From 55971004215609a02ca19c59bd058da20729ba11 Mon Sep 17 00:00:00 2001
From: Michael Vogt
Date: Thu, 14 Mar 2013 14:26:43 +0100
Subject: * SECURITY UPDATE: InRelease verification bypass - CVE-2013-1051 * apt-pkg/deb/debmetaindex.cc, test/integration/test-bug-595691-empty-and-broken-archive-files, test/integration/test-releasefile-verification: - disable InRelease downloading until the verification issue is fixed, thanks to Ansgar Burchardt for finding the flaw
---
 .../test-bug-595691-empty-and-broken-archive-files | 30 ++++++++--------------
 test/integration/test-releasefile-verification | 4 +--
 2 files changed, 13 insertions(+), 21 deletions(-)
(limited to 'test')
diff --git a/test/integration/test-bug-595691-empty-and-broken-archive-files b/test/integration/test-bug-595691-empty-and-broken-archive-files
index 63883b380..4611b8b8e 100755
--- a/test/integration/test-bug-595691-empty-and-broken-archive-files
+++ b/test/integration/test-bug-595691-empty-and-broken-archive-files
@@ -13,7 +13,7 @@ setupflataptarchive
 testaptgetupdate() {
 rm -rf rootdir/var/lib/apt
 aptget update 2>> testaptgetupdate.diff >> testaptgetupdate.diff || true
- sed -i -e '/^Fetched / d' -e '/Ign / d' -e 's#\[[0-9]* [kMGTPY]*B\]#\[\]#' testaptgetupdate.diff
+ sed -i -e '/^Fetched / d' -e '/Ign / d' -e '/Release/ d' -e 's#Get:[0-9]\+ #Get: #' -e 's#\[[0-9]* [kMGTPY]*B\]#\[\]#' testaptgetupdate.diff
 GIVEN="$1"
 shift
 msgtest "Test for correctness of" "apt-get update with $*"
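Review bot: The new `-e '/Release/ d'` expression on the `+` line of the sed filter drops every line of apt-get's output that contains the word Release, not only the `Get:` lines for Release and Release.gpg that become variable once InRelease is no longer downloaded. A warning that names Release or Release.gpg, such as a GPG verification error, would be removed from testaptgetupdate.diff before the comparison, so a signature problem introduced by this workaround could not fail any test that uses this helper. Limiting the filter to the fetch lines keeps the normalisation without hiding verification output, e.g. `-e '/^Get:[0-9]* .* Release\(\.gpg\)\? /d'` (the file already relies on GNU sed syntax via `\+`). The body of testaptgetupdate continues past the end of the hunk.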
@@ -81,22 +81,18 @@ testoverfile() {
 setupcompressor "$1"
 createemptyfile 'en'
- testaptgetupdate "Get:1 file: InRelease []
-Reading package lists..." "empty file en.$COMPRESS over file"
+ testaptgetupdate 'Reading package lists...' "empty file en.$COMPRESS over file"
 createemptyarchive 'en'
- testaptgetupdate "Get:1 file: InRelease []
-Reading package lists..." "empty archive en.$COMPRESS over file"
+ testaptgetupdate 'Reading package lists...' "empty archive en.$COMPRESS over file"
 createemptyarchive 'Packages'
 # FIXME: Why omits the file transport the Packages Get line?
 #Get:3 file: Packages []
- testaptgetupdate "Get:1 file: InRelease []
-Reading package lists..." "empty archive Packages.$COMPRESS over file"
+ testaptgetupdate 'Reading package lists...' "empty archive Packages.$COMPRESS over file"
 createemptyfile 'Packages'
- testaptgetupdate "Get:1 file: InRelease []
-Err file: Packages
+ testaptgetupdate "Err file: Packages
 Empty files can't be valid archives
 W: Failed to fetch ${COMPRESSOR}:$(readlink -f aptarchive/Packages.$COMPRESS) Empty files can't be valid archives
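Review bot: The context comment `#Get:3 file: Packages []` above the third testaptgetupdate call is now stale: the first hunk's sed rewrites every `Get:N ` prefix to `Get: ` before the diff is compared, so the line this FIXME says is missing would never appear with a number. Updating it to `#Get: file: Packages []` keeps the comment in step with what the filter actually leaves in the diff. The expected strings that were reduced to `'Reading package lists...'` now assert nothing about which index files were fetched over the file transport; that follows from the filter in the first hunk and is raised there. testoverfile begins and ends outside this hunk.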
@@ -107,26 +103,22 @@ testoverhttp() {
 setupcompressor "$1"
 createemptyfile 'en'
- testaptgetupdate "Get:1 http://localhost InRelease []
-Get:2 http://localhost Packages []
-Get:3 http://localhost Translation-en
+ testaptgetupdate "Get: http://localhost Packages []
+Get: http://localhost Translation-en
 Reading package lists..." "empty file en.$COMPRESS over http"
 createemptyarchive 'en'
- testaptgetupdate "Get:1 http://localhost InRelease []
-Get:2 http://localhost Packages []
-Get:3 http://localhost Translation-en []
+ testaptgetupdate "Get: http://localhost Packages []
+Get: http://localhost Translation-en []
 Reading package lists..." "empty archive en.$COMPRESS over http"
 createemptyarchive 'Packages'
- testaptgetupdate "Get:1 http://localhost InRelease []
-Get:2 http://localhost Packages []
+ testaptgetupdate "Get: http://localhost Packages []
 Reading package lists..." "empty archive Packages.$COMPRESS over http"
 createemptyfile 'Packages'
 #FIXME: we should response with a good error message instead
- testaptgetupdate "Get:1 http://localhost InRelease []
-Get:2 http://localhost Packages
+ testaptgetupdate "Get: http://localhost Packages
 Err http://localhost Packages
 Empty files can't be valid archives
 W: Failed to fetch ${COMPRESSOR}:$(readlink -f rootdir/var/lib/apt/lists/partial/localhost:8080_Packages) Empty files can't be valid archives
diff --git a/test/integration/test-releasefile-verification b/test/integration/test-releasefile-verification
index d3ea91de5..01fb2e529 100755
--- a/test/integration/test-releasefile-verification
+++ b/test/integration/test-releasefile-verification
@@ -184,5 +184,5 @@ runtest2
 DELETEFILE="InRelease"
 runtest
-DELETEFILE="Release.gpg"
-runtest
+#DELETEFILE="Release.gpg"
+#runtest
-- 
cgit v1.2.3
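Review bot: In test-releasefile-verification the `DELETEFILE="Release.gpg"` run is commented out with no note on why it is disabled or what would allow it back, so it is likely to remain dead after the InRelease verification fix lands and the missing-Release.gpg path would stay untested. The commit message gives the reason, but the file itself does not; a comment on the two `+#` lines such as `# disabled together with InRelease downloading (CVE-2013-1051); re-enable once InRelease verification is fixed` keeps that intent where the next reader will see it. That this case fails only because InRelease is no longer fetched is inferred from the commit message rather than visible in the hunk. The `DELETEFILE="InRelease"` run kept just above is what remains of the release-file coverage in this section.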