summaryrefslogtreecommitdiff
path: root/test/integration/test-cve-2013-1051-InRelease-parsing
diff options
context:
space:
mode:
Diffstat (limited to 'test/integration/test-cve-2013-1051-InRelease-parsing')
-rwxr-xr-xtest/integration/test-cve-2013-1051-InRelease-parsing61
1 files changed, 61 insertions, 0 deletions
diff --git a/test/integration/test-cve-2013-1051-InRelease-parsing b/test/integration/test-cve-2013-1051-InRelease-parsing
new file mode 100755
index 000000000..bd68fccf6
--- /dev/null
+++ b/test/integration/test-cve-2013-1051-InRelease-parsing
@@ -0,0 +1,61 @@
+#!/bin/sh
+set -e
+
+TESTDIR=$(readlink -f $(dirname $0))
+. $TESTDIR/framework
+
+setupenvironment
+configarchitecture 'i386'
+
+insertpackage 'stable' 'good-pkg' 'all' '1.0'
+
+setupaptarchive
+
+changetowebserver
+ARCHIVE='http://localhost/'
+msgtest 'Initial apt-get update should work with' 'InRelease'
+aptget update -qq && msgpass || msgfail
+
+# check that the setup is correct
+testequal "good-pkg:
+ Installed: (none)
+ Candidate: 1.0
+ Version table:
+ 1.0 0
+ 500 ${ARCHIVE} stable/main i386 Packages" aptcache policy good-pkg
+
+# now exchange to the Packages file, note that this could be
+# done via MITM too
+insertpackage 'stable' 'bad-mitm' 'all' '1.0'
+
+# this builds compressed files and a new (unsigned) Release
+buildaptarchivefromfiles '+1hour'
+
+# add a space into the BEGIN PGP SIGNATURE PART/END PGP SIGNATURE part
+# to trick apt - this is still legal to gpg(v)
+sed -i '/^-----BEGIN PGP SIGNATURE-----/,/^-----END PGP SIGNATURE-----/ s/^$/ /g' aptarchive/dists/stable/InRelease
+
+# we append the (evil unsigned) Release file to the (good signed) InRelease
+cat aptarchive/dists/stable/Release >> aptarchive/dists/stable/InRelease
+
+
+# ensure the update fails
+# useful for debugging to add "-o Debug::pkgAcquire::auth=true"
+msgtest 'apt-get update for should fail with the modified' 'InRelease'
+aptget update 2>&1 | grep -q 'Hash Sum mismatch' > /dev/null && msgpass || msgfail
+
+# ensure there is no package
+testequal 'Reading package lists...
+Building dependency tree...
+E: Unable to locate package bad-mitm' aptget install bad-mitm -s
+
+# and verify that its not picked up
+testequal 'N: Unable to locate package bad-mitm' aptcache policy bad-mitm -q=0
+
+# and that the right one is used
+testequal "good-pkg:
+ Installed: (none)
+ Candidate: 1.0
+ Version table:
+ 1.0 0
+ 500 ${ARCHIVE} stable/main i386 Packages" aptcache policy good-pkg