merged bundle from david

[apt.git] / test / integration / test-cve-2013-1051-InRelease-parsing

#!/bin/sh
set -e

TESTDIR=$(readlink -f $(dirname $0))
. $TESTDIR/framework

setupenvironment
configarchitecture 'i386'

insertpackage 'stable' 'good-pkg' 'all' '1.0'

setupaptarchive

changetowebserver
ARCHIVE='http://localhost/'
msgtest 'Initial apt-get update should work with' 'InRelease'
aptget update -qq && msgpass || msgfail

# check that the setup is correct
testequal "good-pkg:
  Installed: (none)
  Candidate: 1.0
  Version table:
     1.0 0
        500 ${ARCHIVE} stable/main i386 Packages" aptcache policy good-pkg

# now exchange to the Packages file, note that this could be
# done via MITM too
insertpackage 'stable' 'bad-mitm' 'all' '1.0'

# this builds compressed files and a new (unsigned) Release
buildaptarchivefromfiles '+1hour'

# add a space into the BEGIN PGP SIGNATURE PART/END PGP SIGNATURE part
# to trick apt - this is still legal to gpg(v)
sed -i '/^-----BEGIN PGP SIGNATURE-----/,/^-----END PGP SIGNATURE-----/ s/^$/  /g'  aptarchive/dists/stable/InRelease

# we append the (evil unsigned) Release file to the (good signed) InRelease
cat aptarchive/dists/stable/Release >> aptarchive/dists/stable/InRelease


# ensure the update fails
# useful for debugging to add "-o Debug::pkgAcquire::auth=true"
msgtest 'apt-get update for should fail with the modified' 'InRelease'
aptget update 2>&1 | grep -q 'Hash Sum mismatch' > /dev/null && msgpass || msgfail

# ensure there is no package
testequal 'Reading package lists...
Building dependency tree...
E: Unable to locate package bad-mitm' aptget install bad-mitm -s

# and verify that its not picked up
testequal 'N: Unable to locate package bad-mitm' aptcache policy bad-mitm -q=0

# and that the right one is used
testequal "good-pkg:
  Installed: (none)
  Candidate: 1.0
  Version table:
     1.0 0
        500 ${ARCHIVE} stable/main i386 Packages" aptcache policy good-pkg