From ca7fd76c2f30c100dcf1c12e717ce397cccd690b Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Tue, 16 Sep 2014 20:23:43 +0200 Subject: SECURITY UPDATE for CVE-2014-{0488,0487,0489} incorrect invalidating of unauthenticated data (CVE-2014-0488) incorect verification of 304 reply (CVE-2014-0487) incorrect verification of Acquire::Gzip indexes (CVE-2014-0489) --- test/integration/test-hashsum-verification | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) (limited to 'test/integration/test-hashsum-verification') diff --git a/test/integration/test-hashsum-verification b/test/integration/test-hashsum-verification index e77efb46e..2a400dcb4 100755 --- a/test/integration/test-hashsum-verification +++ b/test/integration/test-hashsum-verification @@ -64,7 +64,7 @@ runtest() { msgtest 'No package from the source available' [ "$(aptcache show apt 2>&1)" = "E: No packages found" ] && msgpass || msgfail msgtest 'No Packages file in /var/lib/apt/lists' - [ "$(ls rootdir/var/lib/apt/lists/*Package* 2>/dev/null)" = "" ] && msgpass || msgfail + [ "$(ls rootdir/var/lib/apt/lists/*Package* 2>/dev/null | grep -v FAILED 2>/dev/null)" = "" ] && msgpass || msgfail # now with the unsigned Release file rm -rf rootdir/var/lib/apt/lists @@ -75,5 +75,13 @@ runtest() { } -runtest - +for COMPRESSEDINDEXES in 'false' 'true'; do + echo "Acquire::GzipIndexes \"$COMPRESSEDINDEXES\";" > rootdir/etc/apt/apt.conf.d/compressindexes + if $COMPRESSEDINDEXES; then + msgmsg 'Run tests with GzipIndexes enabled' + else + msgmsg 'Run tests with GzipIndexes disabled' + fi + + runtest +done -- cgit v1.2.3 From c292cc32b3ab0d70c63e68f7c94446932217c0ec Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Mon, 29 Sep 2014 11:47:03 +0200 Subject: more test fixes --- test/integration/test-hashsum-verification | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) (limited to 'test/integration/test-hashsum-verification') diff --git a/test/integration/test-hashsum-verification b/test/integration/test-hashsum-verification index 2a400dcb4..2db2bab0f 100755 --- a/test/integration/test-hashsum-verification +++ b/test/integration/test-hashsum-verification @@ -70,9 +70,13 @@ runtest() { rm -rf rootdir/var/lib/apt/lists rm aptarchive/InRelease aptarchive/Release.gpg msgtest 'unsigned apt-get update gets the expected hashsum mismatch' - aptget update 2>&1 | grep "Hash Sum mismatch" > /dev/null && msgpass || msgfail - - + aptget update --allow-unauthenticated >output.log 2>&1 || true + if grep -q "Hash Sum mismatch" output.log; then + msgpass + else + cat output.log + msgfail + fi } for COMPRESSEDINDEXES in 'false' 'true'; do -- cgit v1.2.3 From c99fe2e169243fc6e1a3278ce3768f0f521e260b Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Wed, 1 Oct 2014 12:21:55 +0200 Subject: Use Acquire::Allow{InsecureRepositories,DowngradeToInsecureRepositories} The configuration key Acquire::AllowInsecureRepositories controls if apt allows loading of unsigned repositories at all. The configuration Acquire::AllowDowngradeToInsecureRepositories controls if a signed repository can ever become unsigned. This should really never be needed but we provide it to avoid having to mess around in /var/lib/apt/lists if there is a use-case for this (which I can't think of right now). --- test/integration/test-hashsum-verification | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'test/integration/test-hashsum-verification') diff --git a/test/integration/test-hashsum-verification b/test/integration/test-hashsum-verification index 2db2bab0f..5f88110b3 100755 --- a/test/integration/test-hashsum-verification +++ b/test/integration/test-hashsum-verification @@ -70,7 +70,7 @@ runtest() { rm -rf rootdir/var/lib/apt/lists rm aptarchive/InRelease aptarchive/Release.gpg msgtest 'unsigned apt-get update gets the expected hashsum mismatch' - aptget update --allow-unauthenticated >output.log 2>&1 || true + aptget update --allow-insecure-repositories >output.log 2>&1 || true if grep -q "Hash Sum mismatch" output.log; then msgpass else -- cgit v1.2.3