summaryrefslogtreecommitdiffstats
path: root/test/integration/test-cve-2013-1051-InRelease-parsing
blob: 1f0cbda046833476bf6f2690625177276296f2a9 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
#!/bin/sh
set -e

TESTDIR="$(readlink -f "$(dirname "$0")")"
. "$TESTDIR/framework"

setupenvironment
configarchitecture 'i386'

insertpackage 'stable' 'good-pkg' 'all' '1.0'

setupaptarchive

changetowebserver
ARCHIVE="http://localhost:${APTHTTPPORT}"
msgtest 'Initial apt-get update should work with' 'InRelease'
testsuccess --nomsg aptget update

# check that the setup is correct
testsuccessequal "good-pkg:
  Installed: (none)
  Candidate: 1.0
  Version table:
     1.0 500
        500 ${ARCHIVE} stable/main all Packages" aptcache policy good-pkg

# now exchange to the Packages file, note that this could be
# done via MITM too
insertpackage 'stable' 'bad-mitm' 'all' '1.0'

# this builds compressed files and a new (unsigned) Release
buildaptarchivefromfiles '+1hour'

# add a space into the BEGIN PGP SIGNATURE PART/END PGP SIGNATURE part
# to trick apt - this is still legal to gpg(v)
sed -i '/^-----BEGIN PGP SIGNATURE-----/,/^-----END PGP SIGNATURE-----/ s/^$/  /g'  aptarchive/dists/stable/InRelease

# we append the (evil unsigned) Release file to the (good signed) InRelease
cat aptarchive/dists/stable/Release >> aptarchive/dists/stable/InRelease
touch -d '+1hour' aptarchive/dists/stable/InRelease

# ensure the update doesn't load bad data as good data
# Note that we will pick up the InRelease itself as we download no other
# indexes which would trigger a hashsum mismatch, but we ignore the 'bad'
# part of the InRelease
listcurrentlistsdirectory | sed '/_InRelease/ d' > listsdir.lst
msgtest 'apt-get update should ignore unsigned data in the' 'InRelease'
testwarningequal "Get:1 http://localhost:${APTHTTPPORT} stable InRelease [$(stat -c%s aptarchive/dists/stable/InRelease) B]
Err:1 http://localhost:${APTHTTPPORT} stable InRelease
  Splitting up ${TMPWORKINGDIRECTORY}/rootdir/var/lib/apt/lists/partial/localhost:${APTHTTPPORT}_dists_stable_InRelease into data and signature failed
Reading package lists...
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://localhost:${APTHTTPPORT} stable InRelease: Splitting up ${TMPWORKINGDIRECTORY}/rootdir/var/lib/apt/lists/partial/localhost:${APTHTTPPORT}_dists_stable_InRelease into data and signature failed
W: Failed to fetch http://localhost:${APTHTTPPORT}/dists/stable/InRelease  Splitting up ${TMPWORKINGDIRECTORY}/rootdir/var/lib/apt/lists/partial/localhost:${APTHTTPPORT}_dists_stable_InRelease into data and signature failed
W: Some index files failed to download. They have been ignored, or old ones used instead." --nomsg aptget update
testfileequal './listsdir.lst' "$(listcurrentlistsdirectory | sed '/_InRelease/ d')"

# ensure there is no package
testfailureequal 'Reading package lists...
Building dependency tree...
E: Unable to locate package bad-mitm' aptget install bad-mitm -s

# and verify that its not picked up
testsuccessequal 'N: Unable to locate package bad-mitm' aptcache policy bad-mitm

# and that the right one is used
testsuccessequal "good-pkg:
  Installed: (none)
  Candidate: 1.0
  Version table:
     1.0 500
        500 ${ARCHIVE} stable/main all Packages" aptcache policy good-pkg