From daff4aa356128310f022370f7825bdc369c66ba8 Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Wed, 17 Sep 2014 14:57:05 +0200 Subject: Fix regression for file:/// uris from CVE-2014-0487 Do not run ReverifyAfterIMS() for local file URIs as this will causes apt to mess around in the file:/// uri space. This is wrong in itself, but it will also cause a incorrect verification failure when the archive and the lists directory are on different partitions as rename(). --- test/integration/test-apt-update-file | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100755 test/integration/test-apt-update-file (limited to 'test/integration/test-apt-update-file') diff --git a/test/integration/test-apt-update-file b/test/integration/test-apt-update-file new file mode 100755 index 000000000..069f8ba2f --- /dev/null +++ b/test/integration/test-apt-update-file @@ -0,0 +1,27 @@ +#!/bin/sh +# +# Ensure that we do not modify file:/// uris (regression test for +# CVE-2014-0487 +# +set -e + +TESTDIR=$(readlink -f $(dirname $0)) +. $TESTDIR/framework + +setupenvironment +configarchitecture "amd64" +configcompression 'bz2' 'gz' + +insertpackage 'unstable' 'foo' 'all' '1.0' + +umask 022 +setupaptarchive --no-update + +# ensure the archive is not writable +chmod 550 aptarchive/dists/unstable/main/binary-amd64 + +testsuccess aptget update -qq +testsuccess aptget update -qq + +# the cleanup should still work +chmod 750 aptarchive/dists/unstable/main/binary-amd64 -- cgit v1.2.3 From 23d0a6fbee9e8880107481502e14411961c44a7b Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Wed, 17 Sep 2014 17:48:27 +0200 Subject: improve test for commit daff4a --- test/integration/test-apt-update-file | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'test/integration/test-apt-update-file') diff --git a/test/integration/test-apt-update-file b/test/integration/test-apt-update-file index 069f8ba2f..e267c71da 100755 --- a/test/integration/test-apt-update-file +++ b/test/integration/test-apt-update-file @@ -22,6 +22,13 @@ chmod 550 aptarchive/dists/unstable/main/binary-amd64 testsuccess aptget update -qq testsuccess aptget update -qq +aptget update -qq -o Debug::pkgAcquire::Auth=1 2> output.log + +# ensure that the hash of the uncompressed file was verified even on a local +# ims hit +canary="SHA512:$(bzcat aptarchive/dists/unstable/main/binary-amd64/Packages.bz2 | sha512sum |cut -f1 -d' ')" +grep -q "RecivedHash: $canary" output.log + # the cleanup should still work chmod 750 aptarchive/dists/unstable/main/binary-amd64 -- cgit v1.2.3 From 8b451962751298876d1f399e4de492d8adbb135a Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Fri, 19 Sep 2014 16:41:50 +0200 Subject: test/integration/test-apt-update-file: improve test --- test/integration/test-apt-update-file | 2 ++ 1 file changed, 2 insertions(+) (limited to 'test/integration/test-apt-update-file') diff --git a/test/integration/test-apt-update-file b/test/integration/test-apt-update-file index e267c71da..fbcd473cc 100755 --- a/test/integration/test-apt-update-file +++ b/test/integration/test-apt-update-file @@ -29,6 +29,8 @@ aptget update -qq -o Debug::pkgAcquire::Auth=1 2> output.log canary="SHA512:$(bzcat aptarchive/dists/unstable/main/binary-amd64/Packages.bz2 | sha512sum |cut -f1 -d' ')" grep -q "RecivedHash: $canary" output.log +# foo is still available +testsuccess aptget install -s foo # the cleanup should still work chmod 750 aptarchive/dists/unstable/main/binary-amd64 -- cgit v1.2.3