authorDavid Kalnischkies <david@kalnischkies.de>2016-01-27 15:28:17 +0100
committerDavid Kalnischkies <david@kalnischkies.de>2016-01-27 16:39:52 +0100
commit6fc2e03084c7e027c2b9a63c1fe99ff743aae3b6 (patch)
tree05128f88da578c7b0255663c30bb85140634bd9a
parenta133f79c8766aee5b7d7811285e60b3d311d8473 (diff)
only warn about missing/invalid Date field for now
The Date field in the Release file is useful to avoid allowing an attacker to 'downgrade' a user to earlier Release files (and hence to older states of the archive with open security bugs). It is also needed to allow a user to define min/max values for the validation of a Release file (with or without the Release file providing a Valid-Until field). APT wasn't formally requiring this field before though, and the (arguably not binding and still incomplete) online documentation declares it optional (until now), so we downgrade the error to a warning for now to give repository creators a bit more time to adapt – the bigger ones should have had a Date field for years already, so the affected group should be small in any case. It should be noted that earlier apt versions had this as an error already, but only showed it if a Valid-Until field was present (or the user tried to use the configuration items for min/max valid-until). Closes: 809329
-rw-r--r--apt-pkg/deb/debmetaindex.cc26
-rw-r--r--test/integration/framework8
-rwxr-xr-xtest/integration/test-releasefile-date-older39
3 files changed, 61 insertions, 12 deletions
diff --git a/apt-pkg/deb/debmetaindex.cc b/apt-pkg/deb/debmetaindex.cc
index 2521fccd6..97f881269 100644
--- a/apt-pkg/deb/debmetaindex.cc
+++ b/apt-pkg/deb/debmetaindex.cc
@@ -442,9 +442,8 @@ bool debReleaseIndex::Load(std::string const &Filename, std::string * const Erro
std::string const StrDate = Section.FindS("Date");
if (RFC1123StrToTime(StrDate.c_str(), Date) == false)
{
- if (ErrorText != NULL)
- strprintf(*ErrorText, _("Invalid 'Date' entry in Release file %s"), Filename.c_str());
- return false;
+ _error->Warning( _("Invalid 'Date' entry in Release file %s"), Filename.c_str());
+ Date = 0;
}
bool CheckValidUntil = _config->FindB("Acquire::Check-Valid-Until", true);
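Review bot: The warning emitted when `RFC1123StrToTime` fails does not tell the user that the freshness limits stop applying to this repository. With `Date = 0` the `MaxAge` handling further down is skipped, so a signed Release file carrying neither Date nor Valid-Until is accepted however old it is, even when `Acquire::Max-ValidTime` is configured. A comment on the sentinel would help the next reader, e.g. `// Date == 0 marks the date as unknown; Min-/Max-ValidTime cannot be applied below`, and a second warning at the point where a configured limit is skipped would make the lost protection visible to the admin. A missing field and a malformed value presumably both end up here with the same "Invalid 'Date' entry" text. The body of `debReleaseIndex::Load` continues outside the hunk.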
@@ -484,15 +483,18 @@ bool debReleaseIndex::Load(std::string const &Filename, std::string * const Erro
MinAge = _config->FindI(("Acquire::Min-ValidTime::" + Label).c_str(), MinAge);
}
- if (MinAge != 0 && ValidUntil != 0) {
- time_t const min_date = Date + MinAge;
- if (ValidUntil < min_date)
- ValidUntil = min_date;
- }
- if (MaxAge != 0) {
- time_t const max_date = Date + MaxAge;
- if (ValidUntil == 0 || ValidUntil > max_date)
- ValidUntil = max_date;
+ if (MinAge != 0 || ValidUntil != 0 || MaxAge != 0)
+ {
+ if (MinAge != 0 && ValidUntil != 0) {
+ time_t const min_date = Date + MinAge;
+ if (ValidUntil < min_date)
+ ValidUntil = min_date;
+ }
+ if (MaxAge != 0 && Date != 0) {
+ time_t const max_date = Date + MaxAge;
+ if (ValidUntil == 0 || ValidUntil > max_date)
+ ValidUntil = max_date;
+ }
}
}
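Review bot: The `MinAge` branch still computes `Date + MinAge` when `Date` is 0, while the `MaxAge` branch next to it is guarded by `Date != 0`. With an unknown date `min_date` is only `MinAge` seconds after the epoch, so the comparison is very unlikely to change `ValidUntil`, but the code relies on that arithmetic instead of stating it; `if (MinAge != 0 && ValidUntil != 0 && Date != 0) {` would make the two branches read the same. As far as the hunk shows, the new outer `if (MinAge != 0 || ValidUntil != 0 || MaxAge != 0)` is redundant, since each inner condition already implies it. The enclosing function starts outside the hunk.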
diff --git a/test/integration/framework b/test/integration/framework
index b0be3eaf1..2aed77d5b 100644
--- a/test/integration/framework
+++ b/test/integration/framework
@@ -1522,6 +1522,14 @@ msgfailoutput() {
msgfailoutputstatfile "$2" "$3"
done
echo '#### test output ####'
+ elif [ "$1" = 'cmp' ]; then
+ echo >&2
+ while [ -n "$2" ]; do
+ echo "#### Complete file: $2 ####"
+ cat >&2 "$2" || true
+ shift
+ done
+ echo '#### cmp output ####'
fi
cat >&2 "$OUTPUT"
msgfail "$MSG"
diff --git a/test/integration/test-releasefile-date-older b/test/integration/test-releasefile-date-older
index b6530be08..2d6746b10 100755
--- a/test/integration/test-releasefile-date-older
+++ b/test/integration/test-releasefile-date-older
@@ -60,3 +60,42 @@ redatereleasefiles 'now - 2 days'
find aptarchive -name 'Release.gpg' -delete
testsuccess aptget update
testfileequal 'listsdir.lst' "$(listcurrentlistsdirectory)"
+
+msgmsg 'Release file has' 'no Date and no Valid-Until field'
+rm -rf rootdir/var/lib/apt/lists
+generatereleasefiles 'now'
+sed -i '/^Date: / d' $(find ./aptarchive -name 'Release')
+signreleasefiles
+testwarning aptget update
+listcurrentlistsdirectory > listsdir.lst
+# have no effect as Date is unknown
+testwarning aptget update -o Acquire::Min-ValidTime=$((3600*24*30))
+testfileequal 'listsdir.lst' "$(listcurrentlistsdirectory)"
+testwarning aptget update -o Acquire::Max-ValidTime=1
+testfileequal 'listsdir.lst' "$(listcurrentlistsdirectory)"
+sed -i '/^Codename: / a\
+Another-Field: yes' $(find aptarchive/ -name 'Release')
+touch -d 'now + 1 day' $(find aptarchive/ -name 'Release')
+signreleasefiles "${2:-Joe Sixpack}"
+testwarning aptget update
+testsuccess cmp $(find aptarchive/ -name 'InRelease') $(find rootdir/var/lib/apt/ -name '*_InRelease')
+
+msgmsg 'Release file has' 'no Date field, but Valid-Until expired'
+rm -rf rootdir/var/lib/apt/lists
+generatereleasefiles 'now' 'now - 2 days'
+sed -i '/^Date: / d' $(find ./aptarchive -name 'Release')
+signreleasefiles
+testfailure aptget update
+listcurrentlistsdirectory > listsdir.lst
+# have no effect as Date is unknown
+testfailure aptget update -o Acquire::Min-ValidTime=$((3600*24*30))
+testfileequal 'listsdir.lst' "$(listcurrentlistsdirectory)"
+testfailure aptget update -o Acquire::Max-ValidTime=1
+testfileequal 'listsdir.lst' "$(listcurrentlistsdirectory)"
+
+msgmsg 'Release file has' 'no Date field, but Valid-Until is good'
+rm -rf rootdir/var/lib/apt/lists
+generatereleasefiles 'now' 'now + 2 days'
+sed -i '/^Date: / d' $(find ./aptarchive -name 'Release')
+signreleasefiles
+testwarning aptget update
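Review bot: `signreleasefiles "${2:-Joe Sixpack}"` reads the test script's own second positional argument, which looks copied from inside a framework function; at top level `signreleasefiles 'Joe Sixpack'` says what is meant. The three new cases only delete the Date line, so the malformed-Date path that shares the same warning in debmetaindex.cc is not exercised; a case that rewrites the field with `sed -i 's/^Date: .*/Date: not-a-date/'` (constructed value) followed by `testwarning aptget update` would cover it. The last case also does not check Min-/Max-ValidTime with a good Valid-Until and no Date, which is the one combination where the `MinAge` branch runs with an unknown date.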