From 34747d46be3a15105d896266d8043f55d04e7735 Mon Sep 17 00:00:00 2001 From: David Kalnischkies Date: Mon, 18 Mar 2013 17:06:51 +0100 Subject: rename testcase to mention CVE number, make the code more consistent with the rest and add some more tests (by fixing commented ones) --- .../test-cve-2013-1051-InRelease-parsing | 61 +++++++++++++++++ test/integration/test-inrelease-verification-fail | 80 ---------------------- 2 files changed, 61 insertions(+), 80 deletions(-) create mode 100755 test/integration/test-cve-2013-1051-InRelease-parsing delete mode 100755 test/integration/test-inrelease-verification-fail (limited to 'test/integration') diff --git a/test/integration/test-cve-2013-1051-InRelease-parsing b/test/integration/test-cve-2013-1051-InRelease-parsing new file mode 100755 index 000000000..bd68fccf6 --- /dev/null +++ b/test/integration/test-cve-2013-1051-InRelease-parsing @@ -0,0 +1,61 @@ +#!/bin/sh +set -e + +TESTDIR=$(readlink -f $(dirname $0)) +. $TESTDIR/framework + +setupenvironment +configarchitecture 'i386' + +insertpackage 'stable' 'good-pkg' 'all' '1.0' + +setupaptarchive + +changetowebserver +ARCHIVE='http://localhost/' +msgtest 'Initial apt-get update should work with' 'InRelease' +aptget update -qq && msgpass || msgfail + +# check that the setup is correct +testequal "good-pkg: + Installed: (none) + Candidate: 1.0 + Version table: + 1.0 0 + 500 ${ARCHIVE} stable/main i386 Packages" aptcache policy good-pkg + +# now exchange to the Packages file, note that this could be +# done via MITM too +insertpackage 'stable' 'bad-mitm' 'all' '1.0' + +# this builds compressed files and a new (unsigned) Release +buildaptarchivefromfiles '+1hour' + +# add a space into the BEGIN PGP SIGNATURE PART/END PGP SIGNATURE part +# to trick apt - this is still legal to gpg(v) +sed -i '/^-----BEGIN PGP SIGNATURE-----/,/^-----END PGP SIGNATURE-----/ s/^$/ /g' aptarchive/dists/stable/InRelease + +# we append the (evil unsigned) Release file to the (good signed) InRelease +cat aptarchive/dists/stable/Release >> aptarchive/dists/stable/InRelease + + +# ensure the update fails +# useful for debugging to add "-o Debug::pkgAcquire::auth=true" +msgtest 'apt-get update for should fail with the modified' 'InRelease' +aptget update 2>&1 | grep -q 'Hash Sum mismatch' > /dev/null && msgpass || msgfail + +# ensure there is no package +testequal 'Reading package lists... +Building dependency tree... +E: Unable to locate package bad-mitm' aptget install bad-mitm -s + +# and verify that its not picked up +testequal 'N: Unable to locate package bad-mitm' aptcache policy bad-mitm -q=0 + +# and that the right one is used +testequal "good-pkg: + Installed: (none) + Candidate: 1.0 + Version table: + 1.0 0 + 500 ${ARCHIVE} stable/main i386 Packages" aptcache policy good-pkg diff --git a/test/integration/test-inrelease-verification-fail b/test/integration/test-inrelease-verification-fail deleted file mode 100755 index 5cbf1ab4d..000000000 --- a/test/integration/test-inrelease-verification-fail +++ /dev/null @@ -1,80 +0,0 @@ -#!/bin/sh - -set -e - -TESTDIR=$(readlink -f $(dirname $0)) -. $TESTDIR/framework - -setupenvironment -configarchitecture "i386" - -buildsimplenativepackage 'good-pkg' 'all' '1.0' 'stable' - -setupaptarchive - -# now exchange to the Packages file, note that this could be -# done via MITM too -cat > aptarchive/dists/stable/main/binary-i386/Packages < aptarchive/dists/stable/main/binary-i386/Packages.$extension -done - -# add a space into the BEGIN PGP SIGNATURE PART/END PGP SIGNATURE part -# to trick apt - this is still legal to gpg(v) -sed -i '/^-----BEGIN PGP SIGNATURE-----/,/^-----END PGP SIGNATURE-----/ s/^$/ /g' aptarchive/dists/stable/InRelease - -# and append our own hashes for the modified Packages files -cat >> aptarchive/dists/stable/InRelease <> aptarchive/dists/stable/InRelease - # Sources - s="$(sha512sum aptarchive/dists/stable/main/source/Sources$comp | cut -f1 -d' ') $(stat -c %s aptarchive/dists/stable/main/source/Sources$comp) main/source/Sources$comp" - echo " $s" >> aptarchive/dists/stable/InRelease -done; - -# deliver this -changetowebserver - -# ensure the update fails -# useful for debugging to add "-o Debug::pkgAcquire::auth=true" -if aptget update -qq; then - msgfail "apt-get update should NOT work for MITM" - exit 1 -fi - -# ensure there is no package -testequal 'Reading package lists... -Building dependency tree... -E: Unable to locate package bad-mitm' aptget install bad-mitm - -# and verify that its not picked up -#testequal 'N: Unable to locate package bad-mitm' aptcache policy bad-mitm - -# and that the right one is used -#testequal 'good-pkg: -#+ Installed: (none) -#+ Candidate: 1.0 -#+ Version table: -#+ 1.0 0 -#+ 500 http://localhost/ stable/main i386 Packages' aptcache policy good-pkg -- cgit v1.2.3