]>
Commit | Line | Data |
---|---|---|
631a7dc7 MV |
1 | #!/bin/sh |
2 | # | |
3 | # ensure we never fallback from a signed to a unsigned repo | |
4 | # | |
5 | # hash checks are done in | |
6 | # | |
7 | set -e | |
8 | ||
9 | simulate_mitm_and_inject_evil_package() | |
10 | { | |
11 | rm -f $APTARCHIVE/dists/unstable/InRelease | |
12 | rm -f $APTARCHIVE/dists/unstable/Release.gpg | |
13 | inject_evil_package | |
14 | } | |
15 | ||
16 | inject_evil_package() | |
17 | { | |
18 | cat > $APTARCHIVE/dists/unstable/main/binary-i386/Packages <<EOF | |
19 | Package: evil | |
20 | Installed-Size: 29 | |
21 | Maintainer: Joe Sixpack <joe@example.org> | |
22 | Architecture: all | |
23 | Version: 1.0 | |
24 | Filename: pool/evil_1.0_all.deb | |
25 | Size: 1270 | |
26 | Description: an autogenerated evil package | |
27 | EOF | |
28 | # avoid ims hit | |
29 | touch -d '+1hour' aptarchive/dists/unstable/main/binary-i386/Packages | |
30 | } | |
31 | ||
32 | assert_update_is_refused_and_last_good_state_used() | |
33 | { | |
34 | testequal "E: The repository 'file: unstable Release.gpg' is no longer signed." aptget update -qq | |
35 | ||
36 | assert_repo_is_intact | |
37 | } | |
38 | ||
39 | assert_repo_is_intact() | |
40 | { | |
41 | testequal "foo/unstable 2.0 all" apt list -q | |
42 | testsuccess "" aptget install -y -s foo | |
43 | testfailure "" aptget install -y evil | |
44 | ||
45 | LISTDIR=rootdir/var/lib/apt/lists | |
46 | if ! ( ls $LISTDIR/*InRelease >/dev/null 2>&1 || | |
47 | ls $LISTDIR/*Release.gpg >/dev/null 2>&1 ); then | |
48 | echo "Can not find InRelease/Release.gpg in $(ls $LISTDIR)" | |
49 | msgfail | |
50 | fi | |
51 | } | |
52 | ||
53 | setupaptarchive_with_lists_clean() | |
54 | { | |
55 | setupaptarchive --no-update | |
56 | rm -f rootdir/var/lib/apt/lists/_* | |
57 | #rm -rf rootdir/var/lib/apt/lists | |
58 | } | |
59 | ||
60 | test_from_inrelease_to_unsigned() | |
61 | { | |
62 | # setup archive with InRelease file | |
63 | setupaptarchive_with_lists_clean | |
64 | testsuccess aptget update | |
65 | ||
66 | simulate_mitm_and_inject_evil_package | |
67 | assert_update_is_refused_and_last_good_state_used | |
68 | } | |
69 | ||
70 | test_from_release_gpg_to_unsigned() | |
71 | { | |
72 | # setup archive with Release/Release.gpg (but no InRelease) | |
73 | setupaptarchive_with_lists_clean | |
74 | rm $APTARCHIVE/dists/unstable/InRelease | |
75 | testsuccess aptget update | |
76 | ||
77 | simulate_mitm_and_inject_evil_package | |
78 | assert_update_is_refused_and_last_good_state_used | |
79 | } | |
80 | ||
81 | test_cve_2012_0214() | |
82 | { | |
83 | # see https://bugs.launchpad.net/ubuntu/+source/apt/+bug/947108 | |
84 | # | |
85 | # it was possible to MITM the download so that InRelease/Release.gpg | |
86 | # are not delivered (404) and a altered Release file was send | |
87 | # | |
88 | # apt left the old InRelease file in /var/lib/apt/lists and downloaded | |
89 | # the unauthenticated Release file too giving the false impression that | |
90 | # Release was authenticated | |
91 | # | |
92 | # Note that this is pretty much impossible nowdays because: | |
93 | # a) InRelease is left as is, not split to InRelease/Release as it was | |
94 | # in the old days | |
95 | # b) we refuse to go from signed->unsigned | |
96 | # | |
97 | # Still worth having a regression test the simulates the condition | |
98 | ||
99 | # setup archive with InRelease | |
100 | setupaptarchive_with_lists_clean | |
101 | testsuccess aptget update | |
102 | ||
103 | # do what CVE-2012-0214 did | |
104 | rm $APTARCHIVE/dists/unstable/InRelease | |
105 | rm $APTARCHIVE/dists/unstable/Release.gpg | |
106 | inject_evil_package | |
107 | # build valid Release file | |
108 | aptftparchive -qq release ./aptarchive > aptarchive/dists/unstable/Release | |
109 | ||
110 | assert_update_is_refused_and_last_good_state_used | |
111 | ||
112 | # ensure there is no _Release file downloaded | |
113 | testfailure ls rootdir/var/lib/apt/lists/*_Release | |
114 | } | |
115 | ||
116 | test_subvert_inrelease() | |
117 | { | |
118 | # setup archive with InRelease | |
119 | setupaptarchive_with_lists_clean | |
120 | testsuccess aptget update | |
121 | ||
122 | # replace InRelease with something else | |
123 | mv $APTARCHIVE/dists/unstable/Release $APTARCHIVE/dists/unstable/InRelease | |
124 | ||
125 | testequal "W: Failed to fetch file:${APTARCHIVE}/dists/unstable/InRelease Does not start with a cleartext signature | |
126 | ||
127 | E: Some index files failed to download. They have been ignored, or old ones used instead." aptget update -qq | |
128 | ||
129 | # ensure we keep the repo | |
130 | assert_repo_is_intact | |
131 | } | |
132 | ||
133 | test_inrelease_to_invalid_inrelease() | |
134 | { | |
135 | # setup archive with InRelease | |
136 | setupaptarchive_with_lists_clean | |
137 | testsuccess aptget update | |
138 | ||
139 | # now remove InRelease and subvert Release do no longer verify | |
140 | sed -i 's/Codename.*/Codename: evil!'/ $APTARCHIVE/dists/unstable/InRelease | |
141 | inject_evil_package | |
142 | ||
143 | testequal "W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: file: unstable InRelease: The following signatures were invalid: BADSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) <joe@example.org> | |
144 | ||
145 | W: Failed to fetch file:${APTARCHIVE}/dists/unstable/InRelease | |
146 | ||
147 | W: Some index files failed to download. They have been ignored, or old ones used instead." aptget update -qq | |
148 | ||
149 | # ensure we keep the repo | |
150 | assert_repo_is_intact | |
151 | testfailure grep "evil" rootdir/var/lib/apt/lists/*InRelease | |
152 | } | |
153 | ||
154 | test_release_gpg_to_invalid_release_release_gpg() | |
155 | { | |
156 | # setup archive with InRelease | |
157 | setupaptarchive_with_lists_clean | |
158 | rm $APTARCHIVE/dists/unstable/InRelease | |
159 | testsuccess aptget update | |
160 | ||
161 | # now subvert Release do no longer verify | |
162 | echo "Some evil data" >> $APTARCHIVE/dists/unstable/Release | |
163 | inject_evil_package | |
164 | ||
165 | testequal "E: The repository 'file: unstable Release.gpg' is no longer signed." aptget update -qq | |
166 | ||
167 | assert_repo_is_intact | |
168 | testfailure grep "evil" rootdir/var/lib/apt/lists/*Release | |
169 | } | |
170 | ||
171 | ||
172 | TESTDIR=$(readlink -f $(dirname $0)) | |
173 | . $TESTDIR/framework | |
174 | ||
175 | setupenvironment | |
176 | configarchitecture "i386" | |
177 | ||
178 | # a "normal" package with source and binary | |
179 | buildsimplenativepackage 'foo' 'all' '2.0' | |
180 | ||
181 | # setup the archive and ensure we have a single package that installs fine | |
182 | setupaptarchive | |
183 | APTARCHIVE=$(readlink -f ./aptarchive) | |
184 | assert_repo_is_intact | |
185 | ||
186 | # test the various cases where a repo may go from signed->unsigned | |
187 | msgmsg "test_from_inrelease_to_unsigned" | |
188 | test_from_inrelease_to_unsigned | |
189 | ||
190 | msgmsg "test_from_release_gpg_to_unsigned" | |
191 | test_from_release_gpg_to_unsigned | |
192 | ||
193 | # ensure we do not regress on CVE-2012-0214 | |
194 | msgmsg "test_cve_2012_0214" | |
195 | test_cve_2012_0214 | |
196 | ||
197 | # ensure InRelase can not be subverted | |
198 | msgmsg "test_subvert_inrelease" | |
199 | test_subvert_inrelease | |
200 | ||
201 | # ensure we revert to last good state if InRelease does not verify | |
202 | msgmsg "test_inrelease_to_invalid_inrelease" | |
203 | test_inrelease_to_invalid_inrelease | |
204 | ||
205 | # ensure we revert to last good state if Release/Release.gpg does not verify | |
206 | msgmsg "test_release_gpg_to_invalid_release_release_gpg" | |
207 | test_release_gpg_to_invalid_release_release_gpg |