From daff4aa356128310f022370f7825bdc369c66ba8 Mon Sep 17 00:00:00 2001
From: Michael Vogt <mvo@ubuntu.com>
Date: Wed, 17 Sep 2014 14:57:05 +0200
Subject: Fix regression for file:/// uris from CVE-2014-0487

Do not run ReverifyAfterIMS() for local file URIs as this will
causes apt to mess around in the file:/// uri space. This is
wrong in itself, but it will also cause a incorrect verification
failure when the archive and the lists directory are on different
partitions as rename().
---
 test/integration/test-apt-update-file | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100755 test/integration/test-apt-update-file

(limited to 'test')

diff --git a/test/integration/test-apt-update-file b/test/integration/test-apt-update-file
new file mode 100755
index 000000000..069f8ba2f
--- /dev/null
+++ b/test/integration/test-apt-update-file
@@ -0,0 +1,27 @@
+#!/bin/sh
+#
+# Ensure that we do not modify file:/// uris (regression test for
+# CVE-2014-0487
+#
+set -e
+
+TESTDIR=$(readlink -f $(dirname $0))
+. $TESTDIR/framework
+
+setupenvironment
+configarchitecture "amd64"
+configcompression 'bz2' 'gz' 
+
+insertpackage 'unstable' 'foo' 'all' '1.0'
+
+umask 022
+setupaptarchive --no-update
+
+# ensure the archive is not writable
+chmod 550 aptarchive/dists/unstable/main/binary-amd64
+
+testsuccess aptget update -qq
+testsuccess aptget update -qq
+
+# the cleanup should still work
+chmod 750 aptarchive/dists/unstable/main/binary-amd64
-- 
cgit v1.2.3