Test that SHA1-only .diff/Index files are not used
#!/bin/sh
#
# Ensure that we do not modify file:/// uris (regression test for
# CVE-2014-0487)
#
# Outline of the script:
#   1. build a small test archive and make part of it non-writable,
#   2. run `aptget update` against it,
#   3. use the SHA512 of the uncompressed Packages index as a canary in the
#      Debug::pkgAcquire::Auth log to tell whether the index was fetched
#      again or not.
#
set -e

# Resolve the directory this script lives in and load the shared helpers
# (setupenvironment, insertpackage, testsuccess, ...) from it.
TESTDIR="$(readlink -f "$(dirname "$0")")"
. "${TESTDIR}/framework"

# Test environment: one native architecture, two index compressors.
setupenvironment
configarchitecture 'amd64'
configcompression 'bz2' 'gz'
# SHA512 is the only hash configured here; the canary checks later in the
# script grep for a "SHA512:<hex>" string accordingly.
confighashes 'SHA512'

# Archive content: an arch-all and an arch-specific binary, plus one source.
insertpackage 'unstable' 'foo' 'all' '1'
insertpackage 'unstable' 'bar' 'amd64' '1'
insertsource 'unstable' 'foo' 'all' '1'

# Build the archive but leave the first `update` to the checks below.
setupaptarchive --no-update
21
# ensure the archive is not writable
#
# The trap is registered before any chmod so that the mode of binary-all is
# put back even if a check below aborts the script.
# NOTE(review): the trap restores binary-all only; on the uid-0 path below
# aptarchive/dists/ is left at mode 500 when the script exits.
addtrap 'prefix' 'chmod 755 aptarchive/dists/unstable/main/binary-all;'

binall_dir='aptarchive/dists/unstable/main/binary-all'
dists_dir='aptarchive/dists/'
apt_lists_dir='rootdir/var/lib/apt/lists'

case "$(id -u)" in
0)
	# Running as root: exercise unreadable directories instead, then stop.
	# NOTE(review): file modes do not restrict uid 0 itself, so the expected
	# failure presumably comes from apt fetching as an unprivileged user;
	# confirm against the framework/apt configuration.

	# too deep to notice it, but it also unlikely that files in the same repo have different permissions
	chmod 500 "$binall_dir"
	testfailure aptget update
	rm -rf "$apt_lists_dir"

	# readable again: update has to work
	chmod 755 "$binall_dir"
	testsuccess aptget update
	rm -rf "$apt_lists_dir"

	# progressively tighten the top-level dists/ directory; the fetched
	# lists are wiped between runs so every update starts from scratch
	chmod 511 "$dists_dir"
	testsuccess aptget update
	rm -rf "$apt_lists_dir"

	chmod 510 "$dists_dir"
	testsuccesswithnotice aptget update
	rm -rf "$apt_lists_dir"

	chmod 500 "$dists_dir"
	testsuccesswithnotice aptget update

	# bare exit: the script ends with the status of the last check
	exit
	;;
esac

# Unprivileged run: read/execute only, nobody may write into binary-all.
chmod 555 "$binall_dir"
testsuccess aptget update
44
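# the release files aren't an IMS-hit (If-Modified-Since), but the indexes are
# (only the release files are redated here; the index itself is unchanged)
redatereleasefiles '+1 hour'

# we don't download the index if it isn't updated
testsuccess aptget update -o Debug::pkgAcquire::Auth=1
# file:/ isn't shown in the log, so see if it was downloaded anyhow
# (keep a private copy of the log before any further test* helper runs)
cp -a rootdir/tmp/testsuccess.output rootdir/tmp/update.output

packages_bz2='aptarchive/dists/unstable/main/binary-all/Packages.bz2'
# Guard against a vacuous pass: `set -e` only sees the status of the last
# command of a pipeline, so a missing or corrupt Packages.bz2 would make the
# canary the hash of empty input. That hash is never in the log, and the
# negative grep below would then "succeed" without proving anything.
bzip2 -t "$packages_bz2" || {
	echo "cannot read $packages_bz2, canary would be meaningless" >&2
	exit 1
}
# canary = hash of the uncompressed index, in the "SHA512:<hex>" form the
# test expects to find in the Debug::pkgAcquire::Auth output
canary="SHA512:$(bzcat "$packages_bz2" | sha512sum | cut -f1 -d' ')"
# the index was an IMS-hit, so its hash must NOT appear in the update log
testfailure grep -- "$canary" rootdir/tmp/update.output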
54
# Check that the package 'foo' can still be resolved from the fetched lists,
# both as a binary package and as a source package.
# Arguments: none
# Relies on: testsuccess, aptget, aptcache (provided by the test framework)
testfoo() {
	# foo is still available
	# binary side: simulated install only (-s), nothing is changed
	testsuccess aptget install -s 'foo'
	# source side: the source record is known ...
	testsuccess aptcache showsrc 'foo'
	# ... and its download URIs can be printed (no download is asked for)
	testsuccess aptget source 'foo' --print-uris
}
# first round: the index was not fetched again, foo must still resolve
testfoo

# the release file is new again, the index still isn't, but it is somehow gone now from disk
redatereleasefiles '+2 hour'
find rootdir/var/lib/apt/lists -name '*_Packages*' -delete

# This time the index has to be fetched again, because the local copy is gone.
testsuccess aptget update -o Debug::pkgAcquire::Auth=1
# file:/ isn't shown in the log, so see if it was downloaded anyhow
# (keep a private copy of the log before any further test* helper runs)
cp -a rootdir/tmp/testsuccess.output rootdir/tmp/update.output

# Hash of the uncompressed index, in the "SHA512:<hex>" form searched for in
# the Debug::pkgAcquire::Auth output.
index_digest="$(bzcat aptarchive/dists/unstable/main/binary-all/Packages.bz2 | sha512sum | cut -d' ' -f1)"
canary="SHA512:${index_digest}"
# positive check: the hash must now appear in the update log
testsuccess grep -- "$canary" rootdir/tmp/update.output

# second round: foo must resolve from the re-fetched index as well
testfoo