From 2e3c9d6452e69dcb5c83732fbda27b747bc997f4 Mon Sep 17 00:00:00 2001 From: David Kalnischkies Date: Mon, 6 Jun 2011 21:29:16 +0200 Subject: * apt-pkg/indexcopy.cc: - Verify that the first line of an InRelease file is a PGP header for a signed message. Otherwise a man-in-the-middle can prefix a valid InRelease file with his own data! (CVE-2011-1829) --- ...st-ubuntu-bug-784473-InRelease-one-message-only | 31 ++++++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100755 test/integration/test-ubuntu-bug-784473-InRelease-one-message-only (limited to 'test/integration/test-ubuntu-bug-784473-InRelease-one-message-only') diff --git a/test/integration/test-ubuntu-bug-784473-InRelease-one-message-only b/test/integration/test-ubuntu-bug-784473-InRelease-one-message-only new file mode 100755 index 000000000..d97011914 --- /dev/null +++ b/test/integration/test-ubuntu-bug-784473-InRelease-one-message-only @@ -0,0 +1,31 @@ +#!/bin/sh +set -e + +TESTDIR=$(readlink -f $(dirname $0)) +. $TESTDIR/framework +setupenvironment +configarchitecture 'i386' + +insertpackage 'unstable' 'apt' 'i386' '0.8.11' + +setupaptarchive + +rm -rf rootdir/var/lib/apt/lists + +find aptarchive/ -name 'Release.gpg' -delete +find aptarchive/ -name 'InRelease' -exec cp {} {}.old \; + +for RELEASE in $(find aptarchive/ -name 'InRelease'); do + (echo 'Origin: Marvin +Label: Marvin +Suite: experimental +Codename: experimental +MD5Sum: + 65fd410587b6978de2277f2912523f09 9360 Packages + d27b294ed172a1fa9dd5a53949914c5d 4076 Packages.bz2 + 2182897e0a2a0c09e760beaae117a015 2023 Packages.diff/Index + 1b895931853981ad8204d2439821b999 4144 Packages.gz'; echo; cat ${RELEASE}.old;) > ${RELEASE} +done +aptget update -qq > /dev/null 2> starts-with-unsigned.msg +sed -i 's#File .*InRelease#File InRelease#' starts-with-unsigned.msg +testfileequal starts-with-unsigned.msg "W: GPG error: file: unstable InRelease: File InRelease doesn't start with a clearsigned message" -- cgit v1.2.3