summaryrefslogtreecommitdiff
path: root/test
diff options
context:
space:
mode:
Diffstat (limited to 'test')
-rwxr-xr-xtest/integration/test-cve-2020-273506
-rw-r--r--test/interactive-helper/createdeb-cve-2020-27350.cc84
2 files changed, 89 insertions, 1 deletions
diff --git a/test/integration/test-cve-2020-27350 b/test/integration/test-cve-2020-27350
index 6ee867bb3..336dc5b7e 100755
--- a/test/integration/test-cve-2020-27350
+++ b/test/integration/test-cve-2020-27350
@@ -11,3 +11,9 @@ testequal "E: Invalid archive member header" runapt ${APTTESTHELPERSBINDIR}/test
${APTTESTHELPERSBINDIR}/createdeb-cve-2020-27350 loop loop.deb
testequal "E: Invalid archive member header" runapt ${APTTESTHELPERSBINDIR}/testdeb ./loop.deb
+
+${APTTESTHELPERSBINDIR}/createdeb-cve-2020-27350 long-name long-name.deb
+testequal "E: Long name to large: 67108865 bytes > 1048576 bytes" runapt ${APTTESTHELPERSBINDIR}/extract-control long-name.deb control
+
+${APTTESTHELPERSBINDIR}/createdeb-cve-2020-27350 long-link long-link.deb
+testequal "E: Long name to large: 67108865 bytes > 1048576 bytes" runapt ${APTTESTHELPERSBINDIR}/extract-control long-link.deb control
diff --git a/test/interactive-helper/createdeb-cve-2020-27350.cc b/test/interactive-helper/createdeb-cve-2020-27350.cc
index 9103c2137..7c58eb9df 100644
--- a/test/interactive-helper/createdeb-cve-2020-27350.cc
+++ b/test/interactive-helper/createdeb-cve-2020-27350.cc
@@ -142,8 +142,82 @@ static void set_checksum(unsigned char block[512])
}
snprintf(tar->Checksum, sizeof(tar->Checksum), "%o", sum);
}
+static void base256_encode(char *Str, unsigned long long Num, unsigned int Len)
+{
+ Str += Len;
+ while (Len-- > 0) {
+ *--Str = static_cast<char>(Num & 0xff);
+ Num >>= 8;
+ }
+
+ *Str |= 0x80; // mark as base256
+}
+
+// Create a deb with a control.tar that contains a too large file or link name (GNU extension)
+static void createdeb_bigtarfilelength(const int fd, int flag, unsigned long long size = 64llu * 1024 * 1024 + 1)
+{
+ // Magic number
+ static const char *magic = "!<arch>\n";
+ write_chk(fd, magic, strlen(magic));
+
+ struct Header h;
+ memset(&h, ' ', sizeof(h));
+ memcpy(h.Name, "debian-binary/ ", sizeof(h.Name));
+ h.MTime[0] = '0';
+ h.UID[0] = '0';
+ h.GID[0] = '0';
+ memcpy(h.Mode, "644", 3);
+ h.Size[0] = '0';
+ memcpy(h.Magic, "`\n", 2);
+
+ write_chk(fd, &h, sizeof(h));
+
+ memset(&h, ' ', sizeof(h));
+ memcpy(h.Name, "data.tar/ ", sizeof(h.Name));
+ h.MTime[0] = '0';
+ h.UID[0] = '0';
+ h.GID[0] = '0';
+ memcpy(h.Mode, "644", 3);
+ h.Size[0] = '0';
+ memcpy(h.Magic, "`\n", 2);
+
+ write_chk(fd, &h, sizeof(h));
+
+ memset(&h, ' ', sizeof(h));
+ memcpy(h.Name, "control.tar/ ", sizeof(h.Name));
+ h.MTime[0] = '0';
+ h.UID[0] = '0';
+ h.GID[0] = '0';
+ memcpy(h.Mode, "644", 3);
+ memcpy(h.Size, "512", 3);
+ memcpy(h.Magic, "`\n", 2);
+
+ write_chk(fd, &h, sizeof(h));
+ union
+ {
+ struct TarHeader t;
+ unsigned char buf[512];
+ } t;
+ for (unsigned int i = 0; i < sizeof(t.buf); i++)
+ t.buf[i] = '7';
+ memcpy(t.t.Name, "control\0 ", 16);
+ memcpy(t.t.UserName, "userName", 8);
+ memcpy(t.t.GroupName, "thisIsAGroupNamethisIsAGroupName", 32);
+ t.t.LinkFlag = flag;
+ base256_encode(t.t.Size, size, sizeof(t.t.Size));
+ memset(t.t.Checksum, ' ', sizeof(t.t.Checksum));
+
+ unsigned long sum = 0;
+ for (unsigned int i = 0; i < sizeof(t.buf); i++)
+ sum += t.buf[i];
+
+ int written = sprintf(t.t.Checksum, "%lo", sum);
+ for (unsigned int i = written; i < sizeof(t.t.Checksum); i++)
+ t.t.Checksum[i] = ' ';
+
+ write_chk(fd, t.buf, sizeof(t.buf));
+}
-// This does not trigger a vulnerability. It is just a basis for exploration.
static void createdeb_test(const int fd)
{
// Magic number
@@ -221,6 +295,14 @@ int main(int argc, char *argv[])
{
createdeb_leakfd(fd);
}
+ else if (strcmp(mode, "long-name") == 0)
+ {
+ createdeb_bigtarfilelength(fd, 'L');
+ }
+ else if (strcmp(mode, "long-link") == 0)
+ {
+ createdeb_bigtarfilelength(fd, 'K');
+ }
else if (strcmp(mode, "test") == 0)
{
createdeb_test(fd);