summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--debian/changelog5
-rwxr-xr-xtest/integration/test-inrelease-verification-fail80
2 files changed, 85 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index 7ebbb1cb4..3ef652c56 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -17,6 +17,11 @@ apt (0.9.7.9) UNRELEASED; urgency=low
Release.gpg in case the new one we download isn't good for us
* apt-pkg/deb/debmetaindex.cc:
- reenable InRelease by default
+
+ [ Michael Vogt ]
+ * add regression test for CVE-2013-1051
+ * implement GPGSplit() based on the idea from Ansgar Burchardt
+ (many thanks!)
-- David Kalnischkies <kalnischkies@gmail.com> Fri, 15 Mar 2013 14:15:43 +0100
diff --git a/test/integration/test-inrelease-verification-fail b/test/integration/test-inrelease-verification-fail
new file mode 100755
index 000000000..5cbf1ab4d
--- /dev/null
+++ b/test/integration/test-inrelease-verification-fail
@@ -0,0 +1,80 @@
+#!/bin/sh
+
+set -e
+
+TESTDIR=$(readlink -f $(dirname $0))
+. $TESTDIR/framework
+
+setupenvironment
+configarchitecture "i386"
+
+buildsimplenativepackage 'good-pkg' 'all' '1.0' 'stable'
+
+setupaptarchive
+
+# now exchange to the Packages file, note that this could be
+# done via MITM too
+cat > aptarchive/dists/stable/main/binary-i386/Packages <<EOF
+Package: bad-mitm
+Installed-Size: 108
+Architecture: all
+Version: 0.5-3
+Filename: pool/bad-mitm.deb
+Size: 14348
+SHA256: e9b9a3859940c5882b35d56c0097667e552d87b662778c2c451fe6db657b0519
+Description: Evil package
+EOF
+for pair in "gzip:gz" "bzip2:bz2" "lzma:lzma" "xz:xz"; do
+ compressor=$(echo $pair|cut -f1 -d:)
+ extension=$(echo $pair|cut -f2 -d:)
+ $compressor -c aptarchive/dists/stable/main/binary-i386/Packages > aptarchive/dists/stable/main/binary-i386/Packages.$extension
+done
+
+# add a space into the BEGIN PGP SIGNATURE PART/END PGP SIGNATURE part
+# to trick apt - this is still legal to gpg(v)
+sed -i '/^-----BEGIN PGP SIGNATURE-----/,/^-----END PGP SIGNATURE-----/ s/^$/ /g' aptarchive/dists/stable/InRelease
+
+# and append our own hashes for the modified Packages files
+cat >> aptarchive/dists/stable/InRelease <<EOF
+Origin: Ansgar
+Codename: evilevil
+Suite: stable
+Date: Sun, 03 Jun 2012 13:26:11 UTC
+Architectures: i386
+Components: main
+SHA512:
+EOF
+for comp in "" ".gz" ".bz2" ".xz" ".lzma"; do
+ # Packages
+ s="$(sha512sum aptarchive/dists/stable/main/binary-i386/Packages$comp | cut -f1 -d' ') $(stat -c %s aptarchive/dists/stable/main/binary-i386/Packages$comp) main/binary-i386/Packages$comp"
+ echo " $s" >> aptarchive/dists/stable/InRelease
+ # Sources
+ s="$(sha512sum aptarchive/dists/stable/main/source/Sources$comp | cut -f1 -d' ') $(stat -c %s aptarchive/dists/stable/main/source/Sources$comp) main/source/Sources$comp"
+ echo " $s" >> aptarchive/dists/stable/InRelease
+done;
+
+# deliver this
+changetowebserver
+
+# ensure the update fails
+# useful for debugging to add "-o Debug::pkgAcquire::auth=true"
+if aptget update -qq; then
+ msgfail "apt-get update should NOT work for MITM"
+ exit 1
+fi
+
+# ensure there is no package
+testequal 'Reading package lists...
+Building dependency tree...
+E: Unable to locate package bad-mitm' aptget install bad-mitm
+
+# and verify that its not picked up
+#testequal 'N: Unable to locate package bad-mitm' aptcache policy bad-mitm
+
+# and that the right one is used
+#testequal 'good-pkg:
+#+ Installed: (none)
+#+ Candidate: 1.0
+#+ Version table:
+#+ 1.0 0
+#+ 500 http://localhost/ stable/main i386 Packages' aptcache policy good-pkg