author | Michael Vogt <michael.vogt@ubuntu.com> | 2013-03-14 14:28:58 +0100 |
---|---|---|
committer | Michael Vogt <michael.vogt@ubuntu.com> | 2013-03-14 14:28:58 +0100 |
commit | ca18208fbda302b767c10bb567f90d7c6127db44 (patch) | |
tree | cda97d475aa06997e79543848de3608d8b7f4908 /test | |
parent | b748b3b36b9db249cf273698b9e4b7eaf9c1c41f (diff) |
* SECURITY UPDATE: InRelease verification bypass
- CVE-2013-1051
* apt-pkg/deb/debmetaindex.cc,
test/integration/test-bug-595691-empty-and-broken-archive-files,
test/integration/test-releasefile-verification:
- disable InRelease downloading until the verification issue is
fixed, thanks to Ansgar Burchardt for finding the flaw
Diffstat (limited to 'test')
-rwxr-xr-x | test/integration/test-bug-595691-empty-and-broken-archive-files | 30 | ||||
-rwxr-xr-x | test/integration/test-bug-602412-dequote-redirect | 3 | ||||
-rwxr-xr-x | test/integration/test-releasefile-verification | 4 |
3 files changed, 15 insertions, 22 deletions
diff --git a/test/integration/test-bug-595691-empty-and-broken-archive-files b/test/integration/test-bug-595691-empty-and-broken-archive-files index 63883b380..4611b8b8e 100755 --- a/test/integration/test-bug-595691-empty-and-broken-archive-files +++ b/test/integration/test-bug-595691-empty-and-broken-archive-files @@ -13,7 +13,7 @@ setupflataptarchive testaptgetupdate() { rm -rf rootdir/var/lib/apt aptget update 2>> testaptgetupdate.diff >> testaptgetupdate.diff || true - sed -i -e '/^Fetched / d' -e '/Ign / d' -e 's#\[[0-9]* [kMGTPY]*B\]#\[\]#' testaptgetupdate.diff + sed -i -e '/^Fetched / d' -e '/Ign / d' -e '/Release/ d' -e 's#Get:[0-9]\+ #Get: #' -e 's#\[[0-9]* [kMGTPY]*B\]#\[\]#' testaptgetupdate.diff GIVEN="$1" shift msgtest "Test for correctness of" "apt-get update with $*" @@ -81,22 +81,18 @@ testoverfile() { setupcompressor "$1" createemptyfile 'en' - testaptgetupdate "Get:1 file: InRelease [] -Reading package lists..." "empty file en.$COMPRESS over file" + testaptgetupdate 'Reading package lists...' "empty file en.$COMPRESS over file" createemptyarchive 'en' - testaptgetupdate "Get:1 file: InRelease [] -Reading package lists..." "empty archive en.$COMPRESS over file" + testaptgetupdate 'Reading package lists...' "empty archive en.$COMPRESS over file" createemptyarchive 'Packages' # FIXME: Why omits the file transport the Packages Get line? #Get:3 file: Packages [] - testaptgetupdate "Get:1 file: InRelease [] -Reading package lists..." "empty archive Packages.$COMPRESS over file" + testaptgetupdate 'Reading package lists...' "empty archive Packages.$COMPRESS over file" createemptyfile 'Packages' - testaptgetupdate "Get:1 file: InRelease [] -Err file: Packages + testaptgetupdate "Err file: Packages Empty files can't be valid archives W: Failed to fetch ${COMPRESSOR}:$(readlink -f aptarchive/Packages.$COMPRESS) Empty files can't be valid archives 
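Review bot: The new `-e '/Release/ d'` expression in testaptgetupdate() is unanchored, so it drops every line of apt-get output that contains the string Release, not only the Get lines for Release and Release.gpg. A warning or error that mentions a Release file or its signature would be filtered out the same way, and the shortened expectations in testoverfile() and testoverhttp() (the two following hunks) would still match. Limiting the filter to progress lines keeps such messages visible to the comparison, for example `-e '/^\(Get:[0-9]\+\|Hit\) .*Release/ d'`. The body of testaptgetupdate() continues past the end of this hunk.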
@@ -107,26 +103,22 @@ testoverhttp() { setupcompressor "$1" createemptyfile 'en' - testaptgetupdate "Get:1 http://localhost InRelease [] -Get:2 http://localhost Packages [] -Get:3 http://localhost Translation-en + testaptgetupdate "Get: http://localhost Packages [] +Get: http://localhost Translation-en Reading package lists..." "empty file en.$COMPRESS over http" createemptyarchive 'en' - testaptgetupdate "Get:1 http://localhost InRelease [] -Get:2 http://localhost Packages [] -Get:3 http://localhost Translation-en [] + testaptgetupdate "Get: http://localhost Packages [] +Get: http://localhost Translation-en [] Reading package lists..." "empty archive en.$COMPRESS over http" createemptyarchive 'Packages' - testaptgetupdate "Get:1 http://localhost InRelease [] -Get:2 http://localhost Packages [] + testaptgetupdate "Get: http://localhost Packages [] Reading package lists..." "empty archive Packages.$COMPRESS over http" createemptyfile 'Packages' #FIXME: we should response with a good error message instead - testaptgetupdate "Get:1 http://localhost InRelease [] -Get:2 http://localhost Packages + testaptgetupdate "Get: http://localhost Packages Err http://localhost Packages Empty files can't be valid archives W: Failed to fetch ${COMPRESSOR}:$(readlink -f rootdir/var/lib/apt/lists/partial/localhost:8080_Packages) Empty files can't be valid archives diff --git a/test/integration/test-bug-602412-dequote-redirect b/test/integration/test-bug-602412-dequote-redirect index f1e67c6d8..43ecda867 100755 --- a/test/integration/test-bug-602412-dequote-redirect +++ b/test/integration/test-bug-602412-dequote-redirect 
@@ -19,7 +19,8 @@ msgtest 'Test redirection works in' 'apt-get update' aptget update -qq && msgpass || msgfail # check that I-M-S header is kept in redirections -testequal 'Hit http://localhost unstable InRelease +testequal 'Hit http://localhost unstable Release.gpg +Hit http://localhost unstable Release Hit http://localhost unstable/main Sources Hit http://localhost unstable/main amd64 Packages Hit http://localhost unstable/main Translation-en diff --git a/test/integration/test-releasefile-verification b/test/integration/test-releasefile-verification index d3ea91de5..01fb2e529 100755 --- a/test/integration/test-releasefile-verification +++ b/test/integration/test-releasefile-verification @@ -184,5 +184,5 @@ runtest2 DELETEFILE="InRelease" runtest -DELETEFILE="Release.gpg" -runtest +#DELETEFILE="Release.gpg" +#runtest |
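Review bot: The last `DELETEFILE="Release.gpg"` / `runtest` pair in test-releasefile-verification is commented out with no explanation, so the reason and the condition for re-enabling it live only in the commit message. A comment directly above the disabled lines would keep that with the code, e.g. `# FIXME: InRelease is not downloaded until CVE-2013-1051 is fixed; re-enable once InRelease verification is restored`. It would also help to replace the disabled run with a negative check that an archive offering only InRelease (no Release.gpg) is not accepted as signed, since this update relies on that behaviour. runtest is defined outside this hunk, so how such an assertion fits its helpers cannot be judged from here.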