5 files changed, 155 insertions, 18 deletions

diff --git a/test/integration/test-apt-extracttemplates b/test/integration/test-apt-extracttemplates
index 9b07ef79f..a47257cfd 100755
--- a/test/integration/test-apt-extracttemplates
+++ b/test/integration/test-apt-extracttemplates
@@ -44,6 +44,13 @@ Description: Some bar var
 	testfileequal "$TEMPLATE" "$TEMPLATE_STR"
 	CONFIG=$(cut -f4 -d' ' $OUT)
 	testfileequal "$CONFIG" "$CONFIG_STR"
+	msgtest 'No extra files or directories in extraction directory'
+	if [ "$(find ./extracttemplates-out | wc -l)" = '3' ]; then
+		msgpass
+	else
+		msgfail
+		ls -l ./extracttemplates-out
+	fi
 
 	# ensure that the format of the output string has the right number of dots
 	for s in "$CONFIG" "$TEMPLATE"; do
diff --git a/test/integration/test-apt-sources-deb822 b/test/integration/test-apt-sources-deb822
index fdf26fe97..8ffe0abe6 100755
--- a/test/integration/test-apt-sources-deb822
+++ b/test/integration/test-apt-sources-deb822
@@ -14,6 +14,8 @@ BASE='# some comment
 # that contains a : as well
 #Types: meep
 
+# a free-standing comment appears
+
 Types: deb
 #Types: deb-src
 URIs: http://ftp.debian.org/debian
@@ -291,3 +293,69 @@ testsuccessequal --nomsg "'http://ftp.debian.org/debian/dists/stable/InRelease'
 'http://ftp.debian.org/debian2/dists/sid/non-free/binary-powerpc/Packages.xz' ftp.debian.org_debian2_dists_sid_non-free_binary-powerpc_Packages 0 
 'http://ftp.debian.org/debian2/dists/sid/non-free/binary-all/Packages.xz' ftp.debian.org_debian2_dists_sid_non-free_binary-all_Packages 0 
 'http://ftp.debian.org/debian2/dists/sid/non-free/i18n/Translation-en.xz' ftp.debian.org_debian2_dists_sid_non-free_i18n_Translation-en 0 " aptget update --print-uris
+
+EXPECTEDUK="'http://ftp.uk.debian.org/debian/dists/stretch/InRelease' ftp.uk.debian.org_debian_dists_stretch_InRelease 0 
+'http://ftp.uk.debian.org/debian/dists/stretch/main/source/Sources.xz' ftp.uk.debian.org_debian_dists_stretch_main_source_Sources 0 
+'http://ftp.uk.debian.org/debian/dists/stretch/contrib/source/Sources.xz' ftp.uk.debian.org_debian_dists_stretch_contrib_source_Sources 0 
+'http://ftp.uk.debian.org/debian/dists/stretch/non-free/source/Sources.xz' ftp.uk.debian.org_debian_dists_stretch_non-free_source_Sources 0 
+'http://ftp.uk.debian.org/debian/dists/stretch/main/binary-i386/Packages.xz' ftp.uk.debian.org_debian_dists_stretch_main_binary-i386_Packages 0 
+'http://ftp.uk.debian.org/debian/dists/stretch/main/binary-all/Packages.xz' ftp.uk.debian.org_debian_dists_stretch_main_binary-all_Packages 0 
+'http://ftp.uk.debian.org/debian/dists/stretch/main/i18n/Translation-en.xz' ftp.uk.debian.org_debian_dists_stretch_main_i18n_Translation-en 0 
+'http://ftp.uk.debian.org/debian/dists/stretch/contrib/binary-i386/Packages.xz' ftp.uk.debian.org_debian_dists_stretch_contrib_binary-i386_Packages 0 
+'http://ftp.uk.debian.org/debian/dists/stretch/contrib/binary-all/Packages.xz' ftp.uk.debian.org_debian_dists_stretch_contrib_binary-all_Packages 0 
+'http://ftp.uk.debian.org/debian/dists/stretch/contrib/i18n/Translation-en.xz' ftp.uk.debian.org_debian_dists_stretch_contrib_i18n_Translation-en 0 
+'http://ftp.uk.debian.org/debian/dists/stretch/non-free/binary-i386/Packages.xz' ftp.uk.debian.org_debian_dists_stretch_non-free_binary-i386_Packages 0 
+'http://ftp.uk.debian.org/debian/dists/stretch/non-free/binary-all/Packages.xz' ftp.uk.debian.org_debian_dists_stretch_non-free_binary-all_Packages 0 
+'http://ftp.uk.debian.org/debian/dists/stretch/non-free/i18n/Translation-en.xz' ftp.uk.debian.org_debian_dists_stretch_non-free_i18n_Translation-en 0 "
+
+msgcleantest 'Test deb822 sources.list file comments' 'top'
+cat > $SOURCES <<EOF
+#NOTE: Most preferred source listed first!
+
+
+#=== NEW MULTI-LINE FORMAT ===============
+Types:          deb deb-src
+URIs:http://ftp.uk.debian.org/debian/
+Suites:         stretch
+Components:     main contrib non-free
+EOF
+testsuccessequal --nomsg "$EXPECTEDUK" aptget update --print-uris
+
+msgcleantest 'Test deb822 sources.list file comments' 'bottom'
+cat > $SOURCES <<EOF
+Types:          deb deb-src
+URIs:http://ftp.uk.debian.org/debian/
+Suites:         stretch
+Components:     main contrib non-free
+#=== NEW MULTI-LINE FORMAT ===============
+
+
+#NOTE: Most preferred source listed first!
+EOF
+testsuccessequal --nomsg "$EXPECTEDUK" aptget update --print-uris
+
+msgcleantest 'Test deb822 sources.list file comments' 'both'
+cat > $SOURCES <<EOF
+#=== NEW MULTI-LINE FORMAT ===============
+
+
+#NOTE: Most preferred source listed first!
+Types:          deb deb-src
+URIs:http://ftp.uk.debian.org/debian/
+Suites:         stretch
+Components:     main contrib non-free
+#=== NEW MULTI-LINE FORMAT ===============
+
+
+#NOTE: Most preferred source listed first!
+EOF
+testsuccessequal --nomsg "$EXPECTEDUK" aptget update --print-uris
+
+
+msgcleantest 'Test deb822 sources.list file comments' 'empty'
+cat > $SOURCES <<EOF
+#=== NEW MULTI-LINE FORMAT ===============
+
+
+EOF
+testempty aptget update --print-uris
diff --git a/test/integration/test-cve-2013-1051-InRelease-parsing b/test/integration/test-cve-2013-1051-InRelease-parsing
index 6238057c3..1f0cbda04 100755
--- a/test/integration/test-cve-2013-1051-InRelease-parsing
+++ b/test/integration/test-cve-2013-1051-InRelease-parsing
@@ -46,9 +46,12 @@ touch -d '+1hour' aptarchive/dists/stable/InRelease
 listcurrentlistsdirectory | sed '/_InRelease/ d' > listsdir.lst
 msgtest 'apt-get update should ignore unsigned data in the' 'InRelease'
 testwarningequal "Get:1 http://localhost:${APTHTTPPORT} stable InRelease [$(stat -c%s aptarchive/dists/stable/InRelease) B]
+Err:1 http://localhost:${APTHTTPPORT} stable InRelease
+  Splitting up ${TMPWORKINGDIRECTORY}/rootdir/var/lib/apt/lists/partial/localhost:${APTHTTPPORT}_dists_stable_InRelease into data and signature failed
 Reading package lists...
-W: Clearsigned file '${TMPWORKINGDIRECTORY}/rootdir/var/lib/apt/lists/partial/localhost:${APTHTTPPORT}_dists_stable_InRelease' contains unsigned lines.
-W: Clearsigned file '${TMPWORKINGDIRECTORY}/rootdir/var/lib/apt/lists/localhost:${APTHTTPPORT}_dists_stable_InRelease' contains unsigned lines." --nomsg aptget update
+W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://localhost:${APTHTTPPORT} stable InRelease: Splitting up ${TMPWORKINGDIRECTORY}/rootdir/var/lib/apt/lists/partial/localhost:${APTHTTPPORT}_dists_stable_InRelease into data and signature failed
+W: Failed to fetch http://localhost:${APTHTTPPORT}/dists/stable/InRelease  Splitting up ${TMPWORKINGDIRECTORY}/rootdir/var/lib/apt/lists/partial/localhost:${APTHTTPPORT}_dists_stable_InRelease into data and signature failed
+W: Some index files failed to download. They have been ignored, or old ones used instead." --nomsg aptget update
 testfileequal './listsdir.lst' "$(listcurrentlistsdirectory | sed '/_InRelease/ d')"
 
 # ensure there is no package
diff --git a/test/integration/test-cve-2019-3462-Release.gpg-payload b/test/integration/test-cve-2019-3462-Release.gpg-payload
new file mode 100755
index 000000000..fd0f96713
--- /dev/null
+++ b/test/integration/test-cve-2019-3462-Release.gpg-payload
@@ -0,0 +1,43 @@
+#!/bin/sh
+set -e
+
+# This is not covered by the CVE and harmless by itself, but used in
+# the exploit and while harmless it is also pointless to allow it
+
+TESTDIR="$(readlink -f "$(dirname "$0")")"
+. "$TESTDIR/framework"
+
+setupenvironment
+configarchitecture 'amd64'
+
+export APT_DONT_SIGN='InRelease'
+
+insertpackage 'unstable' 'foo' 'all' '1'
+setupaptarchive
+rm -rf rootdir/var/lib/apt/lists
+
+verify() {
+	testfailure apt update
+	testsuccess grep '^  Detached signature file' rootdir/tmp/testfailure.output
+	testfailure apt show foo
+}
+
+msgmsg 'Payload after detached signature'
+find aptarchive -name 'Release.gpg' | while read FILE; do
+	cp -a "$FILE" "${FILE}.bak"
+	echo "evil payload" >> "$FILE"
+done
+verify
+
+msgmsg 'Payload in-between detached signatures'
+find aptarchive -name 'Release.gpg' | while read FILE; do
+	cat "${FILE}.bak" >> "$FILE"
+done
+verify
+
+msgmsg 'Payload before detached signature'
+find aptarchive -name 'Release.gpg' | while read FILE; do
+	echo "evil payload" > "$FILE"
+	cat "${FILE}.bak" >> "$FILE"
+done
+verify
diff --git a/test/integration/test-method-gpgv b/test/integration/test-method-gpgv
index 70521881d..bfa5af4c2 100755
--- a/test/integration/test-method-gpgv
+++ b/test/integration/test-method-gpgv
@@ -71,44 +71,60 @@ testrun() {
 [GNUPG:] VALIDSIG 891CC50E605796A0C6E733F74BC0A39C27CE74F9 2016-09-01 1472742629 0 4 0 1 11 00 891CC50E605796A0C6E733F74BC0A39C27CE74F9'
 }
 
+echo 'Test' > message.data
+cat >message.sig <<EOF
+-----BEGIN PGP SIGNATURE-----
+
+iQFEBAEBCgAuFiEENKjp0Y2zIPNn6OqgWpDRQdusja4FAlhT7+kQHGpvZUBleGFt
+cGxlLm9yZwAKCRBakNFB26yNrjvEB/9/e3jA1l0fvPafx9LEXcH8CLpUFQK7ra9l
+3M4YAH4JKQlTG1be7ixruBRlCTh3YiSs66fKMeJeUYoxA2HPhvbGFEjQFAxunEYg
+X/LBKv1mQWa+Q34P5GBjK8kQdLCN+yJAiUErmWNQG3GPninrxsC9tY5jcWvHeP1k
+V7N3MLnNqzXaCJM24mnKidC5IDadUdQ8qC8c3rjUexQ8vBz0eucH56jbqV5oOcvx
+pjlW965dCPIf3OI8q6J7bIOjyY+u/PTcVlqPq3TUz/ti6RkVbKpLH0D4ll3lUTns
+JQt/+gJCPxHUJphy8sccBKhW29CLELJIIafvU30E1nWn9szh2Xjq
+=TB1F
+-----END PGP SIGNATURE-----
+EOF
+
+
 gpgvmethod() {
-	echo '601 Configuration
+	echo "601 Configuration
 Config-Item: Debug::Acquire::gpgv=1
 Config-Item: Dir::Bin::apt-key=./faked-apt-key
 Config-Item: APT::Hashes::SHA1::Weak=true
 
 600 URI Acquire
-URI: file:///dev/null
-Filename: /dev/zero
-' | runapt "${METHODSDIR}/gpgv"
+URI: file://${TMPWORKINGDIRECTORY}/message.sig
+Filename: ${TMPWORKINGDIRECTORY}/message.data
+" | runapt "${METHODSDIR}/gpgv"
 }
 testrun
 
 gpgvmethod() {
-	echo '601 Configuration
+	echo "601 Configuration
 Config-Item: Debug::Acquire::gpgv=1
 Config-Item: Dir::Bin::apt-key=./faked-apt-key
 Config-Item: APT::Hashes::SHA1::Weak=true
 
 600 URI Acquire
-URI: file:///dev/null
-Filename: /dev/zero
+URI: file://${TMPWORKINGDIRECTORY}/message.sig
+Filename: ${TMPWORKINGDIRECTORY}/message.data
 Signed-By: /dev/null,34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE
-' | runapt "${METHODSDIR}/gpgv"
+" | runapt "${METHODSDIR}/gpgv"
 }
 testrun
 
 gpgvmethod() {
-	echo '601 Configuration
+	echo "601 Configuration
 Config-Item: Debug::Acquire::gpgv=1
 Config-Item: Dir::Bin::apt-key=./faked-apt-key
 Config-Item: APT::Hashes::SHA1::Weak=true
 
 600 URI Acquire
-URI: file:///dev/null
-Filename: /dev/zero
+URI: file://${TMPWORKINGDIRECTORY}/message.sig
+Filename: ${TMPWORKINGDIRECTORY}/message.data
 Signed-By: 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE,/dev/null
-' | runapt "${METHODSDIR}/gpgv"
+" | runapt "${METHODSDIR}/gpgv"
 }
 testrun
 
@@ -122,16 +138,16 @@ testsuccess grep '^\s\+Good:\s\+$' method.output
 testsuccess grep 'verified because the public key is not available: GOODSIG' method.output
 
 gpgvmethod() {
-	echo '601 Configuration
+	echo "601 Configuration
 Config-Item: Debug::Acquire::gpgv=1
 Config-Item: Dir::Bin::apt-key=./faked-apt-key
 Config-Item: APT::Hashes::SHA1::Weak=true
 
 600 URI Acquire
-URI: file:///dev/null
-Filename: /dev/zero
+URI: file://${TMPWORKINGDIRECTORY}/message.sig
+Filename: ${TMPWORKINGDIRECTORY}/message.data
 Signed-By: 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE!
-' | runapt "${METHODSDIR}/gpgv"
+" | runapt "${METHODSDIR}/gpgv"
 }
 testgpgv 'Exact matched subkey signed with long keyid' 'Good: GOODSIG 5A90D141DBAC8DAE' '34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE!' '[GNUPG:] GOODSIG 5A90D141DBAC8DAE Sebastian Subkey <subkey@example.org>
 [GNUPG:] VALIDSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE 2018-08-16 1534459673 0 4 0 1 11 00 4281DEDBD466EAE8C1F4157E5B6896415D44C43E'