authorDavid Kalnischkies <david@kalnischkies.de>2019-01-23 20:50:29 +0100
committerDavid Kalnischkies <david@kalnischkies.de>2019-01-23 22:48:16 +0100
commite2965b0b6bdd68ffcad0e06d11755412a7e16e50 (patch)
tree24bac675db43d9e013f2e9481ca4599a350e3f34 /test/integration/test-cve-2019-3462-Release.gpg-payload
parent3734cceb44b02ca4d5ee3c6f5cbfe1e12f17cffb (diff)
Fail on non-signature lines in Release.gpg
The exploit for CVE-2019-3462 uses the fact that a Release.gpg file can contain additional content beside the expected detached signature(s). We were passing the file unchecked to gpgv, which ignores these extras without complaint, so we reuse the same line-reading implementation we use for InRelease splitting to detect if a Release.gpg file contains unexpected data and fail in this case, given that in the previous commit we established that we now fail in the similar InRelease case.
Diffstat (limited to 'test/integration/test-cve-2019-3462-Release.gpg-payload')
-rwxr-xr-xtest/integration/test-cve-2019-3462-Release.gpg-payload43
1 files changed, 43 insertions, 0 deletions
diff --git a/test/integration/test-cve-2019-3462-Release.gpg-payload b/test/integration/test-cve-2019-3462-Release.gpg-payload
new file mode 100755
index 000000000..fd0f96713
--- /dev/null
+++ b/test/integration/test-cve-2019-3462-Release.gpg-payload
@@ -0,0 +1,43 @@
+#!/bin/sh
+set -e
+
+# This is not covered by the CVE and harmless by itself, but used in
+# the exploit and while harmless it is also pointless to allow it
+
+TESTDIR="$(readlink -f "$(dirname "$0")")"
+. "$TESTDIR/framework"
+
+setupenvironment
+configarchitecture 'amd64'
+
+export APT_DONT_SIGN='InRelease'
+
+insertpackage 'unstable' 'foo' 'all' '1'
+setupaptarchive
+rm -rf rootdir/var/lib/apt/lists
+
+verify() {
+ testfailure apt update
+ testsuccess grep '^ Detached signature file' rootdir/tmp/testfailure.output
+ testfailure apt show foo
+}
+
+msgmsg 'Payload after detached signature'
+find aptarchive -name 'Release.gpg' | while read FILE; do
+ cp -a "$FILE" "${FILE}.bak"
+ echo "evil payload" >> "$FILE"
+done
+verify
+
+msgmsg 'Payload in-between detached signatures'
+find aptarchive -name 'Release.gpg' | while read FILE; do
+ cat "${FILE}.bak" >> "$FILE"
+done
+verify
+
+msgmsg 'Payload before detached signature'
+find aptarchive -name 'Release.gpg' | while read FILE; do
+ echo "evil payload" > "$FILE"
+ cat "${FILE}.bak" >> "$FILE"
+done
+verify
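Review bot: The 'Payload in-between detached signatures' case depends on the state left by the first case — `Release.gpg` is never restored from `.bak`, so appending the backup only yields signature + payload + signature because the earlier `echo "evil payload" >> "$FILE"` already ran. A comment above that loop should make the ordering explicit, e.g. `# file is still sig+payload from the previous case; appending the original gives sig+payload+sig`. The third case truncates with `>` and so is independent of prior state, which is worth stating in the same place. The `find | while read FILE` loops also read paths without `-r`; `while IFS= read -r FILE; do` is the safer spelling even though the archive names here are under the test's own control.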