initial apt-get update should work with' 'InRelease' +testsuccess --nomsg aptget update + +# check that the setup is correct +testsuccessequal "good-pkg: + Installed: (none) + Candidate: 1.0 + Version table: + 1.0 500 + 500 ${ARCHIVE} stable/main all Packages" aptcache policy good-pkg + +# now exchange to the Packages file, note that this could be +# done via MITM too +insertpackage 'stable' 'bad-mitm' 'all' '1.0' + +# this builds compressed files and a new (unsigned) Release +buildaptarchivefromfiles '+1hour' + +# add a space into the BEGIN PGP SIGNATURE PART/END PGP SIGNATURE part +# to trick apt - this is still legal to gpg(v) +sed -i '/^-----BEGIN PGP SIGNATURE-----/,/^-----END PGP SIGNATURE-----/ s/^$/ /g' aptarchive/dists/stable/InRelease + +# we append the (evil unsigned) Release file to the (good signed) InRelease +cat aptarchive/dists/stable/Release >> aptarchive/dists/stable/InRelease +touch -d '+1hour' aptarchive/dists/stable/InRelease + +# ensure the update doesn't load bad data as good data +# Note that we will pick up the InRelease itself as we download no other +# indexes which would trigger a hashsum mismatch, but we ignore the 'bad' +# part of the InRelease +listcurrentlistsdirectory | sed '/_InRelease/ d' > listsdir.lst +msgtest 'apt-get update should ignore unsigned data in the' 'InRelease' +testwarningequal "Get:1 http://localhost:${APTHTTPPORT} stable InRelease [$(stat -c%s aptarchive/dists/stable/InRelease) B] +Err:1 http://localhost:${APTHTTPPORT} stable InRelease + Splitting up ${TMPWORKINGDIRECTORY}/rootdir/var/lib/apt/lists/partial/localhost:${APTHTTPPORT}_dists_stable_InRelease into data and signature failed +Reading package lists... +W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://localhost:${APTHTTPPORT} stable InRelease: Splitting up ${TMPWORKINGDIRECTORY}/rootdir/var/lib/apt/lists/partial/localhost:${APTHTTPPORT}_dists_stable_InRelease into data and signature failed +W: Failed to fetch http://localhost:${APTHTTPPORT}/dists/stable/InRelease Splitting up ${TMPWORKINGDIRECTORY}/rootdir/var/lib/apt/lists/partial/localhost:${APTHTTPPORT}_dists_stable_InRelease into data and signature failed +W: Some index files failed to download. They have been ignored, or old ones used instead." --nomsg aptget update +testfileequal './listsdir.lst' "$(listcurrentlistsdirectory | sed '/_InRelease/ d')" + +# ensure there is no package +testfailureequal 'Reading package lists... +Building dependency tree... +E: Unable to locate package bad-mitm' aptget install bad-mitm -s + +# and verify that its not picked up +testsuccessequal 'N: Unable to locate package bad-mitm' aptcache policy bad-mitm + +# and that the right one is used +testsuccessequal "good-pkg: + Installed: (none) + Candidate: 1.0 + Version table: + 1.0 500 + 500 ${ARCHIVE} stable/main all Packages" aptcache policy good-pkg -- cgit v1.2.3