test/integration/test-cve-2013-1051-InRelease-parsing

   1 #!/bin/sh
   2 set -e
   3
   4 TESTDIR="$(readlink -f "$(dirname "$0")")"
   5 . "$TESTDIR/framework"
   6
   7 setupenvironment
   8 configarchitecture 'i386'
   9
  10 insertpackage 'stable' 'good-pkg' 'all' '1.0'
  11
  12 setupaptarchive
  13
  14 changetowebserver
  15 ARCHIVE="http://localhost:${APTHTTPPORT}"
  16 msgtest 'Initial apt-get update should work with' 'InRelease'
  17 testsuccess --nomsg aptget update
  18
  19 # check that the setup is correct
  20 testsuccessequal "good-pkg:
  21   Installed: (none)
  22   Candidate: 1.0
  23   Version table:
  24      1.0 500
  25         500 ${ARCHIVE} stable/main all Packages" aptcache policy good-pkg
  26
  27 # now exchange to the Packages file, note that this could be
  28 # done via MITM too
  29 insertpackage 'stable' 'bad-mitm' 'all' '1.0'
  30
  31 # this builds compressed files and a new (unsigned) Release
  32 buildaptarchivefromfiles '+1hour'
  33
  34 # add a space into the BEGIN PGP SIGNATURE PART/END PGP SIGNATURE part
  35 # to trick apt - this is still legal to gpg(v)
  36 sed -i '/^-----BEGIN PGP SIGNATURE-----/,/^-----END PGP SIGNATURE-----/ s/^$/  /g'  aptarchive/dists/stable/InRelease
  37
  38 # we append the (evil unsigned) Release file to the (good signed) InRelease
  39 cat aptarchive/dists/stable/Release >> aptarchive/dists/stable/InRelease
  40 touch -d '+1hour' aptarchive/dists/stable/InRelease
  41
  42 # ensure the update doesn't load bad data as good data
  43 # Note that we will pick up the InRelease itself as we download no other
  44 # indexes which would trigger a hashsum mismatch, but we ignore the 'bad'
  45 # part of the InRelease
  46 listcurrentlistsdirectory | sed '/_InRelease/ d' > listsdir.lst
  47 msgtest 'apt-get update should ignore unsigned data in the' 'InRelease'
  48 testsuccessequal "Get:1 http://localhost:${APTHTTPPORT} stable InRelease [$(stat -c%s aptarchive/dists/stable/InRelease) B]
  49 Reading package lists..." --nomsg aptget update
  50 testfileequal './listsdir.lst' "$(listcurrentlistsdirectory | sed '/_InRelease/ d')"
  51
  52 # ensure there is no package
  53 testfailureequal 'Reading package lists...
  54 Building dependency tree...
  55 E: Unable to locate package bad-mitm' aptget install bad-mitm -s
  56
  57 # and verify that its not picked up
  58 testsuccessequal 'N: Unable to locate package bad-mitm' aptcache policy bad-mitm
  59
  60 # and that the right one is used
  61 testsuccessequal "good-pkg:
  62   Installed: (none)
  63   Candidate: 1.0
  64   Version table:
  65      1.0 500
  66         500 ${ARCHIVE} stable/main all Packages" aptcache policy good-pkg