Do not parse Status fields from remote sources

This could allow an attacker to mark a package as installed in a
remote package index, as long as the package was not listed in
the dpkg status file.

This way, an attacker could force the installation of a package
during a dist-upgrade, by providing two packages in an index,
an older marked as installed, and a newer - apt would "upgrade"
to the newer version.

1 files changed, 30 insertions, 0 deletions

diff --git a/test/integration/test-security-no-remote-status b/test/integration/test-security-no-remote-status
new file mode 100755
index 000000000..b7cd0b0d1
--- /dev/null
+++ b/test/integration/test-security-no-remote-status
@@ -0,0 +1,30 @@
+#!/bin/sh
+#
+# Test that packages from remote sources cannot set the Status field.
+#
+set -e
+
+TESTDIR=$(readlink -f $(dirname $0))
+. $TESTDIR/framework
+setupenvironment
+configarchitecture 'amd64'
+
+TMPDIR=$(readlink -f .)
+
+insertpackage 'unstable' 'pretends-installed' 'all' '1' 'Status: install ok installed'
+insertinstalledpackage 'really-installed' 'all' '1'
+setupaptarchive
+
+testequal "pretends-installed:
+  Installed: (none)
+  Candidate: 1
+  Version table:
+     1 0
+        500 file:${TMPDIR}/aptarchive/ unstable/main amd64 Packages" aptcache policy pretends-installed
+
+testequal "really-installed:
+  Installed: 1
+  Candidate: 1
+  Version table:
+ *** 1 0
+        100 ${TMPDIR}/rootdir/var/lib/dpkg/status" aptcache policy really-installed