summaryrefslogtreecommitdiff
path: root/test/integration
AgeCommit message (Collapse)Author
2019-01-25SECURITY UPDATE: content injection in http method (CVE-2019-3462)Julian Andres Klode
This fixes a security issue that can be exploited to inject arbritrary debs or other files into a signed repository as followed: (1) Server sends a redirect to somewhere%0a<headers for the apt method> (where %0a is \n encoded) (2) apt method decodes the redirect (because the method encodes the URLs before sending them out), writting something like somewhere\n <headers> into its output (3) apt then uses the headers injected for validation purposes. Regression-Of: c34ea12ad509cb34c954ed574a301c3cbede55ec LP: #1812353
2019-01-14Add support for /etc/apt/auth.conf.d/*.conf (netrcparts)Julian Andres Klode
This allows us to install matching auth files for sources.list.d files, for example; very useful. This converts aptmethod's authfd from one FileFd to a vector of pointers to FileFd, as FileFd cannot be copied, and move operators are hard. (cherry picked from commit bbfcc05c1978decd28df9681fd73e2a7d9a8c2a5) LP: #1811120
2018-10-05Set DPKG_FRONTEND_LOCKED when running {pre,post}-invoke scriptsJulian Andres Klode
Some post-invoke scripts install packages, which fails because the environment variable is not set. This sets the variable for all three kinds of scripts {pre,post-}invoke and pre-install-pkgs, but we will only allow post-invoke at a later time. Gbp-Dch: full
2018-09-20Deal with descriptions embedded in displayed record correctlyDavid Kalnischkies
The implementation of "apt-cache show" (not "apt show") incorrectly resets the currently used parser if the record itself and the description to show come from the same file (as it is the case if no Translation-* files are available e.g. after debootstrap). The code is more complex than you would hope to support some rather unusual setups involving Descriptions and their translations as tested for by ./test-bug-712435-missing-descriptions as otherwise this could be a one-line change. Regression-Of: bf53f39c9a0221b670ffff74053ed36fc502d5a0 Closes: #909155
2018-09-18Merge branch 'bugfix/statusfd' into 'master'Julian Andres Klode
Process all of --status-fd and don't expect duplicate status msg See merge request apt-team/apt!26
2018-09-15Show all architectures in 'apt list' outputDavid Kalnischkies
The uniqueness in std::set containers is ensured by the ordering operator we provide, but it was not considering that different versions can have the same description like the different architectures for a version of a package. Closes: #908218
2018-09-11Reorder progress report messagesDavid Kalnischkies
We are seeing 'processing' messages from dpkg first, so it makes sense to translate them to "Preparing" messages instead of using "Installing" and co to override these shortly after with the "Preparing" messages. The difference isn't all to visible as later messages tend to linger far longer in the display than the ealier ones, but at least in a listing it seems more logical.
2018-09-11Don't expect duplicated dpkg status-fd messagesDavid Kalnischkies
The progress reporting relies on parsing the status reports of dpkg which used to repeat being in the same state multiple times in the same run, but by fixing #365921 it will stop doing so. The problem is in theory just with 'config-files' in case we do purge as this (can) do remove + purge in one step, but we remove this also for the unpack + configure combination althrough we handle these currently in two independent dpkg calls.
2018-09-11Unset more environment variables in test frameworkDavid Kalnischkies
It is an uphill battle to "reset" the environment to a clean state without making it needlessly hard to use 'good' environment variables, so we just try a little harder here without really trying for completeness. Gbp-Dch: Ignore
2018-09-10Don't use gpg directly in apt-key testDavid Kalnischkies
Reported-By: Guillem Jover <guillem@debian.org> Gbp-Dch: Ignore
2018-08-29Fix typos reported by codespell & spellintianDavid Kalnischkies
No user-visible change as it effects mostly code comments and not a single error message, manpage or similar. Reported-By: codespell & spellintian Gbp-Dch: Ignore
2018-08-29Don't use invalid iterator in Fallback-Of handlingDavid Kalnischkies
cppcheck reports: (error) Iterator 't' used after element has been erased. The loop is actually fashioned to deal with this (not in the most efficient way, but in simplest and speed isn't really a concern here) IF this codepath had a "break" at the end… so I added one. Note that the tests aren't failing before (and hopefully after) the change as the undefined behavior we encounter is too stable. Thanks: David Binderman for reporting
2018-08-20clear alternative URIs for mirror:// between steps (CVE-2018-0501)David Kalnischkies
APT in 1.6 saw me rewriting the mirror:// transport method, which works comparable to the decommissioned httpredir.d.o "just" that apt requests a mirror list and performs all the redirections internally with all the bells like parallel download and automatic fallback (more details in the apt-transport-mirror manpage included in the 1.6 release). The automatic fallback is the problem here: The intend is that if a file fails to be downloaded (e.g. because the mirror is offline, broken, out-of-sync, …) instead of erroring out the next mirror in the list is contacted for a retry of the download. Internally the acquire process of an InRelease file (works with the Release/Release.gpg pair, too) happens in steps: 1) download file and 2) verify file, both handled as URL requests passed around. Due to an oversight the fallbacks for the first step are still active for the second step, so that the successful download from another mirror stands in for the failed verification… *facepalm* Note that the attacker can not judge by the request arriving for the InRelease file if the user is using the mirror method or not. If entire traffic is observed Eve might be able to observe the request for a mirror list, but that might or might not be telling if following requests for InRelease files will be based on that list or for another sources.list entry not using mirror (Users have also the option to have the mirror list locally (via e.g. mirror+file://) instead of on a remote host). If the user isn't using mirror:// for this InRelease file apt will fail very visibly as intended. (The mirror list needs to include at least two mirrors and to work reliably the attacker needs to be able to MITM all mirrors in the list. For remotely accessed mirror lists this is no limitation as the attacker is in full control of the file in that case) Fixed by clearing the alternatives after a step completes (and moving a pimpl class further to the top to make that valid compilable code). mirror:// is at the moment the only method using this code infrastructure (for all others this set is already empty) and the only method-independent user so far is the download of deb files, but those are downloaded and verified in a single step; so there shouldn't be much opportunity for regression here even through a central code area is changed. Upgrade instructions: Given all apt-based frontends are affected, even additional restrictions like signed-by are bypassed and the attack in progress is hardly visible in the progress reporting of an update operation (the InRelease file is marked "Ign", but no fallback to "Release/Release.gpg" is happening) and leaves no trace (expect files downloaded from the attackers repository of course) the best course of action might be to change the sources.list to not use the mirror family of transports ({tor+,…}mirror{,+{http{,s},file,…}}) until a fixed version of the src:apt packages are installed. Regression-Of: 355e1aceac1dd05c4c7daf3420b09bd860fd169d, 57fa854e4cdb060e87ca265abd5a83364f9fa681 LP: #1787752
2018-08-19Report (soon) worthless keys if gpg uses fpr for GOODSIGDavid Kalnischkies
gpgs DETAILS documentation file declares that GOODSIG could report keyid or fingerprint since gpg2, but for the time being it is still keyid only. Who knows if that will ever change as that feels like an interface break with dangerous security implications, but lets be better safe than sorry especially as the code dealing with signed-by keyids is prepared for this already. This code is rewritten still to have them all use the same code for this type of problem.
2018-08-19test: Supports records larger than 32kb in 'apt show'David Kalnischkies
The 1.7 series rework of show started in bf53f39c9a0221b670ffff74053ed36fc502d5a0 resolved the issue already, but its always a good idea to at least bring the tests along so that we hopeful do not regress in the future with another rewrite. Tests: #905527 Gbp-Dch: Ignore
2018-06-27Handle JSON hooks that just close the file/exit and fix some other errorsJulian Andres Klode
JSON hooks might disappear and the common idiom to work around hooks disappearing is to check for the hook in the shell snippet that is in the apt.conf file and if it does not exist, do nothing. This caused APT to fail however, expecting it to acknowledge the handshake. Ignoring ECONNRESET on handshakes solves the problem. The error case, and the other error cases also did not stop execution of the hook, causing more errors to pile up. Fix this by directly going to the closing part of the code. LP: #1776218
2018-05-28Don't show acquire warning for "hidden" componentsDavid Kalnischkies
Commit d7c92411dc1f4c6be098d1425f9c1c075e0c2154 introduced a warning for non-existent files from components not mentioned in Components to hint users at a mispelling or the disappearance of a component. The debian-installer subcomponent isn't actively advertised in the Release file through, so if apt ends up in acquiring a file which doesn't exist for this component (like Translation files) apt would produce a warning: W: Skipping acquire of configured file 'main/debian-installer/i18n/Translation-en' as repository 'http://deb.debian.org/debian buster InRelease' doesn't have the component 'main/debian-installer' (component misspelt in sources.list?) We prevent this in the future by checking if any file exists from this component which results in the warning to be produced still for the intended cases and silence it on the d-i case. This could potentially cause the warning not to be produced in cases it should be if some marginal file remains, but as this message is just a hint and the setup a bit pathological lets ignore it for now. There is also the possibility of having no file present as they would all be 0-length files and being a "hidden" component, but that would be easy to workaround from the repository side and isn't really actively used at the moment in the wild. Closes: #879591
2018-05-28tests: Prevent stunnel4 from binding on IPv6David Kalnischkies
Hardcoding the IPv4 address 127.0.0.1 stops stunnel4 from also binding on IPv6 as well which not only binds on another port but confuses our crude port extraction by splitting on ':' with ::1. Gbp-Dch: Ignore
2018-05-24Merge branch 'feature/morevolatilesupport' into 'master'Julian Andres Klode
more volatile: build-dep foo.deb/release & show foo.deb See merge request apt-team/apt!14
2018-05-24Merge branch 'feature/byhashviaalturl' into 'master'Julian Andres Klode
Don't force the same mirror for by-hash URIs See merge request apt-team/apt!15
2018-05-21Extend test-apt-get-autoremove to check debug outputFilipe Brandenburger
Run `apt-get autoremove -o Debug::pkgAutoRemove=yes` and confirm the logged reason for packages to be kept is correct. Only check for specific debug lines containing 'MarkPackage:' in order to prevent new debug logging to break the test case.
2018-05-19Fix hidden test failure if not called via sudoDavid Kalnischkies
id: '': no such user ./test-bug-611729-mark-as-manual: 59: [: Illegal number: Regression-of: 68842e1741a5005b1e3f0a07deffd737c65e3294 Gbp-Dch: Ignore
2018-05-16tests: Do not expect requested-by if sudo was invoked by rootJulian Andres Klode
If sudo was invoked by root, SUDO_UID will be 0, and apt will not print a Requested-By line.
2018-05-11Handle by-hash URI construction more centrallyDavid Kalnischkies
Individual items shouldn't concern themselves with these alternative locations, we can deal with this more efficiently within the infrastructure created for other alternative URIs now avoiding the need to implement this in each item.
2018-05-11Drop alternative URIs we got a hash-based fail fromDavid Kalnischkies
If we got a file but it produced a hash error, mismatched size or similar we shouldn't fallback to alternative URIs as they likely result in the same error. If we can we should instead use another mirror. We used to be a lot stricter by stopping all trys for this file if we got a non-404 (or a hash-based) failure, but that is too hard as we really want to try other mirrors (if we have them) in the hope that they have the expected and correct files.
2018-05-11Support local files as arguments in show commandDavid Kalnischkies
Now that --with-source is supported in show we can go a little further and add the "syntactic sugar" of supporting deb-files on the commandline directly to give users an alternative to remembering dpkg -I for deb files & as a bonus apt also works on changes files. Most of the code churn is actually to deal with cases probably not too common in reality like mixing packages and deb-files on the commandline and getting the right order for these multiple records. Closes: 883206
2018-05-11Support --with-source in show & search commandsDavid Kalnischkies
2018-05-11Support release selector for volatile files as wellDavid Kalnischkies
The syntax is a bit awkward, but it is the same as for a package name and introducing another syntax wouldn't really help usability, so with apt install ./foo.deb/experimental you will get the dependencies of foo satisfied by your default release, but if this wouldn't satisfy the version requirements the candidate for this dependency is switched to the version from the experimental release. The same applies for apt build-dep ./foo.dsc/stable-backports which was the initial request.
2018-05-11Extend apt build-dep pkg/release to switch dep as neededDavid Kalnischkies
apt install pkg/release follows versioned dependencies in the candidate switching if the current candidate does not satisfy the dependency, so for uniformity the same should be supported in build-dep.
2018-05-05Fix various typos reported by spellcheckersDavid Kalnischkies
Reported-By: codespell & spellintian Gbp-Dch: Ignore
2018-04-15Merge branch 'pu/heavy-hooks' into 'master'Julian Andres Klode
json-based hooks for apt cli tools See merge request apt-team/apt!10
2018-04-15Introduce experimental new hooks for command-line toolsJulian Andres Klode
This allows third-party package managers like snap or flatpak to hook in and suggest alternatives if packages could not be found, for example. This is still highly experimental and the protocol might change in future versions.
2018-04-15Merge branch 'pu/zstd' into 'master'Julian Andres Klode
pu/zstd See merge request apt-team/apt!8
2018-04-06test: export GCOV_ERROR_FILE=/dev/null to make it fail less/no testsJulian Andres Klode
2018-03-15Use https for Ubuntu changelogsJulian Andres Klode
We just enabled https on changelogs.ubuntu.com, let's use it.
2018-03-12apt-pkg: Add support for zstdJulian Andres Klode
zstd is a compression algorithm developed by facebook. At level 19, it is about 6% worse in size than xz -6, but decompression is multiple times faster, saving about 40% install time, especially with eatmydata on cloud instances.
2018-02-19Merge branch 'pu/not-valid-before' into 'master'Julian Andres Klode
Check that Date of Release file is not in the future See merge request apt-team/apt!3
2018-02-19Check that Date of Release file is not in the futureJulian Andres Klode
By restricting the Date field to be in the past, an attacker cannot just create a repository from the future that would be accepted as a valid update for a repository. This check can be disabled by Acquire::Check-Date set to false. This will also disable Check-Valid-Until and any future date related checking, if any - the option means: "my computers date cannot be trusted." Modify the tests to allow repositories to be up to 10 hours in the future, so we can keep using hours there to simulate time changes.
2018-02-19ensure correct file permissions for auxfilesDavid Kalnischkies
The interesting takeaway here is perhaps that 'chmod +w' is effected by the umask – obvious in hindsight of course. The usual setup helps with hiding that applying that recursively on all directories (and files) isn't correct. Ensuring files will not be stored with the wrong permissions even if in strange umask contexts is trivial in comparison. Fixing the test also highlighted that it wasn't bulletproof as apt will automatically fix the permissions of the directories it works with, so for this test we actually need to introduce a shortcut in the code. Reported-By: Ubuntu autopkgtest CI
2018-02-19tests: set debhelper compat 10 and R³ by defaultDavid Kalnischkies
The testpackages hardly need debhelper at all, so any version would do, and they build without root rights by definition, but declaring it explicitly can't hurt and in the case of debhelper it would be sad if our testcases break one day because the old compat level is removed. Gbp-Dch: Ignore
2018-02-19add apt-helper drop-privs command…David Kalnischkies
2018-02-19Work around test-method-mirror failure by setting umask at startJulian Andres Klode
This fixes a test failure on autopkgtest.
2018-01-19allow the apt/lists/auxfiles/ directory to be missingDavid Kalnischkies
apt 1.6~alpha6 introduced aux requests to revamp the implementation of a-t-mirror. This already included the potential of running as non-root, but the detection wasn't complete resulting in errors or could produce spurious warnings along the way if the directory didn't exist yet. References: ef9677831f62a1554a888ebc7b162517d7881116 Closes: 887624
2018-01-17Introduce inrelease-path option for sources.listJulian Andres Klode
Allow specifying an alternative path to the InRelease file, so you can have multiple versions of a repository, for example. Enabling this option disables fallback to Release and Release.gpg, so setting it to InRelease can be used to ensure that only that will be tried. We add two test cases: One for checking that it works, and another for checking that the fallback does not happen. Closes: #886745
2018-01-03add a testcase for the mirror methodDavid Kalnischkies
Gbp-Dch: Ignore
2018-01-03allow a method to request auxiliary filesDavid Kalnischkies
If a method needs a file to operate like e.g. mirror needs to get a list of mirrors before it can redirect the the actual requests to them. That could easily be solved by moving the logic into libapt directly, but by allowing a method to request other methods to do something we can keep this logic contained in the method and allow e.g. also methods which perform binary patching or similar things. Previously they would need to implement their own acquire system inside the existing one which in all likelyhood will not support the same features and methods nor operate with similar security compared to what we have already running 'above' the requesting method. That said, to avoid methods producing conflicts with "proper" files we are downloading a new directory is introduced to keep the auxiliary files in. [The message magic number 351 is a tribute to the german Grundgesetz article 35 paragraph 1 which defines that all authorities of the state(s) help each other on request.]
2018-01-03refactor message generation for methodsDavid Kalnischkies
The format isn't too hard to get right, but it gets funny with multiline fields (which we don't really have yet) and its just easier to deal with it once and for all which can be reused for more messages later.
2017-12-24do not remap current files if nullptrs in cache generationDavid Kalnischkies
If the cache needs to grow to make room to insert volatile files like deb files into the cache we were remapping null-pointers making them non-null-pointers in the process causing trouble later on. Only the current Releasefile pointer can currently legally be a nullpointer as volatile files have no release file they belong to, but for safety the pointer to the current Packages file is equally guarded. The option APT::Cache-Start can be used to workaround this problem. Reported-By: Mattia Rizzolo on IRC
2017-12-14relax test to accept various connection failuresDavid Kalnischkies
For the failure propagation testing we try to connect to a port which isn't open – you would think that this has a rather limited set of failure modes but it turns out that there are various ways this can fail, so instead of trying to guess all error message we just accept any. Reported-By: travis-ci Gbp-Dch: Ignore
2017-12-13implement fallback to alternative URIs for all itemsDavid Kalnischkies
For deb files we always supported falling back from one server to the other if one failed to download the deb, but that was hardwired in the handling of this specific item. Moving this alongside the retry infrastructure we can implement it for all items and allow methods to use this as well by providing additional URIs in a redirect.