"InRelease");
string FinalInRelease = _config->FindDir("Dir::State::lists") + URItoFileName(InReleaseURI);
- if(RealFileExists(Final) || RealFileExists(FinalInRelease))
+ if (RealFileExists(Final) || RealFileExists(FinalInRelease))
{
- _error->Error("The repository '%s' is no longer signed.",
- URIDesc.c_str());
- Rename(MetaIndexFile, MetaIndexFile+".FAILED");
- Status = pkgAcquire::Item::StatError;
- TransactionManager->AbortTransaction();
- return;
+ std::string downgrade_msg;
+ strprintf(downgrade_msg, _("The repository '%s' is no longer signed."),
+ URIDesc.c_str());
+ if(_config->FindB("Acquire::AllowDowngradeToInsecureRepositories"))
+ {
+ // meh, the users wants to take risks (we still mark the packages
+ // from this repository as unauthenticated)
+ _error->Warning("%s", downgrade_msg.c_str());
+ _error->Warning(_("This is normally not allowed, but the option "
+ "Acquire::AllowDowngradeToInsecureRepositories was "
+ "given to override it."));
+
+ } else {
+ _error->Error("%s", downgrade_msg.c_str());
+ Rename(MetaIndexFile, MetaIndexFile+".FAILED");
+ Status = pkgAcquire::Item::StatError;
+ TransactionManager->AbortTransaction();
+ return;
+ }
}
// this ensures that any file in the lists/ dir is removed by the
}
// only allow going further if the users explicitely wants it
- if(_config->FindB("APT::Get::AllowUnauthenticated", false) == true)
+ if(_config->FindB("Acquire::AllowInsecureRepositories") == true)
{
// we parse the indexes here because at this point the user wanted
// a repository that may potentially harm him
}
else
{
- _error->Warning("Use --allow-unauthenticated to force the update");
+ _error->Warning("Use --allow-insecure-repositories to force the update");
}
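Review bot: `Acquire::AllowInsecureRepositories` is read here, and again in the fallback branch before `QueueIndexes(false)`, as one global configuration switch. As far as the visible lines show, setting it to get a single unsigned source updated applies to every unsigned or unverifiable source in the same run. A comment at both checks should state that scope, for example `// global switch: applies to all sources in this update, not only the failing one`. The two new `Use --allow-insecure-repositories to force the update` warnings are also emitted untranslated, whereas the downgrade messages added earlier in this diff go through `_()`; wrapping them would keep the security hints consistent. The enclosing functions begin and end outside the visible lines.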
// FIXME: this is used often (e.g. in pkgAcqIndexTrans) so refactor
// No Release file was present, or verification failed, so fall
// back to queueing Packages files without verification
// only allow going further if the users explicitely wants it
- if(_config->FindB("APT::Get::AllowUnauthenticated", false) == true)
+ if(_config->FindB("Acquire::AllowInsecureRepositories") == true)
{
QueueIndexes(false);
} else {
// warn if the repository is unsinged
- _error->Warning("Use --allow-unauthenticated to force the update");
+ _error->Warning("Use --allow-insecure-repositories to force the update");
}
}
/*}}}*/
Cnf.Set("Dir::Ignore-Files-Silently::", "\\.orig$");
Cnf.Set("Dir::Ignore-Files-Silently::", "\\.distUpgrade$");
+ // Repository security
+ Cnf.CndSet("Acquire::AllowInsecureRepositories", false);
+ Cnf.CndSet("Acquire::AllowDowngradeToInsecureRepositories", false);
+
// Default cdrom mount point
Cnf.CndSet("Acquire::cdrom::mount", "/media/cdrom/");
addArg(0,"only-source","APT::Get::Only-Source",0);
addArg(0,"arch-only","APT::Get::Arch-Only",0);
addArg(0,"allow-unauthenticated","APT::Get::AllowUnauthenticated",0);
+ addArg(0,"allow-insecure-repositories","Acquire::AllowInsecureRepositories",0);
addArg(0,"install-recommends","APT::Install-Recommends",CommandLine::Boolean);
addArg(0,"install-suggests","APT::Install-Suggests",CommandLine::Boolean);
addArg(0,"fix-policy","APT::Get::Fix-Policy-Broken",0);
{
Host-Architecture "armel";
Arch-Only "false";
- AllowUnauthenticated "false";
+ AllowUnauthenticated "false"; // packages from unauthenticated
AutomaticRemove "false";
HideAutoRemove "false";
Download-Only "false";
rm -f $APTARCHIVE/dists/unstable/*Release*
# update without authenticated InRelease file
-testsuccess aptget update --allow-unauthenticated
+testsuccess aptget update --allow-insecure-repositories
# this all should fail
testfailure aptget install -y foo
Ign file: unstable Release
Reading package lists...
W: The data from 'file: unstable Release' is not signed. Packages from that repository can not be authenticated.
-W: Use --allow-unauthenticated to force the update" aptget update
+W: Use --allow-insecure-repositories to force the update" aptget update
# no package foo
testequal "Listing..." apt list foo
testequal "Ign file: unstable InRelease
Ign file: unstable Release
Reading package lists...
-W: The data from 'file: unstable Release' is not signed. Packages from that repository can not be authenticated." aptget update --allow-unauthenticated
+W: The data from 'file: unstable Release' is not signed. Packages from that repository can not be authenticated." aptget update --allow-insecure-repositories
# ensure we can not install the package
testequal "WARNING: The following packages cannot be authenticated!
assert_update_is_refused_and_last_good_state_used
}
+test_from_inrelease_to_unsigned_with_override()
+{
+ # setup archive with InRelease file
+ setupaptarchive_with_lists_clean
+ testsuccess aptget update
+
+ # simulate moving to a unsigned but otherwise valid repo
+ simulate_mitm_and_inject_evil_package
+ generatereleasefiles
+
+ # and ensure we can update to it (with enough force)
+ testsuccess aptget update --allow-insecure-repositories \
+ -o Acquire::AllowDowngradeToInsecureRepositories=1
+ # but that the individual packages are still considered untrusted
+ testequal "WARNING: The following packages cannot be authenticated!
+ evil
+E: There are problems and -y was used without --force-yes" aptget install -qq -y evil
+}
+
test_cve_2012_0214()
{
# see https://bugs.launchpad.net/ubuntu/+source/apt/+bug/947108
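Review bot: The new test_from_inrelease_to_unsigned_with_override only covers the case where `--allow-insecure-repositories` and `-o Acquire::AllowDowngradeToInsecureRepositories=1` are given together, so nothing in it pins that the signed-to-unsigned transition is still refused when the downgrade override is absent. A `testfailure aptget update --allow-insecure-repositories` placed before the overriding call would guard that check against regressions, provided the failed run leaves the lists in a state the following `testsuccess` can still use. A matching assertion for the override given on its own would document what that combination is expected to do.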
# ensure we revert to last good state if Release/Release.gpg does not verify
msgmsg "test_release_gpg_to_invalid_release_release_gpg"
test_release_gpg_to_invalid_release_release_gpg
+
+# ensure we can ovveride the downgrade error
+msgmsg "test_from_inrelease_to_unsigned"
+test_from_inrelease_to_unsigned_with_override
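Review bot: The `msgmsg` label printed before the new call does not match the function it announces, so a failure in test_from_inrelease_to_unsigned_with_override would be logged under the heading `test_from_inrelease_to_unsigned`. It should read `msgmsg "test_from_inrelease_to_unsigned_with_override"`. The comment above it also has a typo and would read better as `# ensure we can override the downgrade error`.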
rm $APTARCHIVE/dists/unstable/Release.gpg
avoid_ims_hit
- testsuccess aptget update -qq --allow-unauthenticated
+ testsuccess aptget update -qq --allow-insecure-repositories
testequal "WARNING: The following packages cannot be authenticated!
old
E: There are problems and -y was used without --force-yes" aptget install -qq -y old
rm -f aptarchive/dists/unstable/*Release*
# remove uncompressed version
find aptarchive/ -name Packages | xargs rm -f
- aptget update -qq --allow-unauthenticated
+ aptget update -qq --allow-insecure-repositories
# become authenticated
generatereleasefiles
aptgetupdate() {
rm -rf rootdir/var/lib/apt/ rootdir/var/cache/apt/*.bin
- aptget update -qq --allow-unauthenticated
+ aptget update -qq --allow-insecure-repositories
}
PKGTEXT="$(aptget install cool --assume-no -d | head -n 7)"
rm -rf rootdir/var/lib/apt
if [ "$1" = 'trusted' ]; then
- testsuccess aptget update
+ testsuccess aptget update
testsuccess aptget download cool
testfileexists 'cool_1.0_i386.deb'
testsuccess aptget download cool --allow-unauthenticated
testfileexists 'cool_1.0_i386.deb'
else
- testsuccess aptget update --allow-unauthenticated
+ testsuccess aptget update --allow-insecure-repositories
testfailure aptget download cool
testfilemissing 'cool_1.0_i386.deb'
changetowebserver --request-absolute='uri'
msgtest 'Check that absolute paths are' 'not accepted'
-testfailure --nomsg aptget update --allow-unauthenticated
+testfailure --nomsg aptget update --allow-insecure-repositories
echo 'Acquire::http::Proxy "http://localhost:8080";' > rootdir/etc/apt/apt.conf.d/99proxy
# check that downgrades from https to http are not allowed
webserverconfig 'aptwebserver::support::http' 'true'
sed -i -e 's#:8080/redirectme#:4433/downgrademe#' -e 's# http:# https:#' rootdir/etc/apt/sources.list.d/*
-testfailure aptget update --allow-unauthenticated
+testfailure aptget update --allow-insecure-repositories
rm -rf rootdir/var/lib/apt/lists
rm aptarchive/InRelease aptarchive/Release.gpg
msgtest 'unsigned apt-get update gets the expected hashsum mismatch'
- aptget update --allow-unauthenticated >output.log 2>&1 || true
+ aptget update --allow-insecure-repositories >output.log 2>&1 || true
if grep -q "Hash Sum mismatch" output.log; then
msgpass
else
aptgetupdate() {
# just to be sure that no old files are used
rm -rf rootdir/var/lib/apt
- if aptget update --allow-unauthenticated -qq 2>&1 | grep '^E: '; then
+ if aptget update --allow-insecure-repositories -qq 2>&1 | grep '^E: '; then
msgwarn 'apt-get update failed with an error'
fi
}