From 7491bed8cddb928589c3f7fa1bb308352f15962b Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Wed, 7 May 2014 22:05:26 +0200 Subject: add BUILDDIRECTORY to PATH in the tests Git-Dch: Ignore --- test/integration/framework | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'test') diff --git a/test/integration/framework b/test/integration/framework index 70ad381e9..3bfd8e435 100644 --- a/test/integration/framework +++ b/test/integration/framework @@ -253,7 +253,8 @@ setupenvironment() { gpg --quiet --check-trustdb --secret-keyring $SECRETKEYRING --keyring $SECRETKEYRING >/dev/null 2>&1 # cleanup the environment a bit - export PATH="${PATH}:/usr/local/sbin:/usr/sbin:/sbin" + # prefer our apt binaries over the system apt binaries + export PATH="${BUILDDIRECTORY}:${PATH}:/usr/local/sbin:/usr/sbin:/sbin" export LC_ALL=C.UTF-8 unset LANGUAGE APT_CONFIG unset GREP_OPTIONS DEB_BUILD_PROFILES -- cgit v1.2.3 From 8de25347319388d439de276b53de0b41aeb41114 Mon Sep 17 00:00:00 2001 From: David Kalnischkies Date: Thu, 8 May 2014 18:51:24 +0200 Subject: fix apt-config test now that PATH changed in 8c617819 Which, in this cherrypick is actually 7491bed8. Git-Dch: Ignore --- test/integration/test-kernel-helper-autoremove | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'test') diff --git a/test/integration/test-kernel-helper-autoremove b/test/integration/test-kernel-helper-autoremove index c51caa758..22c36890b 100755 --- a/test/integration/test-kernel-helper-autoremove +++ b/test/integration/test-kernel-helper-autoremove @@ -9,7 +9,7 @@ configarchitecture 'amd64' # the executed script would use the installed apt-config, # which is outside of our control msgtest 'Check that the installed apt-config supports' '--no-empty' -if apt-config dump --no-empty >/dev/null 2>&1; then +if /usr/bin/apt-config dump --no-empty >/dev/null 2>&1; then msgpass else msgskip -- cgit v1.2.3 From d32010483fed74681bf9035a1c81adbcecbf1146 Mon Sep 17 00:00:00 2001 
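Review bot: The new `export PATH="${BUILDDIRECTORY}:${PATH}:/usr/local/sbin:/usr/sbin:/sbin"` line in setupenvironment puts an unvalidated variable at the front of the search path. If BUILDDIRECTORY is ever empty or unset, PATH starts with `:` and the shell searches the current working directory first; a relative value has the same effect after any `cd`. Where BUILDDIRECTORY is assigned is not visible in this hunk, so this may already be guaranteed elsewhere. A cheap guard is `export PATH="${BUILDDIRECTORY:?}:${PATH}:/usr/local/sbin:/usr/sbin:/sbin"`, which aborts setup instead of silently widening the lookup. setupenvironment's body starts and ends outside the hunk.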
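Review bot: The guard on the changed `if` line now probes `/usr/bin/apt-config`, but nothing in the hunk ensures that the script executed later resolves the same binary. The comment above says that script uses the installed apt-config, and it presumably finds it by name through PATH, which starts with BUILDDIRECTORY since 7491bed8. If so, the binary checked and the binary run can differ, and the skip decision would be made on the wrong one. The rest of the test is outside the hunk, so how the script is launched could not be checked; if it inherits the test's PATH, consider invoking it with a PATH that excludes BUILDDIRECTORY. A comment such as `# must match the apt-config the helper script resolves via PATH` would record the assumption. The absolute path also assumes the system apt-config lives under /usr/bin.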
From: David Kalnischkies Date: Mon, 3 Aug 2015 07:00:33 +0200 Subject: mark again deps of pkgs in APT::Never-MarkAuto-Sections as manual MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit In 50ef3344c3afaaf9943142906b2f976a0337d264 (and similar for other branches), while 'fixing' the edgecase of a package being in multiple sections (e.g. moved from libs to oldlibs in newer releases) I accidently broke the feature itself completely by operating on the package itself and no longer on its dependencies… The behaviour isn't ideal in multiple ways, which we are hopefully able to fix with new ideas as mentioned in the buglog, but until then the functionality of this "hack" should be restored. Reported-By: Raphaël Hertzog Tested-By: Adam Conrad Closes: 793360 LP: 1479207 Thanks: Raphaël Hertzog and Adam Conrad for detailed reports and initial patches --- test/integration/framework | 4 +- test/integration/test-apt-never-markauto-sections | 106 ++++++++++++++++++++++ 2 files changed, 109 insertions(+), 1 deletion(-) create mode 100755 test/integration/test-apt-never-markauto-sections (limited to 'test') diff --git a/test/integration/framework b/test/integration/framework index 3bfd8e435..20686148b 100644 --- a/test/integration/framework +++ b/test/integration/framework @@ -509,10 +509,12 @@ echo '$NAME says \"Hello!\"'" > ${BUILDDIR}/${NAME} -- Joe Sixpack $(date -R)" > ${BUILDDIR}/debian/changelog echo "Source: $NAME -Section: $SECTION Priority: $PRIORITY Maintainer: Joe Sixpack Standards-Version: 3.9.3" > ${BUILDDIR}/debian/control + if [ "$SECTION" != '' ]; then + echo "Section: $SECTION" >> ${BUILDDIR}/debian/control + fi local BUILDDEPS="$(echo "$DEPENDENCIES" | grep '^Build-')" test -z "$BUILDDEPS" || echo "$BUILDDEPS" >> ${BUILDDIR}/debian/control echo " diff --git a/test/integration/test-apt-never-markauto-sections b/test/integration/test-apt-never-markauto-sections new file mode 100755 index 000000000..6c88c69fa --- /dev/null 
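Review bot: The new `if [ "$SECTION" != '' ]` guard only omits the Section field if SECTION is really empty at this point, and the hunk does not show how SECTION is assigned. If the assignment applies a non-empty fallback for an empty argument, a caller passing `''` (as the new test does for 'nosection') would still get a Section line, and the test's `testfailure grep 'Section'` check would not exercise what it intends. Worth confirming against the top of the function, and a one-line comment such as `# an empty SECTION builds the package without a Section field` would make the contract explicit. As a style point, `[ -n "$SECTION" ]` states the condition more directly, and the redirect target would be safer quoted, as in `>> "${BUILDDIR}/debian/control"`. The enclosing function starts and ends outside the hunk.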
+++ b/test/integration/test-apt-never-markauto-sections 
@@ -0,0 +1,106 @@
+#!/bin/sh
+set -e
+
+TESTDIR=$(readlink -f $(dirname $0))
+. $TESTDIR/framework
+setupenvironment
+configarchitecture 'amd64' 'i386'
+
+aptconfig dump --no-empty --format '%v%n' APT::Never-MarkAuto-Sections > nevermarkauto.sections
+testsuccess grep '^metapackages$' nevermarkauto.sections
+
+# this is a very crude regression test, not a "this is how it should be" test:
+# In theory mydesktop-core and texteditor should be marked as manual, but
+# texteditor is installed as a dependency of bad-texteditor, not of
+# mydesktop-core and mydesktop-core is removed while bad-texteditor is
+# installed losing the manual bit as the problem resolver will later decide to
+# drop bad-texteditor and re-instate mydesktop-core which is considered an
+# auto-install at that point (in theory the never-auto handling should be
+# copied to this place – as to the many other places dependencies are resolved
+# 'by hand' instead of via MarkInstall AutoInst…
+#
+# Both could be fixed if apt would figure out early that installing
+# bad-texteditor is a bad idea and eventually it should (as mydesktop-core is
+# a direct descendant of mydesktop which was a user-request mydesktop-core should
+# be as protected from removal as mydesktop is), but this is hard in the general case
+# as with more or-groups and provides you can produce 'legal' examples for this.
+
+buildsimplenativepackage 'mydesktop' 'all' '1' 'unstable' 'Depends: mydesktop-core, foreignpkg
+Recommends: notavailable' '' 'metapackages'
+buildsimplenativepackage 'mydesktop-core' 'amd64' '1' 'unstable' 'Depends: bad-texteditor | texteditor, browser (>= 42), nosection, foreignpkg
+Recommends: notavailable
+Multi-Arch: foreign' '' 'metapackages'
+buildsimplenativepackage 'browser' 'amd64' '41' 'stable'
+buildsimplenativepackage 'browser' 'amd64' '42' 'unstable'
+buildsimplenativepackage 'texteditor' 'amd64' '1' 'stable'
+buildsimplenativepackage 'bad-texteditor' 'amd64' '1' 'stable' 'Depends: texteditor
+Conflicts: mydesktop-core'
+buildsimplenativepackage 'nosection' 'amd64' '1' 'stable' '' '' ''
+buildsimplenativepackage 'foreignpkg' 'i386' '1' 'stable' 'Multi-Arch: foreign'
+setupaptarchive
+
+testsuccess aptcache show nosection
+testfailure grep 'Section' rootdir/tmp/testsuccess.output
+testequal 'dpkg' aptmark showmanual
+
+testsuccess aptget install mydesktop -y -o Debug::pkgProblemResolver=1 -o Debug::pkgDepCache::Marker=1
+
+testequal 'browser
+dpkg
+foreignpkg:i386
+mydesktop
+nosection' aptmark showmanual
+testmarkedauto 'mydesktop-core' 'texteditor'
+
+testequal 'Reading package lists...
+Building dependency tree...
+Reading state information...
+The following packages will be REMOVED:
+ mydesktop mydesktop-core texteditor
+0 upgraded, 0 newly installed, 3 to remove and 0 not upgraded.
+Remv mydesktop [1]
+Remv mydesktop-core [1]
+Remv texteditor [1]' aptget autoremove mydesktop -s
+
+testequal 'Reading package lists...
+Building dependency tree...
+Reading state information...
+The following packages will be REMOVED:
+ mydesktop mydesktop-core texteditor
+0 upgraded, 0 newly installed, 3 to remove and 0 not upgraded.
+Remv mydesktop [1]
+Remv mydesktop-core [1]
+Remv texteditor [1]' aptget autoremove texteditor -s
+testsuccess aptget autoremove texteditor -y
+
+testdpkgnotinstalled mydesktop mydesktop-core texteditor
+testdpkginstalled browser
+
+testequal 'browser
+dpkg
+foreignpkg:i386
+nosection' aptmark showmanual
+testmarkedauto
+
+# test that installed/upgraded auto-pkgs are not set to manual
+
+testsuccess aptget install browser=41 -y --force-yes
+
+testequal 'browser
+dpkg
+foreignpkg:i386
+nosection' aptmark showmanual
+testmarkedauto
+testsuccess aptmark auto browser
+testmarkedauto 'browser'
+testsuccess aptmark auto nosection
+testmarkedauto 'browser' 'nosection'
+testequal 'dpkg
+foreignpkg:i386' aptmark showmanual
+
+testsuccess aptget install mydesktop -y
+
+testequal 'dpkg
+foreignpkg:i386
+mydesktop' aptmark showmanual
+testmarkedauto 'browser' 'nosection' 'mydesktop-core' 'texteditor'
-- cgit v1.2.3
From 130f34b7bc48bb05cc192ca6c66606fd99509b3e Mon Sep 17 00:00:00 2001
From: Julian Andres Klode
Date: Fri, 21 Aug 2015 18:00:37 +0200
Subject: Do not parse Status fields from remote sources This could allow an attacker to mark a package as installed in a remote package index, as long as the package was not listed in the dpkg status file. This way, an attacker could force the installation of a package during a dist-upgrade, by providing two packages in an index, an older marked as installed, and a newer - apt would "upgrade" to the newer version.
---
test/integration/test-security-no-remote-status | 30 +++++++++++++++++++++++++
1 file changed, 30 insertions(+)
create mode 100755 test/integration/test-security-no-remote-status
(limited to 'test')
diff --git a/test/integration/test-security-no-remote-status b/test/integration/test-security-no-remote-status
new file mode 100755
index 000000000..b7cd0b0d1
--- /dev/null
+++ b/test/integration/test-security-no-remote-status
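Review bot: `TESTDIR=$(readlink -f $(dirname $0))` and `. $TESTDIR/framework` at the top of the new test leave `$0` and `$TESTDIR` unquoted. A checkout path containing whitespace or glob characters is then word-split, so the framework is not sourced from where the test lives. Quoting fixes it: `TESTDIR="$(readlink -f "$(dirname "$0")")"` and `. "$TESTDIR/framework"`. The same two lines open test/integration/test-security-no-remote-status later in this series and deserve the same change.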
@@ -0,0 +1,30 @@
+#!/bin/sh
+#
+# Test that packages from remote sources cannot set the Status field.
+#
+set -e
+
+TESTDIR=$(readlink -f $(dirname $0))
+. $TESTDIR/framework
+setupenvironment
+configarchitecture 'amd64'
+
+TMPDIR=$(readlink -f .)
+
+insertpackage 'unstable' 'pretends-installed' 'all' '1' 'Status: install ok installed'
+insertinstalledpackage 'really-installed' 'all' '1'
+setupaptarchive
+
+testequal "pretends-installed:
+ Installed: (none)
+ Candidate: 1
+ Version table:
+ 1 0
+ 500 file:${TMPDIR}/aptarchive/ unstable/main amd64 Packages" aptcache policy pretends-installed
+
+testequal "really-installed:
+ Installed: 1
+ Candidate: 1
+ Version table:
+ *** 1 0
+ 100 ${TMPDIR}/rootdir/var/lib/dpkg/status" aptcache policy really-installed
-- cgit v1.2.3
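Review bot: The test pins only the `aptcache policy` view of a single remote version, while the scenario in the commit message involves two versions in one index and a dist-upgrade. Nothing here would fail if a remote Status field were ignored in policy output but still influenced the upgrade calculation. Consider adding a separate package pair before `setupaptarchive` (an older version carrying `'Status: install ok installed'` and a newer one without it, names constructed for the test) and asserting that a simulated `aptget dist-upgrade -s` proposes no installation. Separately, `TMPDIR=$(readlink -f .)` reuses the name of the standard temp-directory variable. If the framework exports TMPDIR (not visible here), child processes would create their temporary files in the test directory, so a neutral name such as `WORKDIR` would be safer.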