summaryrefslogtreecommitdiff
path: root/test
diff options
context:
space:
mode:
Diffstat (limited to 'test')
-rwxr-xr-xtest/integration/test-apt-update-file34
-rwxr-xr-xtest/integration/test-apt-update-stale46
-rwxr-xr-xtest/integration/test-apt-update-unauth48
-rwxr-xr-xtest/integration/test-hashsum-verification14
4 files changed, 139 insertions, 3 deletions
diff --git a/test/integration/test-apt-update-file b/test/integration/test-apt-update-file
new file mode 100755
index 000000000..e267c71da
--- /dev/null
+++ b/test/integration/test-apt-update-file
@@ -0,0 +1,34 @@
+#!/bin/sh
+#
+# Ensure that we do not modify file:/// uris (regression test for
+# CVE-2014-0487
+#
+set -e
+
+TESTDIR=$(readlink -f $(dirname $0))
+. $TESTDIR/framework
+
+setupenvironment
+configarchitecture "amd64"
+configcompression 'bz2' 'gz'
+
+insertpackage 'unstable' 'foo' 'all' '1.0'
+
+umask 022
+setupaptarchive --no-update
+
+# ensure the archive is not writable
+chmod 550 aptarchive/dists/unstable/main/binary-amd64
+
+testsuccess aptget update -qq
+testsuccess aptget update -qq
+aptget update -qq -o Debug::pkgAcquire::Auth=1 2> output.log
+
+# ensure that the hash of the uncompressed file was verified even on a local
+# ims hit
+canary="SHA512:$(bzcat aptarchive/dists/unstable/main/binary-amd64/Packages.bz2 | sha512sum |cut -f1 -d' ')"
+grep -q "RecivedHash: $canary" output.log
+
+
+# the cleanup should still work
+chmod 750 aptarchive/dists/unstable/main/binary-amd64
diff --git a/test/integration/test-apt-update-stale b/test/integration/test-apt-update-stale
new file mode 100755
index 000000000..780ff79af
--- /dev/null
+++ b/test/integration/test-apt-update-stale
@@ -0,0 +1,46 @@
+#!/bin/sh
+#
+# Ensure that a MITM can not stale the Packages/Sources without
+# raising a error message. Note that the Release file is protected
+# via the "Valid-Until" header
+#
+set -e
+
+TESTDIR=$(readlink -f $(dirname $0))
+. $TESTDIR/framework
+
+setupenvironment
+configarchitecture "i386"
+
+insertpackage 'unstable' 'foo' 'all' '1.0'
+
+setupaptarchive
+changetowebserver
+aptget update -qq
+
+# insert new version
+mkdir aptarchive/dists/unstable/main/binary-i386/saved
+cp -p aptarchive/dists/unstable/main/binary-i386/Packages* \
+ aptarchive/dists/unstable/main/binary-i386/saved
+insertpackage 'unstable' 'foo' 'all' '2.0'
+
+# not using compressfile for compat with older apt releases
+gzip -c aptarchive/dists/unstable/main/binary-i386/Packages > \
+ aptarchive/dists/unstable/main/binary-i386/Packages.gz
+generatereleasefiles
+signreleasefiles
+
+# ensure that we do not get a I-M-S hit for the Release file
+touch -d "+1hour" aptarchive/dists/unstable/*Release*
+
+# but now only deliver the previous Packages file instead of the new one
+# (simulating a stale attack)
+cp -p aptarchive/dists/unstable/main/binary-i386/saved/Packages* \
+ aptarchive/dists/unstable/main/binary-i386/
+
+# ensure this raises a error
+testequal "W: Failed to fetch http://localhost:8080/dists/unstable/main/binary-i386/Packages Hash Sum mismatch
+
+E: Some index files failed to download. They have been ignored, or old ones used instead." aptget update -qq
+
+
diff --git a/test/integration/test-apt-update-unauth b/test/integration/test-apt-update-unauth
new file mode 100755
index 000000000..13487603c
--- /dev/null
+++ b/test/integration/test-apt-update-unauth
@@ -0,0 +1,48 @@
+#!/bin/sh
+#
+# Ensure that when going from unauthenticated to authenticated all
+# files are checked again
+#
+set -e
+
+TESTDIR=$(readlink -f $(dirname $0))
+. $TESTDIR/framework
+
+setupenvironment
+configarchitecture "i386"
+
+insertpackage 'unstable' 'foo' 'all' '1.0'
+insertsource 'unstable' 'foo' 'all' '1.0'
+
+setupaptarchive
+changetowebserver
+
+runtest() {
+ # start unauthenticated
+ find rootdir/var/lib/apt/lists/ -type f | xargs rm -f
+ rm -f aptarchive/dists/unstable/*Release*
+ aptget update -qq
+
+ # become authenticated
+ generatereleasefiles
+ signreleasefiles
+
+ # and ensure we do download the data again
+ msgtest "Check that the data is check when going to authenticated"
+ if aptget update |grep -q Hit; then
+ msgfail
+ else
+ msgpass
+ fi
+}
+
+for COMPRESSEDINDEXES in 'false' 'true'; do
+ echo "Acquire::GzipIndexes \"$COMPRESSEDINDEXES\";" > rootdir/etc/apt/apt.conf.d/compressindexes
+ if $COMPRESSEDINDEXES; then
+ msgmsg 'Run tests with GzipIndexes enabled'
+ else
+ msgmsg 'Run tests with GzipIndexes disabled'
+ fi
+
+ runtest
+done
diff --git a/test/integration/test-hashsum-verification b/test/integration/test-hashsum-verification
index e77efb46e..2a400dcb4 100755
--- a/test/integration/test-hashsum-verification
+++ b/test/integration/test-hashsum-verification
@@ -64,7 +64,7 @@ runtest() {
msgtest 'No package from the source available'
[ "$(aptcache show apt 2>&1)" = "E: No packages found" ] && msgpass || msgfail
msgtest 'No Packages file in /var/lib/apt/lists'
- [ "$(ls rootdir/var/lib/apt/lists/*Package* 2>/dev/null)" = "" ] && msgpass || msgfail
+ [ "$(ls rootdir/var/lib/apt/lists/*Package* 2>/dev/null | grep -v FAILED 2>/dev/null)" = "" ] && msgpass || msgfail
# now with the unsigned Release file
rm -rf rootdir/var/lib/apt/lists
@@ -75,5 +75,13 @@ runtest() {
}
-runtest
-
+for COMPRESSEDINDEXES in 'false' 'true'; do
+ echo "Acquire::GzipIndexes \"$COMPRESSEDINDEXES\";" > rootdir/etc/apt/apt.conf.d/compressindexes
+ if $COMPRESSEDINDEXES; then
+ msgmsg 'Run tests with GzipIndexes enabled'
+ else
+ msgmsg 'Run tests with GzipIndexes disabled'
+ fi
+
+ runtest
+done