From ae286f57156e344713ec3a50cb8f358953577ca7 Mon Sep 17 00:00:00 2001
From: Michael Vogt <mvo@ubuntu.com>
Date: Wed, 18 Jun 2014 10:57:28 +0200
Subject: merge upload 1.0.1ubuntu2.1

---
 apt-private/private-download.cc                    |  5 ++++
 apt-private/private-download.h                     |  6 +++++
 cmdline/apt-get.cc                                 |  9 ++++++-
 debian/changelog                                   | 14 ++++++++--
 test/integration/test-apt-get-source-authenticated | 31 ++++++++++++++++++++++
 5 files changed, 62 insertions(+), 3 deletions(-)
 create mode 100644 test/integration/test-apt-get-source-authenticated

diff --git a/apt-private/private-download.cc b/apt-private/private-download.cc
index a095f0c67..be7d23c31 100644
--- a/apt-private/private-download.cc
+++ b/apt-private/private-download.cc
@@ -28,6 +28,11 @@ bool CheckAuth(pkgAcquire& Fetcher, bool const PromptUser)
    if (UntrustedList == "")
       return true;
 
+   return AuthPrompt(UntrustedList, PromptUser);
+}
+
+bool AuthPrompt(std::string UntrustedList, bool const PromptUser)
+{
    ShowList(c2out,_("WARNING: The following packages cannot be authenticated!"),UntrustedList,"");
 
    if (_config->FindB("APT::Get::AllowUnauthenticated",false) == true)
diff --git a/apt-private/private-download.h b/apt-private/private-download.h
index a108aa531..a90ac7eaa 100644
--- a/apt-private/private-download.h
+++ b/apt-private/private-download.h
@@ -5,7 +5,13 @@
 
 class pkgAcquire;
 
+// Check if all files in the fetcher are authenticated
 APT_PUBLIC bool CheckAuth(pkgAcquire& Fetcher, bool const PromptUser);
+
+// show a authentication warning prompt and return true if the system
+// should continue
+APT_PUBLIC bool AuthPrompt(std::string UntrustedList, bool const PromptUser);
+
 APT_PUBLIC bool AcquireRun(pkgAcquire &Fetcher, int const PulseInterval, bool * const Failure, bool * const TransientNetworkFailure);
 
 #endif
diff --git a/cmdline/apt-get.cc b/cmdline/apt-get.cc
index e7fd4bfb8..7a77ace74 100644
--- a/cmdline/apt-get.cc
+++ b/cmdline/apt-get.cc
@@ -76,7 +76,6 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
-#include <sys/ioctl.h>
 #include <sys/stat.h>
 #include <sys/statfs.h>
 #include <sys/statvfs.h>
@@ -756,6 +755,7 @@ static bool DoSource(CommandLine &CmdL)
 
    // Load the requestd sources into the fetcher
    unsigned J = 0;
+   std::string UntrustedList;
    for (const char **I = CmdL.FileList + 1; *I != 0; I++, J++)
    {
       string Src;
@@ -764,6 +764,9 @@ static bool DoSource(CommandLine &CmdL)
       if (Last == 0) {
 	 return _error->Error(_("Unable to find a source package for %s"),Src.c_str());
       }
+
+      if (Last->Index().IsTrusted() == false)
+         UntrustedList += Src + " ";
       
       string srec = Last->AsStr();
       string::size_type pos = srec.find("\nVcs-");
@@ -847,6 +850,10 @@ static bool DoSource(CommandLine &CmdL)
 			Last->Index().SourceInfo(*Last,*I),Src);
       }
    }
+
+   // check authentication status of the source as well
+   if (UntrustedList != "" && !AuthPrompt(UntrustedList, false))
+      return false;
    
    // Display statistics
    unsigned long long FetchBytes = Fetcher.FetchNeeded();
diff --git a/debian/changelog b/debian/changelog
index 5bf131080..419e4ba77 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-apt (1.0.1ubuntu2.1) UNRELEASED; urgency=medium
+apt (1.0.1ubuntu2.2) UNRELEASED; urgency=medium
 
   * Implement CacheDB for source packages in apt-ftparchive  
     LP: #1329212
@@ -7,7 +7,17 @@ apt (1.0.1ubuntu2.1) UNRELEASED; urgency=medium
   * Add compat mode for old (32bit FileSize) CacheDB (LP: #1274466)
   * fix tests and add db-util to the test dependencies
 
- -- Michael Vogt <michael.vogt@ubuntu.com>  Thu, 12 Jun 2014 09:54:47 +0200
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Wed, 18 Jun 2014 10:56:19 +0200
+
+apt (1.0.1ubuntu2.1) trusty-security; urgency=low
+
+  * SECURITY UPDATE: incorrect apt-get source validation (LP: #1329274)
+    - warn if not authenticated in apt-private/private-download.*,
+      cmdline/apt-get.cc, added regression test to
+      test/integration/test-apt-get-source-authenticated.
+    - CVE-2014-0478
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Thu, 12 Jun 2014 13:57:38 +0200
 
 apt (1.0.1ubuntu2) trusty; urgency=low
 
diff --git a/test/integration/test-apt-get-source-authenticated b/test/integration/test-apt-get-source-authenticated
new file mode 100644
index 000000000..2cee13923
--- /dev/null
+++ b/test/integration/test-apt-get-source-authenticated
@@ -0,0 +1,31 @@
+#!/bin/sh
+#
+# Regression test for debian bug #749795. Ensure that we fail with
+# a error if apt-get source foo will download a source that comes
+# from a unauthenticated repository
+#
+set -e
+
+TESTDIR=$(readlink -f $(dirname $0))
+. $TESTDIR/framework
+
+setupenvironment
+configarchitecture "i386"
+
+# a "normal" package with source and binary
+buildsimplenativepackage 'foo' 'all' '2.0'
+
+setupaptarchive --no-update
+
+APTARCHIVE=$(readlink -f ./aptarchive)
+rm -f $APTARCHIVE/dists/unstable/*Release*
+
+# update without authenticated InRelease file
+testsuccess aptget update
+
+# this all should fail
+testfailure aptget install -y foo
+testfailure aptget source foo
+
+# allow overriding the warning
+testsuccess aptget source --allow-unauthenticated foo
-- 
cgit v1.2.3