From ca7fd76c2f30c100dcf1c12e717ce397cccd690b Mon Sep 17 00:00:00 2001
From: Michael Vogt
Date: Tue, 16 Sep 2014 20:23:43 +0200
Subject: SECURITY UPDATE for CVE-2014-{0488,0487,0489} incorrect invalidating of unauthenticated data (CVE-2014-0488) incorect verification of 304 reply (CVE-2014-0487) incorrect verification of Acquire::Gzip indexes (CVE-2014-0489)
---
test/integration/test-apt-update-unauth | 48 +++++++++++++++++++++++++++++++++
1 file changed, 48 insertions(+)
create mode 100755 test/integration/test-apt-update-unauth
(limited to 'test/integration/test-apt-update-unauth')
diff --git a/test/integration/test-apt-update-unauth b/test/integration/test-apt-update-unauth
new file mode 100755
index 000000000..13487603c
--- /dev/null
+++ b/test/integration/test-apt-update-unauth
@@ -0,0 +1,48 @@
+#!/bin/sh
+#
+# Ensure that when going from unauthenticated to authenticated all
+# files are checked again
+#
+set -e
+
+TESTDIR=$(readlink -f $(dirname $0))
+. $TESTDIR/framework
+
+setupenvironment
+configarchitecture "i386"
+
+insertpackage 'unstable' 'foo' 'all' '1.0'
+insertsource 'unstable' 'foo' 'all' '1.0'
+
+setupaptarchive
+changetowebserver
+
+runtest() {
+ # start unauthenticated
+ find rootdir/var/lib/apt/lists/ -type f | xargs rm -f
+ rm -f aptarchive/dists/unstable/*Release*
+ aptget update -qq
+
+ # become authenticated
+ generatereleasefiles
+ signreleasefiles
+
+ # and ensure we do download the data again
+ msgtest "Check that the data is check when going to authenticated"
+ if aptget update |grep -q Hit; then
+ msgfail
+ else
+ msgpass
+ fi
+}
+
+for COMPRESSEDINDEXES in 'false' 'true'; do
+ echo "Acquire::GzipIndexes \"$COMPRESSEDINDEXES\";" > rootdir/etc/apt/apt.conf.d/compressindexes
+ if $COMPRESSEDINDEXES; then
+ msgmsg 'Run tests with GzipIndexes enabled'
+ else
+ msgmsg 'Run tests with GzipIndexes disabled'
+ fi
+
+ runtest
+done
-- cgit v1.2.3
From c8aa88aa2c3139584cfabb1ce4619c773e9f2b99 Mon Sep 17 00:00:00 2001
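Review bot: The final check in `runtest` of the new test file (`if aptget update |grep -q Hit; then msgfail`) reports success whenever the output has no `Hit` line, and that includes an `aptget update` that fails outright or prints nothing, because the `if` only sees the exit status of `grep`. For a test that accompanies the CVE-2014-0488 fix this means a broken update run is counted as "data was re-checked". Capturing the output and testing the exit status as well closes the gap, for example `if ! aptget update > update.output 2>&1 || grep -q Hit update.output; then msgfail; else msgpass; fi` (the file name is only an illustration). The `msgtest` text also reads "the data is check" where "checked" is meant.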
From: Michael Vogt Date: Tue, 23 Sep 2014 18:08:53 +0200 Subject: cleanup, fix test-apt-update-unauth as the behavior of apt changed --- test/integration/test-apt-update-unauth | 28 +++++++++++++++++++++++----- 1 file changed, 23 insertions(+), 5 deletions(-) (limited to 'test/integration/test-apt-update-unauth') diff --git a/test/integration/test-apt-update-unauth b/test/integration/test-apt-update-unauth index 13487603c..4e08b5e35 100755 --- a/test/integration/test-apt-update-unauth +++ b/test/integration/test-apt-update-unauth @@ -17,23 +17,41 @@ insertsource 'unstable' 'foo' 'all' '1.0' setupaptarchive changetowebserver +# FIXME: +# - also check the unauth -> auth success case, i.e. that all files are +# reverified runtest() { # start unauthenticated find rootdir/var/lib/apt/lists/ -type f | xargs rm -f rm -f aptarchive/dists/unstable/*Release* + # remove uncompressed version + find aptarchive/ -name Packages | xargs rm -f aptget update -qq # become authenticated generatereleasefiles signreleasefiles - # and ensure we do download the data again - msgtest "Check that the data is check when going to authenticated" - if aptget update |grep -q Hit; then - msgfail - else + # and ensure we re-check the downloaded data + msgtest "Check rollback on going from unauth -> auth" + + # change the local packages file + PKGS=$(ls rootdir/var/lib/apt/lists/*Packages*) + echo "meep" > $PKGS + ls -l rootdir/var/lib/apt/lists > lists.before + + # update and ensure all is reverted on the hashsum failure + aptget update -o Debug::Acquire::Transaction=1 -o Debug::pkgAcquire::Auth=1 -o Debug::pkgAcquire::worker=0 > output.log 2>&1 || true + + # ensure we have before what we have after + ls -l rootdir/var/lib/apt/lists > lists.after + if diff -u lists.before lists.after; then msgpass + else + #cat output.log + msgfail fi + } for COMPRESSEDINDEXES in 'false' 'true'; do -- cgit v1.2.3 From bca84917c326fa3158e120147c8aecebe0789b47 Mon Sep 17 00:00:00 2001 
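Review bot: The tampering step `PKGS=$(ls rootdir/var/lib/apt/lists/*Packages*)` followed by `echo "meep" > $PKGS` is only well defined when the glob matches exactly one file. With no match `ls` fails and `set -e` aborts the script without a verdict; with several matches the unquoted redirect either errors out or writes to a file whose name is the whole list, depending on the shell, so the file apt later verifies may not be the one that was modified. Iterating over the glob and writing with a quoted target, `for f in rootdir/var/lib/apt/lists/*Packages*; do echo "meep" > "$f"; done`, plus an explicit failure when nothing matched, keeps the precondition of the rollback check visible. The same two lines are carried unchanged through the later commits on this page.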
From: Michael Vogt Date: Fri, 26 Sep 2014 22:45:18 +0200 Subject: test fixes --- test/integration/test-apt-update-unauth | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'test/integration/test-apt-update-unauth') diff --git a/test/integration/test-apt-update-unauth b/test/integration/test-apt-update-unauth index 4e08b5e35..2e46e3ace 100755 --- a/test/integration/test-apt-update-unauth +++ b/test/integration/test-apt-update-unauth @@ -26,7 +26,7 @@ runtest() { rm -f aptarchive/dists/unstable/*Release* # remove uncompressed version find aptarchive/ -name Packages | xargs rm -f - aptget update -qq + aptget update -qq --allow-unauthenticated # become authenticated generatereleasefiles -- cgit v1.2.3 From e1bd768b762bd74221f9089133883723a7307f9b Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Mon, 29 Sep 2014 11:03:02 +0200 Subject: test fixes --- test/integration/test-apt-update-unauth | 2 ++ 1 file changed, 2 insertions(+) (limited to 'test/integration/test-apt-update-unauth') diff --git a/test/integration/test-apt-update-unauth b/test/integration/test-apt-update-unauth index 2e46e3ace..5db8a3c16 100755 --- a/test/integration/test-apt-update-unauth +++ b/test/integration/test-apt-update-unauth @@ -8,6 +8,8 @@ set -e TESTDIR=$(readlink -f $(dirname $0)) . $TESTDIR/framework +umask 022 + setupenvironment configarchitecture "i386" -- cgit v1.2.3 From c99fe2e169243fc6e1a3278ce3768f0f521e260b Mon Sep 17 00:00:00 2001 
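Review bot: The `umask 022` added after sourcing the framework in the e1bd768 change has no comment, and the commit message ("test fixes") does not say which failure it addresses. A why-comment on that line would keep it from being removed as noise later, e.g. `# files created by this test must be readable by other users` if that is indeed the reason; the hunk itself does not show it, so the wording should come from the author.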
From: Michael Vogt Date: Wed, 1 Oct 2014 12:21:55 +0200 Subject: Use Acquire::Allow{InsecureRepositories,DowngradeToInsecureRepositories} The configuration key Acquire::AllowInsecureRepositories controls if apt allows loading of unsigned repositories at all. The configuration Acquire::AllowDowngradeToInsecureRepositories controls if a signed repository can ever become unsigned. This should really never be needed but we provide it to avoid having to mess around in /var/lib/apt/lists if there is a use-case for this (which I can't think of right now). --- test/integration/test-apt-update-unauth | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'test/integration/test-apt-update-unauth') diff --git a/test/integration/test-apt-update-unauth b/test/integration/test-apt-update-unauth index 5db8a3c16..ade523ea7 100755 --- a/test/integration/test-apt-update-unauth +++ b/test/integration/test-apt-update-unauth @@ -28,7 +28,7 @@ runtest() { rm -f aptarchive/dists/unstable/*Release* # remove uncompressed version find aptarchive/ -name Packages | xargs rm -f - aptget update -qq --allow-unauthenticated + aptget update -qq --allow-insecure-repositories # become authenticated generatereleasefiles -- cgit v1.2.3 From 0b844e23f014bd3ce95e27fe5fa81138e9ae4879 Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Wed, 1 Oct 2014 17:13:33 +0200 Subject: hack around test-apt-update-unauth failure --- test/integration/test-apt-update-unauth | 21 +++++++++++++++------ 1 file changed, 15 insertions(+), 6 deletions(-) (limited to 'test/integration/test-apt-update-unauth') diff --git a/test/integration/test-apt-update-unauth b/test/integration/test-apt-update-unauth index ade523ea7..cf5195024 100755 --- a/test/integration/test-apt-update-unauth +++ b/test/integration/test-apt-update-unauth 
@@ -26,34 +26,43 @@ runtest() { # start unauthenticated find rootdir/var/lib/apt/lists/ -type f | xargs rm -f rm -f aptarchive/dists/unstable/*Release* - # remove uncompressed version - find aptarchive/ -name Packages | xargs rm -f + aptget update -qq --allow-insecure-repositories + # FIXME: this really shouldn't be needed + rm -f rootdir/var/lib/apt/lists/partial/* + # become authenticated generatereleasefiles signreleasefiles + # move uncompressed away + mv aptarchive/dists/unstable/main/binary-i386/Packages \ + aptarchive/dists/unstable/main/binary-i386/Packages.uncompressed + # and ensure we re-check the downloaded data msgtest "Check rollback on going from unauth -> auth" # change the local packages file PKGS=$(ls rootdir/var/lib/apt/lists/*Packages*) echo "meep" > $PKGS - ls -l rootdir/var/lib/apt/lists > lists.before + ls rootdir/var/lib/apt/lists/ > lists.before # update and ensure all is reverted on the hashsum failure - aptget update -o Debug::Acquire::Transaction=1 -o Debug::pkgAcquire::Auth=1 -o Debug::pkgAcquire::worker=0 > output.log 2>&1 || true + aptget update -o Debug::Acquire::Transaction=0 -o Debug::pkgAcquire::Auth=1 -o Debug::pkgAcquire::worker=0 -o Debug::acquire::http=0 > output.log 2>&1 || true # ensure we have before what we have after - ls -l rootdir/var/lib/apt/lists > lists.after + ls rootdir/var/lib/apt/lists/ > lists.after if diff -u lists.before lists.after; then msgpass else - #cat output.log + cat output.log msgfail fi + # move uncompressed back for release file + mv aptarchive/dists/unstable/main/binary-i386/Packages.uncompressed \ + aptarchive/dists/unstable/main/binary-i386/Packages } for COMPRESSEDINDEXES in 'false' 'true'; do -- cgit v1.2.3 From 5684f71fa0f6c1b765aa53e22ca3b024c578b9c9 Mon Sep 17 00:00:00 2001 
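Review bot: Switching `lists.before`/`lists.after` from `ls -l rootdir/var/lib/apt/lists` to plain `ls rootdir/var/lib/apt/lists/` reduces the rollback assertion to a comparison of file names. An update that rewrites the tampered Packages file, or changes its size or permissions while keeping the name, now passes `diff -u lists.before lists.after`. If `-l` was dropped because of timestamp noise (the commit message only says "hack around"), a content listing keeps the check strict without it, e.g. `(cd rootdir/var/lib/apt/lists && find . -maxdepth 1 -type f -exec sha256sum {} + | sort) > lists.before` and the same for `lists.after`, assuming the intended behaviour is that existing files are left untouched as the "ensure we have before what we have after" comment says. `runtest` starts above this hunk, so its opening lines are not visible here.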
From: David Kalnischkies Date: Mon, 6 Oct 2014 14:29:53 +0200 Subject: use _apt:root only for partial directories Using a different user for calling methods is intended to protect us from methods running amok (via remotely exploited bugs) by limiting what can be done by them. By using root:root for the final directories and just having the files in partial writeable by the methods we enhance this insofar as a method can't modify already verified data in its parent directory anymore. As a side effect, this also clears most of the problems you could have if the final directories are shared without user-sharing or if these directories disappear as they are now again root owned and only the partial directories contain _apt owned files (usually none if apt isn't running) and the directory itself is autocreated with the right permissions. --- test/integration/test-apt-update-unauth | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) (limited to 'test/integration/test-apt-update-unauth') diff --git a/test/integration/test-apt-update-unauth b/test/integration/test-apt-update-unauth index cf5195024..b7ccd6cf3 100755 --- a/test/integration/test-apt-update-unauth +++ b/test/integration/test-apt-update-unauth @@ -27,7 +27,7 @@ runtest() { find rootdir/var/lib/apt/lists/ -type f | xargs rm -f rm -f aptarchive/dists/unstable/*Release* - aptget update -qq --allow-insecure-repositories + testsuccess aptget update -qq --allow-insecure-repositories # FIXME: this really shouldn't be needed rm -f rootdir/var/lib/apt/lists/partial/* @@ -41,7 +41,6 @@ runtest() { aptarchive/dists/unstable/main/binary-i386/Packages.uncompressed # and ensure we re-check the downloaded data - msgtest "Check rollback on going from unauth -> auth" # change the local packages file PKGS=$(ls rootdir/var/lib/apt/lists/*Packages*) 
@@ -49,18 +48,22 @@ runtest() { ls rootdir/var/lib/apt/lists/ > lists.before # update and ensure all is reverted on the hashsum failure - aptget update -o Debug::Acquire::Transaction=0 -o Debug::pkgAcquire::Auth=1 -o Debug::pkgAcquire::worker=0 -o Debug::acquire::http=0 > output.log 2>&1 || true + testfailure aptget update -o Debug::Acquire::Transaction=0 -o Debug::pkgAcquire::Auth=1 -o Debug::pkgAcquire::worker=0 -o Debug::acquire::http=0 # ensure we have before what we have after + msgtest 'Check rollback on going from' 'unauth -> auth' ls rootdir/var/lib/apt/lists/ > lists.after - if diff -u lists.before lists.after; then + if cmp lists.before lists.after; then msgpass else - cat output.log - msgfail + echo >&2 '### Output of previous apt-get update ###' + cat >&2 rootdir/tmp/testfailure.output + echo >&2 '### Changes in the lists-directory: ###' + diff -u >&2 lists.before lists.after + msgfail fi - # move uncompressed back for release file + # move uncompressed back for release file mv aptarchive/dists/unstable/main/binary-i386/Packages.uncompressed \ aptarchive/dists/unstable/main/binary-i386/Packages } @@ -72,6 +75,5 @@ for COMPRESSEDINDEXES in 'false' 'true'; do else msgmsg 'Run tests with GzipIndexes disabled' fi - - runtest + runtest done -- cgit v1.2.3 From 846bc058cb0c1bf7ce7c2fb30b9c277e96e9eaf7 Mon Sep 17 00:00:00 2001 From: David Kalnischkies Date: Sat, 18 Oct 2014 22:46:48 +0200 Subject: check lists/ content in tests doing rollback Git-Dch: Ignore --- test/integration/test-apt-update-unauth | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) (limited to 'test/integration/test-apt-update-unauth') diff --git a/test/integration/test-apt-update-unauth b/test/integration/test-apt-update-unauth index b7ccd6cf3..1b5dbc6c4 100755 --- a/test/integration/test-apt-update-unauth +++ b/test/integration/test-apt-update-unauth 
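Review bot: `testfailure aptget update …` in the `@@ -49,18 +48,22 @@` hunk presumably checks only for a non-zero exit (the helper is defined in the framework, not on this page), so any failure satisfies it: an unreachable test webserver or a configuration error as much as the hash mismatch named in the comment above it. The output is already kept in `rootdir/tmp/testfailure.output`, which the failure branch prints, so one additional check that this file reports the hash mismatch would tie the test to the behaviour it guards; the exact message text should be taken from apt's output. `runtest` starts above the hunk and its opening line is not part of it.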
@@ -16,7 +16,7 @@ configarchitecture "i386" insertpackage 'unstable' 'foo' 'all' '1.0' insertsource 'unstable' 'foo' 'all' '1.0' -setupaptarchive +setupaptarchive --no-update changetowebserver # FIXME: @@ -24,13 +24,10 @@ changetowebserver # reverified runtest() { # start unauthenticated - find rootdir/var/lib/apt/lists/ -type f | xargs rm -f - rm -f aptarchive/dists/unstable/*Release* + rm -rf rootdir/var/lib/apt/lists/ + find aptarchive/ -name '*Release*' -delete - testsuccess aptget update -qq --allow-insecure-repositories - - # FIXME: this really shouldn't be needed - rm -f rootdir/var/lib/apt/lists/partial/* + testsuccess aptget update --allow-insecure-repositories # become authenticated generatereleasefiles @@ -45,14 +42,14 @@ runtest() { # change the local packages file PKGS=$(ls rootdir/var/lib/apt/lists/*Packages*) echo "meep" > $PKGS - ls rootdir/var/lib/apt/lists/ > lists.before + listcurrentlistsdirectory > lists.before # update and ensure all is reverted on the hashsum failure testfailure aptget update -o Debug::Acquire::Transaction=0 -o Debug::pkgAcquire::Auth=1 -o Debug::pkgAcquire::worker=0 -o Debug::acquire::http=0 # ensure we have before what we have after msgtest 'Check rollback on going from' 'unauth -> auth' - ls rootdir/var/lib/apt/lists/ > lists.after + listcurrentlistsdirectory > lists.after if cmp lists.before lists.after; then msgpass else -- cgit v1.2.3 From 4fa34122cbe347d21b3a162ff2fa75dd2e73c3a8 Mon Sep 17 00:00:00 2001 
From: David Kalnischkies Date: Mon, 20 Oct 2014 10:23:41 +0200 Subject: testcases: do not allow warnings in testsuccess Adds a new testwarning which tests for zero exit and the presence of a warning in the output, failing if either is not the case or if an error is found, too. This allows us to change testsuccess to accept only totally successful executions (= without warnings) which should help finding regressions. Git-Dch: Ignore --- test/integration/test-apt-update-unauth | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'test/integration/test-apt-update-unauth') diff --git a/test/integration/test-apt-update-unauth b/test/integration/test-apt-update-unauth index 1b5dbc6c4..7347f7d10 100755 --- a/test/integration/test-apt-update-unauth +++ b/test/integration/test-apt-update-unauth @@ -27,7 +27,7 @@ runtest() { rm -rf rootdir/var/lib/apt/lists/ find aptarchive/ -name '*Release*' -delete - testsuccess aptget update --allow-insecure-repositories + testwarning aptget update --allow-insecure-repositories # become authenticated generatereleasefiles -- cgit v1.2.3