Diffstat (limited to 'test/integration/test-cve-2013-1051-InRelease-parsing')
-rwxr-xr-x | test/integration/test-cve-2013-1051-InRelease-parsing | 61 |
1 files changed, 61 insertions, 0 deletions
diff --git a/test/integration/test-cve-2013-1051-InRelease-parsing b/test/integration/test-cve-2013-1051-InRelease-parsing
new file mode 100755
index 000000000..bd68fccf6
--- /dev/null
+++ b/test/integration/test-cve-2013-1051-InRelease-parsing
@@ -0,0 +1,61 @@
+#!/bin/sh
+set -e
+
+TESTDIR=$(readlink -f $(dirname $0))
+. $TESTDIR/framework
+
+setupenvironment
+configarchitecture 'i386'
+
+insertpackage 'stable' 'good-pkg' 'all' '1.0'
+
+setupaptarchive
+
+changetowebserver
+ARCHIVE='http://localhost/'
+msgtest 'Initial apt-get update should work with' 'InRelease'
+aptget update -qq && msgpass || msgfail
+
+# check that the setup is correct
+testequal "good-pkg:
+ Installed: (none)
+ Candidate: 1.0
+ Version table:
+ 1.0 0
+ 500 ${ARCHIVE} stable/main i386 Packages" aptcache policy good-pkg
+
+# now exchange to the Packages file, note that this could be
+# done via MITM too
+insertpackage 'stable' 'bad-mitm' 'all' '1.0'
+
+# this builds compressed files and a new (unsigned) Release
+buildaptarchivefromfiles '+1hour'
+
+# add a space into the BEGIN PGP SIGNATURE PART/END PGP SIGNATURE part
+# to trick apt - this is still legal to gpg(v)
+sed -i '/^-----BEGIN PGP SIGNATURE-----/,/^-----END PGP SIGNATURE-----/ s/^$/ /g' aptarchive/dists/stable/InRelease
+
+# we append the (evil unsigned) Release file to the (good signed) InRelease
+cat aptarchive/dists/stable/Release >> aptarchive/dists/stable/InRelease
+
+
+# ensure the update fails
+# useful for debugging to add "-o Debug::pkgAcquire::auth=true"
+msgtest 'apt-get update for should fail with the modified' 'InRelease'
+aptget update 2>&1 | grep -q 'Hash Sum mismatch' > /dev/null && msgpass || msgfail
+
+# ensure there is no package
+testequal 'Reading package lists...
+Building dependency tree...
+E: Unable to locate package bad-mitm' aptget install bad-mitm -s
+
+# and verify that its not picked up
+testequal 'N: Unable to locate package bad-mitm' aptcache policy bad-mitm -q=0
+
+# and that the right one is used
+testequal "good-pkg:
+ Installed: (none)
+ Candidate: 1.0
+ Version table:
+ 1.0 0
+ 500 ${ARCHIVE} stable/main i386 Packages" aptcache policy good-pkg |
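Review bot: The test never confirms that the `sed -i` step actually altered `aptarchive/dists/stable/InRelease`. If the signature block contains no empty line to rewrite, the substitution is a no-op, and the test would presumably still pass against a fixed apt without exercising the whitespace case the CVE is about. Adding a precondition check right after the sed, such as `grep -q '^ $' aptarchive/dists/stable/InRelease`, would abort the run under `set -e` when the tampering did not take effect. Separately, the failure check `aptget update 2>&1 | grep -q 'Hash Sum mismatch' > /dev/null` pins one exact error wording and discards apt's exit status. The `> /dev/null` there is redundant with `-q`, and a short comment noting that the later `bad-mitm` lookups are the assertions carrying the security property would help maintainers if the message text changes.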