[apt.git] / test / integration / test-cve-2013-1051-InRelease-parsing

#!/bin/sh
set -e

TESTDIR=$(readlink -f $(dirname $0))
. $TESTDIR/framework

setupenvironment
configarchitecture 'i386'

insertpackage 'stable' 'good-pkg' 'all' '1.0'

setupaptarchive

changetowebserver
ARCHIVE="http://localhost:${APTHTTPPORT}"
msgtest 'Initial apt-get update should work with' 'InRelease'
testsuccess --nomsg aptget update

# check that the setup is correct
testsuccessequal "good-pkg:
  Installed: (none)
  Candidate: 1.0
  Version table:
     1.0 500
        500 ${ARCHIVE} stable/main i386 Packages" aptcache policy good-pkg

# now exchange to the Packages file, note that this could be
# done via MITM too
insertpackage 'stable' 'bad-mitm' 'all' '1.0'

# this builds compressed files and a new (unsigned) Release
buildaptarchivefromfiles '+1hour'

# add a space into the BEGIN PGP SIGNATURE PART/END PGP SIGNATURE part
# to trick apt - this is still legal to gpg(v)
sed -i '/^-----BEGIN PGP SIGNATURE-----/,/^-----END PGP SIGNATURE-----/ s/^$/  /g'  aptarchive/dists/stable/InRelease

# we append the (evil unsigned) Release file to the (good signed) InRelease
cat aptarchive/dists/stable/Release >> aptarchive/dists/stable/InRelease
touch -d '+1hour' aptarchive/dists/stable/InRelease

# ensure the update doesn't load bad data as good data
# Note that we will pick up the InRelease itself as we download no other
# indexes which would trigger a hashsum mismatch, but we ignore the 'bad'
# part of the InRelease
listcurrentlistsdirectory | sed '/_InRelease/ d' > listsdir.lst
msgtest 'apt-get update should ignore unsigned data in the' 'InRelease'
testsuccessequal "Get:1 http://localhost:${APTHTTPPORT} stable InRelease [$(stat -c%s aptarchive/dists/stable/InRelease) B]
Reading package lists..." --nomsg aptget update
testfileequal './listsdir.lst' "$(listcurrentlistsdirectory | sed '/_InRelease/ d')"

# ensure there is no package
testfailureequal 'Reading package lists...
Building dependency tree...
E: Unable to locate package bad-mitm' aptget install bad-mitm -s

# and verify that its not picked up
testsuccessequal 'N: Unable to locate package bad-mitm' aptcache policy bad-mitm -q=0

# and that the right one is used
testsuccessequal "good-pkg:
  Installed: (none)
  Candidate: 1.0
  Version table:
     1.0 500
        500 ${ARCHIVE} stable/main i386 Packages" aptcache policy good-pkg
Commit	Line	Data
34747d46 DK	1	#!/bin/sh
	2	set -e
	3
	4	TESTDIR=$(readlink -f $(dirname $0))
	5	. $TESTDIR/framework
	6
	7	setupenvironment
	8	configarchitecture 'i386'
	9
	10	insertpackage 'stable' 'good-pkg' 'all' '1.0'
	11
	12	setupaptarchive
	13
	14	changetowebserver
6c0765c0	15	ARCHIVE="http://localhost:${APTHTTPPORT}"
34747d46	16	msgtest 'Initial apt-get update should work with' 'InRelease'
0440d936	17	testsuccess --nomsg aptget update
34747d46 DK	18
34747d46 DK	19	# check that the setup is correct
25b86db1	20	testsuccessequal "good-pkg:
34747d46 DK	21	Installed: (none)
	22	Candidate: 1.0
	23	Version table:
76b004d1	24	1.0 500
34747d46 DK	25	500 ${ARCHIVE} stable/main i386 Packages" aptcache policy good-pkg
	26
	27	# now exchange to the Packages file, note that this could be
	28	# done via MITM too
	29	insertpackage 'stable' 'bad-mitm' 'all' '1.0'
	30
	31	# this builds compressed files and a new (unsigned) Release
	32	buildaptarchivefromfiles '+1hour'
	33
	34	# add a space into the BEGIN PGP SIGNATURE PART/END PGP SIGNATURE part
	35	# to trick apt - this is still legal to gpg(v)
	36	sed -i '/^-----BEGIN PGP SIGNATURE-----/,/^-----END PGP SIGNATURE-----/ s/^$/ /g' aptarchive/dists/stable/InRelease
	37
	38	# we append the (evil unsigned) Release file to the (good signed) InRelease
	39	cat aptarchive/dists/stable/Release >> aptarchive/dists/stable/InRelease
e3c62328	40	touch -d '+1hour' aptarchive/dists/stable/InRelease
34747d46	41
8d041b4f DK	42	# ensure the update doesn't load bad data as good data
	43	# Note that we will pick up the InRelease itself as we download no other
	44	# indexes which would trigger a hashsum mismatch, but we ignore the 'bad'
	45	# part of the InRelease
	46	listcurrentlistsdirectory \| sed '/_InRelease/ d' > listsdir.lst
	47	msgtest 'apt-get update should ignore unsigned data in the' 'InRelease'
6c0765c0	48	testsuccessequal "Get:1 http://localhost:${APTHTTPPORT} stable InRelease [$(stat -c%s aptarchive/dists/stable/InRelease) B]
8d041b4f DK	49	Reading package lists..." --nomsg aptget update
8d041b4f DK	50	testfileequal './listsdir.lst' "$(listcurrentlistsdirectory \| sed '/_InRelease/ d')"
34747d46 DK	51
34747d46 DK	52	# ensure there is no package
25b86db1	53	testfailureequal 'Reading package lists...
34747d46 DK	54	Building dependency tree...
	55	E: Unable to locate package bad-mitm' aptget install bad-mitm -s
	56
	57	# and verify that its not picked up
25b86db1	58	testsuccessequal 'N: Unable to locate package bad-mitm' aptcache policy bad-mitm -q=0
34747d46 DK	59
34747d46 DK	60	# and that the right one is used
25b86db1	61	testsuccessequal "good-pkg:
34747d46 DK	62	Installed: (none)
	63	Candidate: 1.0
	64	Version table:
76b004d1	65	1.0 500
34747d46	66	500 ${ARCHIVE} stable/main i386 Packages" aptcache policy good-pkg