From daff4aa356128310f022370f7825bdc369c66ba8 Mon Sep 17 00:00:00 2001
From: Michael Vogt <mvo@ubuntu.com>
Date: Wed, 17 Sep 2014 14:57:05 +0200
Subject: Fix regression for file:/// uris from CVE-2014-0487

Do not run ReverifyAfterIMS() for local file URIs as this will
causes apt to mess around in the file:/// uri space. This is
wrong in itself, but it will also cause a incorrect verification
failure when the archive and the lists directory are on different
partitions as rename().
---
 apt-pkg/acquire-item.cc               | 18 ++++++------------
 test/integration/test-apt-update-file | 27 +++++++++++++++++++++++++++
 2 files changed, 33 insertions(+), 12 deletions(-)
 create mode 100755 test/integration/test-apt-update-file

diff --git a/apt-pkg/acquire-item.cc b/apt-pkg/acquire-item.cc
index 058b8bf74..2ced65aa2 100644
--- a/apt-pkg/acquire-item.cc
+++ b/apt-pkg/acquire-item.cc
@@ -1120,12 +1120,6 @@ void pkgAcqIndex::Done(string Message,unsigned long long Size,string Hash,
    string FileName = LookupTag(Message,"Alt-Filename");
    if (FileName.empty() == false)
    {
-      // The files timestamp matches
-      if (StringToBool(LookupTag(Message,"Alt-IMS-Hit"),false) == true)
-      {
-         ReverifyAfterIMS(FileName);
-         return;
-      }
       Decompression = true;
       Local = true;
       DestFile += ".decomp";
@@ -1142,18 +1136,18 @@ void pkgAcqIndex::Done(string Message,unsigned long long Size,string Hash,
       ErrorText = "Method gave a blank filename";
    }
 
+   if (FileName == DestFile)
+      Erase = true;
+   else
+      Local = true;
+
    // The files timestamp matches
-   if (StringToBool(LookupTag(Message,"IMS-Hit"),false) == true)
+   if (!Local && StringToBool(LookupTag(Message,"IMS-Hit"),false) == true)
    {
       ReverifyAfterIMS(FileName);
       return;
    }
 
-   if (FileName == DestFile)
-      Erase = true;
-   else
-      Local = true;
-   
    string decompProg;
 
    // If we enable compressed indexes, queue for hash verification
diff --git a/test/integration/test-apt-update-file b/test/integration/test-apt-update-file
new file mode 100755
index 000000000..069f8ba2f
--- /dev/null
+++ b/test/integration/test-apt-update-file
@@ -0,0 +1,27 @@
+#!/bin/sh
+#
+# Ensure that we do not modify file:/// uris (regression test for
+# CVE-2014-0487
+#
+set -e
+
+TESTDIR=$(readlink -f $(dirname $0))
+. $TESTDIR/framework
+
+setupenvironment
+configarchitecture "amd64"
+configcompression 'bz2' 'gz' 
+
+insertpackage 'unstable' 'foo' 'all' '1.0'
+
+umask 022
+setupaptarchive --no-update
+
+# ensure the archive is not writable
+chmod 550 aptarchive/dists/unstable/main/binary-amd64
+
+testsuccess aptget update -qq
+testsuccess aptget update -qq
+
+# the cleanup should still work
+chmod 750 aptarchive/dists/unstable/main/binary-amd64
-- 
cgit v1.2.3