From ca7fd76c2f30c100dcf1c12e717ce397cccd690b Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Tue, 16 Sep 2014 20:23:43 +0200 Subject: SECURITY UPDATE for CVE-2014-{0488,0487,0489} incorrect invalidating of unauthenticated data (CVE-2014-0488) incorect verification of 304 reply (CVE-2014-0487) incorrect verification of Acquire::Gzip indexes (CVE-2014-0489) --- test/integration/test-apt-update-stale | 46 ++++++++++++++++++++++++++++ test/integration/test-apt-update-unauth | 48 ++++++++++++++++++++++++++++++ test/integration/test-hashsum-verification | 14 +++++++-- 3 files changed, 105 insertions(+), 3 deletions(-) create mode 100755 test/integration/test-apt-update-stale create mode 100755 test/integration/test-apt-update-unauth (limited to 'test') diff --git a/test/integration/test-apt-update-stale b/test/integration/test-apt-update-stale new file mode 100755 index 000000000..780ff79af --- /dev/null +++ b/test/integration/test-apt-update-stale @@ -0,0 +1,46 @@ +#!/bin/sh +# +# Ensure that a MITM can not stale the Packages/Sources without +# raising a error message. Note that the Release file is protected +# via the "Valid-Until" header +# +set -e + +TESTDIR=$(readlink -f $(dirname $0)) +. $TESTDIR/framework + +setupenvironment +configarchitecture "i386" + +insertpackage 'unstable' 'foo' 'all' '1.0' + +setupaptarchive +changetowebserver +aptget update -qq + +# insert new version +mkdir aptarchive/dists/unstable/main/binary-i386/saved +cp -p aptarchive/dists/unstable/main/binary-i386/Packages* \ + aptarchive/dists/unstable/main/binary-i386/saved +insertpackage 'unstable' 'foo' 'all' '2.0' + +# not using compressfile for compat with older apt releases +gzip -c aptarchive/dists/unstable/main/binary-i386/Packages > \ + aptarchive/dists/unstable/main/binary-i386/Packages.gz +generatereleasefiles +signreleasefiles + +# ensure that we do not get a I-M-S hit for the Release file +touch -d "+1hour" aptarchive/dists/unstable/*Release* + +# but now only deliver the previous Packages file instead of the new one +# (simulating a stale attack) +cp -p aptarchive/dists/unstable/main/binary-i386/saved/Packages* \ + aptarchive/dists/unstable/main/binary-i386/ + +# ensure this raises a error +testequal "W: Failed to fetch http://localhost:8080/dists/unstable/main/binary-i386/Packages Hash Sum mismatch + +E: Some index files failed to download. They have been ignored, or old ones used instead." aptget update -qq + + diff --git a/test/integration/test-apt-update-unauth b/test/integration/test-apt-update-unauth new file mode 100755 index 000000000..13487603c --- /dev/null +++ b/test/integration/test-apt-update-unauth @@ -0,0 +1,48 @@ +#!/bin/sh +# +# Ensure that when going from unauthenticated to authenticated all +# files are checked again +# +set -e + +TESTDIR=$(readlink -f $(dirname $0)) +. $TESTDIR/framework + +setupenvironment +configarchitecture "i386" + +insertpackage 'unstable' 'foo' 'all' '1.0' +insertsource 'unstable' 'foo' 'all' '1.0' + +setupaptarchive +changetowebserver + +runtest() { + # start unauthenticated + find rootdir/var/lib/apt/lists/ -type f | xargs rm -f + rm -f aptarchive/dists/unstable/*Release* + aptget update -qq + + # become authenticated + generatereleasefiles + signreleasefiles + + # and ensure we do download the data again + msgtest "Check that the data is check when going to authenticated" + if aptget update |grep -q Hit; then + msgfail + else + msgpass + fi +} + +for COMPRESSEDINDEXES in 'false' 'true'; do + echo "Acquire::GzipIndexes \"$COMPRESSEDINDEXES\";" > rootdir/etc/apt/apt.conf.d/compressindexes + if $COMPRESSEDINDEXES; then + msgmsg 'Run tests with GzipIndexes enabled' + else + msgmsg 'Run tests with GzipIndexes disabled' + fi + + runtest +done diff --git a/test/integration/test-hashsum-verification b/test/integration/test-hashsum-verification index e77efb46e..2a400dcb4 100755 --- a/test/integration/test-hashsum-verification +++ b/test/integration/test-hashsum-verification @@ -64,7 +64,7 @@ runtest() { msgtest 'No package from the source available' [ "$(aptcache show apt 2>&1)" = "E: No packages found" ] && msgpass || msgfail msgtest 'No Packages file in /var/lib/apt/lists' - [ "$(ls rootdir/var/lib/apt/lists/*Package* 2>/dev/null)" = "" ] && msgpass || msgfail + [ "$(ls rootdir/var/lib/apt/lists/*Package* 2>/dev/null | grep -v FAILED 2>/dev/null)" = "" ] && msgpass || msgfail # now with the unsigned Release file rm -rf rootdir/var/lib/apt/lists @@ -75,5 +75,13 @@ runtest() { } -runtest - +for COMPRESSEDINDEXES in 'false' 'true'; do + echo "Acquire::GzipIndexes \"$COMPRESSEDINDEXES\";" > rootdir/etc/apt/apt.conf.d/compressindexes + if $COMPRESSEDINDEXES; then + msgmsg 'Run tests with GzipIndexes enabled' + else + msgmsg 'Run tests with GzipIndexes disabled' + fi + + runtest +done -- cgit v1.2.3