From 34747d46be3a15105d896266d8043f55d04e7735 Mon Sep 17 00:00:00 2001
From: David Kalnischkies <kalnischkies@gmail.com>
Date: Mon, 18 Mar 2013 17:06:51 +0100
Subject: rename testcase to mention CVE number, make the code more consistent
 with the rest and add some more tests (by fixing commented ones)

---
 .../test-cve-2013-1051-InRelease-parsing           | 61 ++++++++++++++++++++++
 1 file changed, 61 insertions(+)
 create mode 100755 test/integration/test-cve-2013-1051-InRelease-parsing

(limited to 'test/integration/test-cve-2013-1051-InRelease-parsing')

diff --git a/test/integration/test-cve-2013-1051-InRelease-parsing b/test/integration/test-cve-2013-1051-InRelease-parsing
new file mode 100755
index 000000000..bd68fccf6
--- /dev/null
+++ b/test/integration/test-cve-2013-1051-InRelease-parsing
@@ -0,0 +1,61 @@
+#!/bin/sh
+set -e
+
+TESTDIR=$(readlink -f $(dirname $0))
+. $TESTDIR/framework
+
+setupenvironment
+configarchitecture 'i386'
+
+insertpackage 'stable' 'good-pkg' 'all' '1.0'
+
+setupaptarchive
+
+changetowebserver
+ARCHIVE='http://localhost/'
+msgtest 'Initial apt-get update should work with' 'InRelease'
+aptget update -qq && msgpass || msgfail
+
+# check that the setup is correct
+testequal "good-pkg:
+  Installed: (none)
+  Candidate: 1.0
+  Version table:
+     1.0 0
+        500 ${ARCHIVE} stable/main i386 Packages" aptcache policy good-pkg
+
+# now exchange to the Packages file, note that this could be
+# done via MITM too
+insertpackage 'stable' 'bad-mitm' 'all' '1.0'
+
+# this builds compressed files and a new (unsigned) Release
+buildaptarchivefromfiles '+1hour'
+
+# add a space into the BEGIN PGP SIGNATURE PART/END PGP SIGNATURE part
+# to trick apt - this is still legal to gpg(v)
+sed -i '/^-----BEGIN PGP SIGNATURE-----/,/^-----END PGP SIGNATURE-----/ s/^$/  /g'  aptarchive/dists/stable/InRelease
+
+# we append the (evil unsigned) Release file to the (good signed) InRelease
+cat aptarchive/dists/stable/Release >> aptarchive/dists/stable/InRelease
+
+
+# ensure the update fails
+# useful for debugging to add "-o Debug::pkgAcquire::auth=true"
+msgtest 'apt-get update for should fail with the modified' 'InRelease'
+aptget update 2>&1 | grep -q 'Hash Sum mismatch' > /dev/null && msgpass || msgfail
+
+# ensure there is no package
+testequal 'Reading package lists...
+Building dependency tree...
+E: Unable to locate package bad-mitm' aptget install bad-mitm -s
+
+# and verify that its not picked up
+testequal 'N: Unable to locate package bad-mitm' aptcache policy bad-mitm -q=0
+
+# and that the right one is used
+testequal "good-pkg:
+  Installed: (none)
+  Candidate: 1.0
+  Version table:
+     1.0 0
+        500 ${ARCHIVE} stable/main i386 Packages" aptcache policy good-pkg
-- 
cgit v1.2.3