simulate_mitm_and_inject_evil_package()
{
redatereleasefiles '+1 hour'
- rm -f "$APTARCHIVE/dists/unstable/InRelease"
- rm -f "$APTARCHIVE/dists/unstable/Release.gpg"
+ rm -f "$APTARCHIVE/dists/unstable/InRelease" "$APTARCHIVE/dists/unstable/Release.gpg"
inject_evil_package
}
assert_update_is_refused_and_last_good_state_used()
{
testfailuremsg "E: The repository 'file:${APTARCHIVE} unstable Release' is no longer signed.
-N: Updating such a repository securily is impossible and therefore disabled by default.
+N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details." aptget update
assert_repo_is_intact
test_from_inrelease_to_unsigned()
{
- # setup archive with InRelease file
+ export APT_DONT_SIGN='Release.gpg'
setupaptarchive_with_lists_clean
testsuccess aptget update
listcurrentlistsdirectory > lists.before
test_from_release_gpg_to_unsigned()
{
- # setup archive with Release/Release.gpg (but no InRelease)
+ export APT_DONT_SIGN='InRelease'
setupaptarchive_with_lists_clean
- rm "$APTARCHIVE/dists/unstable/InRelease"
testsuccess aptget update
listcurrentlistsdirectory > lists.before
test_from_inrelease_to_unsigned_with_override()
{
+ export APT_DONT_SIGN='Release.gpg'
# setup archive with InRelease file
setupaptarchive_with_lists_clean
testsuccess aptget update
#
# Still worth having a regression test the simulates the condition
- # setup archive with InRelease
+ export APT_DONT_SIGN='Release.gpg'
setupaptarchive_with_lists_clean
testsuccess aptget update
listcurrentlistsdirectory > lists.before
# do what CVE-2012-0214 did
- rm "$APTARCHIVE/dists/unstable/InRelease"
- rm "$APTARCHIVE/dists/unstable/Release.gpg"
+ rm -f "$APTARCHIVE/dists/unstable/InRelease" "$APTARCHIVE/dists/unstable/Release.gpg"
inject_evil_package
# build valid Release file
- aptftparchive -qq release ./aptarchive > aptarchive/dists/unstable/Release
+ aptftparchive -qq release ./aptarchive > aptarchive/dists/unstable/Release
assert_update_is_refused_and_last_good_state_used
testfileequal lists.before "$(listcurrentlistsdirectory)"
test_subvert_inrelease()
{
- # setup archive with InRelease
+ export APT_DONT_SIGN='Release.gpg'
setupaptarchive_with_lists_clean
testsuccess aptget update
listcurrentlistsdirectory > lists.before
# replace InRelease with something else
mv "$APTARCHIVE/dists/unstable/Release" "$APTARCHIVE/dists/unstable/InRelease"
- testfailuremsg "W: Failed to fetch file:${APTARCHIVE}/dists/unstable/InRelease Clearsigned file isn't valid, got 'NOSPLIT' (does the network require authentication?)
+ testfailuremsg "E: Failed to fetch file:${APTARCHIVE}/dists/unstable/InRelease Clearsigned file isn't valid, got 'NOSPLIT' (does the network require authentication?)
E: Some index files failed to download. They have been ignored, or old ones used instead." aptget update
# ensure we keep the repo
test_inrelease_to_invalid_inrelease()
{
- # setup archive with InRelease
+ export APT_DONT_SIGN='Release.gpg'
setupaptarchive_with_lists_clean
testsuccess aptget update
listcurrentlistsdirectory > lists.before
test_release_gpg_to_invalid_release_release_gpg()
{
- # setup archive with InRelease
+ export APT_DONT_SIGN='InRelease'
setupaptarchive_with_lists_clean
- rm "$APTARCHIVE/dists/unstable/InRelease"
testsuccess aptget update
listcurrentlistsdirectory > lists.before
}
-TESTDIR=$(readlink -f $(dirname $0))
-. $TESTDIR/framework
+TESTDIR="$(readlink -f "$(dirname "$0")")"
+. "$TESTDIR/framework"
setupenvironment
configarchitecture "i386"
msgmsg "test_cve_2012_0214"
test_cve_2012_0214
-# ensure InRelase can not be subverted
+# ensure InRelease can not be subverted
msgmsg "test_subvert_inrelease"
test_subvert_inrelease