summaryrefslogtreecommitdiff
path: root/test/integration/test-apt-update-stale
diff options
context:
space:
mode:
authorMichael Vogt <mvo@ubuntu.com>2014-09-16 20:23:43 +0200
committerMichael Vogt <mvo@ubuntu.com>2014-09-16 20:39:13 +0200
commitca7fd76c2f30c100dcf1c12e717ce397cccd690b (patch)
tree70a49859068972ec03c8c70d581135ee4e1a9c7f /test/integration/test-apt-update-stale
parent13fe505ceed4cee05667c05cf07896386310ebbc (diff)
SECURITY UPDATE for CVE-2014-{0488,0487,0489}
incorrect invalidating of unauthenticated data (CVE-2014-0488) incorect verification of 304 reply (CVE-2014-0487) incorrect verification of Acquire::Gzip indexes (CVE-2014-0489)
Diffstat (limited to 'test/integration/test-apt-update-stale')
-rwxr-xr-xtest/integration/test-apt-update-stale46
1 files changed, 46 insertions, 0 deletions
diff --git a/test/integration/test-apt-update-stale b/test/integration/test-apt-update-stale
new file mode 100755
index 000000000..780ff79af
--- /dev/null
+++ b/test/integration/test-apt-update-stale
@@ -0,0 +1,46 @@
+#!/bin/sh
+#
+# Ensure that a MITM can not stale the Packages/Sources without
+# raising a error message. Note that the Release file is protected
+# via the "Valid-Until" header
+#
+set -e
+
+TESTDIR=$(readlink -f $(dirname $0))
+. $TESTDIR/framework
+
+setupenvironment
+configarchitecture "i386"
+
+insertpackage 'unstable' 'foo' 'all' '1.0'
+
+setupaptarchive
+changetowebserver
+aptget update -qq
+
+# insert new version
+mkdir aptarchive/dists/unstable/main/binary-i386/saved
+cp -p aptarchive/dists/unstable/main/binary-i386/Packages* \
+ aptarchive/dists/unstable/main/binary-i386/saved
+insertpackage 'unstable' 'foo' 'all' '2.0'
+
+# not using compressfile for compat with older apt releases
+gzip -c aptarchive/dists/unstable/main/binary-i386/Packages > \
+ aptarchive/dists/unstable/main/binary-i386/Packages.gz
+generatereleasefiles
+signreleasefiles
+
+# ensure that we do not get a I-M-S hit for the Release file
+touch -d "+1hour" aptarchive/dists/unstable/*Release*
+
+# but now only deliver the previous Packages file instead of the new one
+# (simulating a stale attack)
+cp -p aptarchive/dists/unstable/main/binary-i386/saved/Packages* \
+ aptarchive/dists/unstable/main/binary-i386/
+
+# ensure this raises a error
+testequal "W: Failed to fetch http://localhost:8080/dists/unstable/main/binary-i386/Packages Hash Sum mismatch
+
+E: Some index files failed to download. They have been ignored, or old ones used instead." aptget update -qq
+
+