]>
Commit | Line | Data |
---|---|---|
1 | #!/bin/sh | |
2 | # | |
3 | # ensure we never fallback from a signed to a unsigned repo | |
4 | # | |
5 | # hash checks are done in | |
6 | # | |
7 | set -e | |
8 | ||
9 | simulate_mitm_and_inject_evil_package() | |
10 | { | |
11 | redatereleasefiles '+1 hour' | |
12 | rm -f $APTARCHIVE/dists/unstable/InRelease | |
13 | rm -f $APTARCHIVE/dists/unstable/Release.gpg | |
14 | inject_evil_package | |
15 | } | |
16 | ||
17 | inject_evil_package() | |
18 | { | |
19 | cat > $APTARCHIVE/dists/unstable/main/binary-i386/Packages <<EOF | |
20 | Package: evil | |
21 | Installed-Size: 29 | |
22 | Maintainer: Joe Sixpack <joe@example.org> | |
23 | Architecture: all | |
24 | Version: 1.0 | |
25 | Filename: pool/evil_1.0_all.deb | |
26 | Size: 1270 | |
27 | Description: an autogenerated evil package | |
28 | EOF | |
29 | # avoid ims hit | |
30 | touch -d '+1hour' aptarchive/dists/unstable/main/binary-i386/Packages | |
31 | compressfile aptarchive/dists/unstable/main/binary-i386/Packages | |
32 | } | |
33 | ||
34 | assert_update_is_refused_and_last_good_state_used() | |
35 | { | |
36 | testfailuremsg "E: The repository 'file:${APTARCHIVE} unstable Release' is no longer signed." aptget update | |
37 | ||
38 | assert_repo_is_intact | |
39 | } | |
40 | ||
41 | assert_repo_is_intact() | |
42 | { | |
43 | testsuccessequal "foo/unstable 2.0 all" apt list -q | |
44 | testsuccess aptget install -y -s foo | |
45 | testfailure aptget install -y evil | |
46 | testsuccess aptget source foo --print-uris | |
47 | ||
48 | LISTDIR=rootdir/var/lib/apt/lists | |
49 | if ! ( ls $LISTDIR/*InRelease >/dev/null 2>&1 || | |
50 | ls $LISTDIR/*Release.gpg >/dev/null 2>&1 ); then | |
51 | echo "Can not find InRelease/Release.gpg in $(ls $LISTDIR)" | |
52 | msgfail | |
53 | fi | |
54 | } | |
55 | ||
56 | setupaptarchive_with_lists_clean() | |
57 | { | |
58 | setupaptarchive --no-update | |
59 | rm -rf rootdir/var/lib/apt/lists | |
60 | } | |
61 | ||
62 | test_from_inrelease_to_unsigned() | |
63 | { | |
64 | # setup archive with InRelease file | |
65 | setupaptarchive_with_lists_clean | |
66 | testsuccess aptget update | |
67 | listcurrentlistsdirectory > lists.before | |
68 | ||
69 | simulate_mitm_and_inject_evil_package | |
70 | assert_update_is_refused_and_last_good_state_used | |
71 | testfileequal lists.before "$(listcurrentlistsdirectory)" | |
72 | } | |
73 | ||
74 | test_from_release_gpg_to_unsigned() | |
75 | { | |
76 | # setup archive with Release/Release.gpg (but no InRelease) | |
77 | setupaptarchive_with_lists_clean | |
78 | rm $APTARCHIVE/dists/unstable/InRelease | |
79 | testsuccess aptget update | |
80 | listcurrentlistsdirectory > lists.before | |
81 | ||
82 | simulate_mitm_and_inject_evil_package | |
83 | assert_update_is_refused_and_last_good_state_used | |
84 | testfileequal lists.before "$(listcurrentlistsdirectory)" | |
85 | } | |
86 | ||
87 | test_from_inrelease_to_unsigned_with_override() | |
88 | { | |
89 | # setup archive with InRelease file | |
90 | setupaptarchive_with_lists_clean | |
91 | testsuccess aptget update | |
92 | ||
93 | # simulate moving to a unsigned but otherwise valid repo | |
94 | simulate_mitm_and_inject_evil_package | |
95 | generatereleasefiles '+2 hours' | |
96 | find $APTARCHIVE -name '*Packages*' -exec touch -d '+2 hours' {} \; | |
97 | ||
98 | # and ensure we can update to it (with enough force) | |
99 | testwarning aptget update --allow-insecure-repositories \ | |
100 | -o Acquire::AllowDowngradeToInsecureRepositories=1 -o Debug::pkgAcquire::Worker=1 -o Debug::pkgAcquire::Auth=1 | |
101 | # but that the individual packages are still considered untrusted | |
102 | testfailureequal "WARNING: The following packages cannot be authenticated! | |
103 | evil | |
104 | E: There were unauthenticated packages and -y was used without --allow-unauthenticated" aptget install -qq -y evil | |
105 | } | |
106 | ||
107 | test_cve_2012_0214() | |
108 | { | |
109 | # see https://bugs.launchpad.net/ubuntu/+source/apt/+bug/947108 | |
110 | # | |
111 | # it was possible to MITM the download so that InRelease/Release.gpg | |
112 | # are not delivered (404) and a altered Release file was send | |
113 | # | |
114 | # apt left the old InRelease file in /var/lib/apt/lists and downloaded | |
115 | # the unauthenticated Release file too giving the false impression that | |
116 | # Release was authenticated | |
117 | # | |
118 | # Note that this is pretty much impossible nowadays because: | |
119 | # a) InRelease is left as is, not split to InRelease/Release as it was | |
120 | # in the old days | |
121 | # b) we refuse to go from signed->unsigned | |
122 | # | |
123 | # Still worth having a regression test the simulates the condition | |
124 | ||
125 | # setup archive with InRelease | |
126 | setupaptarchive_with_lists_clean | |
127 | testsuccess aptget update | |
128 | listcurrentlistsdirectory > lists.before | |
129 | ||
130 | # do what CVE-2012-0214 did | |
131 | rm $APTARCHIVE/dists/unstable/InRelease | |
132 | rm $APTARCHIVE/dists/unstable/Release.gpg | |
133 | inject_evil_package | |
134 | # build valid Release file | |
135 | aptftparchive -qq release ./aptarchive > aptarchive/dists/unstable/Release | |
136 | ||
137 | assert_update_is_refused_and_last_good_state_used | |
138 | testfileequal lists.before "$(listcurrentlistsdirectory)" | |
139 | ||
140 | # ensure there is no _Release file downloaded | |
141 | testfailure ls rootdir/var/lib/apt/lists/*_Release | |
142 | } | |
143 | ||
144 | test_subvert_inrelease() | |
145 | { | |
146 | # setup archive with InRelease | |
147 | setupaptarchive_with_lists_clean | |
148 | testsuccess aptget update | |
149 | listcurrentlistsdirectory > lists.before | |
150 | ||
151 | # replace InRelease with something else | |
152 | mv $APTARCHIVE/dists/unstable/Release $APTARCHIVE/dists/unstable/InRelease | |
153 | ||
154 | testfailuremsg "W: Failed to fetch file:${APTARCHIVE}/dists/unstable/InRelease Clearsigned file isn't valid, got 'NOSPLIT' (does the network require authentication?) | |
155 | E: Some index files failed to download. They have been ignored, or old ones used instead." aptget update | |
156 | ||
157 | # ensure we keep the repo | |
158 | testfileequal lists.before "$(listcurrentlistsdirectory)" | |
159 | assert_repo_is_intact | |
160 | } | |
161 | ||
162 | test_inrelease_to_invalid_inrelease() | |
163 | { | |
164 | # setup archive with InRelease | |
165 | setupaptarchive_with_lists_clean | |
166 | testsuccess aptget update | |
167 | listcurrentlistsdirectory > lists.before | |
168 | ||
169 | # now remove InRelease and subvert Release do no longer verify | |
170 | sed -i 's/^Codename:.*/Codename: evil!/' $APTARCHIVE/dists/unstable/InRelease | |
171 | inject_evil_package | |
172 | ||
173 | testwarningequal "W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: file:${APTARCHIVE} unstable InRelease: The following signatures were invalid: BADSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) <joe@example.org> | |
174 | W: Failed to fetch file:${APTARCHIVE}/dists/unstable/InRelease The following signatures were invalid: BADSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) <joe@example.org> | |
175 | W: Some index files failed to download. They have been ignored, or old ones used instead." aptget update -qq | |
176 | ||
177 | # ensure we keep the repo | |
178 | testfailure grep 'evil' rootdir/var/lib/apt/lists/*InRelease | |
179 | testfileequal lists.before "$(listcurrentlistsdirectory)" | |
180 | assert_repo_is_intact | |
181 | } | |
182 | ||
183 | test_release_gpg_to_invalid_release_release_gpg() | |
184 | { | |
185 | # setup archive with InRelease | |
186 | setupaptarchive_with_lists_clean | |
187 | rm $APTARCHIVE/dists/unstable/InRelease | |
188 | testsuccess aptget update | |
189 | listcurrentlistsdirectory > lists.before | |
190 | ||
191 | # now subvert Release do no longer verify | |
192 | echo "Some evil data" >> $APTARCHIVE/dists/unstable/Release | |
193 | inject_evil_package | |
194 | ||
195 | testwarningequal "W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: file:${APTARCHIVE} unstable Release: The following signatures were invalid: BADSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) <joe@example.org> | |
196 | W: Failed to fetch file:${APTARCHIVE}/dists/unstable/Release.gpg The following signatures were invalid: BADSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) <joe@example.org> | |
197 | W: Some index files failed to download. They have been ignored, or old ones used instead." aptget update -qq | |
198 | ||
199 | testfailure grep 'evil' rootdir/var/lib/apt/lists/*Release | |
200 | testfileequal lists.before "$(listcurrentlistsdirectory)" | |
201 | assert_repo_is_intact | |
202 | } | |
203 | ||
204 | ||
205 | TESTDIR=$(readlink -f $(dirname $0)) | |
206 | . $TESTDIR/framework | |
207 | ||
208 | setupenvironment | |
209 | configarchitecture "i386" | |
210 | ||
211 | # a "normal" package with source and binary | |
212 | buildsimplenativepackage 'foo' 'all' '2.0' | |
213 | ||
214 | # setup the archive and ensure we have a single package that installs fine | |
215 | setupaptarchive | |
216 | APTARCHIVE=$(readlink -f ./aptarchive) | |
217 | assert_repo_is_intact | |
218 | ||
219 | # test the various cases where a repo may go from signed->unsigned | |
220 | msgmsg "test_from_inrelease_to_unsigned" | |
221 | test_from_inrelease_to_unsigned | |
222 | ||
223 | msgmsg "test_from_release_gpg_to_unsigned" | |
224 | test_from_release_gpg_to_unsigned | |
225 | ||
226 | # ensure we do not regress on CVE-2012-0214 | |
227 | msgmsg "test_cve_2012_0214" | |
228 | test_cve_2012_0214 | |
229 | ||
230 | # ensure InRelase can not be subverted | |
231 | msgmsg "test_subvert_inrelease" | |
232 | test_subvert_inrelease | |
233 | ||
234 | # ensure we revert to last good state if InRelease does not verify | |
235 | msgmsg "test_inrelease_to_invalid_inrelease" | |
236 | test_inrelease_to_invalid_inrelease | |
237 | ||
238 | # ensure we revert to last good state if Release/Release.gpg does not verify | |
239 | msgmsg "test_release_gpg_to_invalid_release_release_gpg" | |
240 | test_release_gpg_to_invalid_release_release_gpg | |
241 | ||
242 | # ensure we can override the downgrade error | |
243 | msgmsg "test_from_inrelease_to_unsigned_with_override" | |
244 | test_from_inrelease_to_unsigned_with_override |