From e90ba0afa2a27ecea792e8039b2917ec55647548 Mon Sep 17 00:00:00 2001 From: David Kalnischkies Date: Sat, 4 Mar 2023 11:52:29 +0100 Subject: Disable retries to speed up failure-propagation test Gbp-Dch: Ignore --- test/integration/test-apt-update-failure-propagation | 3 +++ 1 file changed, 3 insertions(+) diff --git a/test/integration/test-apt-update-failure-propagation b/test/integration/test-apt-update-failure-propagation index 8c7fd3b7e..f8de3b5c7 100755 --- a/test/integration/test-apt-update-failure-propagation +++ b/test/integration/test-apt-update-failure-propagation @@ -26,6 +26,9 @@ for FILE in rootdir/etc/apt/sources.list.d/*-sid-* ; do sed -i -e 's#https:#http:#' -e "s#:${APTHTTPSPORT}/#:${APTHTTPPORT}/#" "$FILE" done +# these tests are designed to fail, retries are just a waste of time here +echo 'Acquire::Retries 0;' > rootdir/etc/apt/apt.conf.d/disable-retries.conf + pretest() { msgmsg "$@" rm -rf rootdir/var/lib/apt/lists -- cgit v1.2.3-70-g09d2 From 937221fde2a5ca989a0b80728cd3ba3639f9f20e Mon Sep 17 00:00:00 2001 
From: David Kalnischkies Date: Sat, 4 Mar 2023 11:55:34 +0100 Subject: Do not store trusted=yes Release file unconditionally MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit A source marked with trusted=yes can still fail verification of the Release file, mostly for Date related issues, like being too new or too old, which have other options to force them in. The update code was not using the Release file (which was an InRelease file but failed verification – which was overridden by trusted=yes) as intended, but it marked it for storage, so that this "bad" Release file would end up being moved into lists/, which is bad as the indexes it refers to aren't updated while the next update run assumes that the indexes are in the state the Release file claims them to be in. Fixed simply by making the storage conditional on the usage as intended, which also resolves a second issue: The verification can also detect that a Release file we got is older than what we already have to avoid downgrade attacks. The more likely explanation is a slightly outdated mirror in a rotation/CDN though, so this gets the silent treatment to avoid scaring users by handling it as if we had got the same Release file we already have stored locally, removing the freshly received older file in the process alongside setting some variables. Those variables were already modified in the trusted=yes case though resulting in the stored Release file being removed instead. Not modifying the variables too early resolves this problem as well. Both seem to exist since at least 2015 as traces are visible in 448c38bdcd already, which shuffled lots of code around including the bad ones, but as we are in trusted=yes land, security is of no concern here, this "just" leads to failed pinning, hashsum mismatches and other strange problems in follow-up calls depending on how out of sync the Release file (if it's still present) is with the rest of the trusted data. 
Reported-By: Dima Kogan on IRC Tested-By: Dima Kogan --- apt-pkg/acquire-item.cc | 9 ++++++--- test/integration/framework | 8 ++++---- test/integration/test-releasefile-date-older | 28 ++++++++++++++++++++++++++++ 3 files changed, 38 insertions(+), 7 deletions(-) diff --git a/apt-pkg/acquire-item.cc b/apt-pkg/acquire-item.cc index 2014a50d5..7df6483ba 100644 --- a/apt-pkg/acquire-item.cc +++ b/apt-pkg/acquire-item.cc @@ -2030,7 +2030,6 @@ void pkgAcqMetaClearSig::Failed(string const &Message,pkgAcquire::MethodConfig c string const PartialRelease = GetPartialFileNameFromURI(DetachedDataTarget.URI); string const FinalInRelease = GetFinalFilename(); Rename(DestFile, PartialRelease); - TransactionManager->TransactionStageCopy(this, PartialRelease, FinalRelease); LoadLastMetaIndexParser(TransactionManager, FinalRelease, FinalInRelease); // we parse the indexes here because at this point the user wanted @@ -2038,7 +2037,10 @@ void pkgAcqMetaClearSig::Failed(string const &Message,pkgAcquire::MethodConfig c if (TransactionManager->MetaIndexParser->Load(PartialRelease, &ErrorText) == false || VerifyVendor(Message) == false) /* expired Release files are still a problem you need extra force for */; else + { + TransactionManager->TransactionStageCopy(this, PartialRelease, FinalRelease); TransactionManager->QueueIndexes(true); + } } } } @@ -2247,9 +2249,10 @@ void pkgAcqMetaSig::Failed(string const &Message,pkgAcquire::MethodConfig const if (MetaIndex->VerifyVendor(Message) == false) /* expired Release files are still a problem you need extra force for */; else + { + TransactionManager->TransactionStageCopy(MetaIndex, MetaIndex->DestFile, FinalRelease); TransactionManager->QueueIndexes(GoodLoad); - - TransactionManager->TransactionStageCopy(MetaIndex, MetaIndex->DestFile, FinalRelease); + } } else if (TransactionManager->IMSHit == false) Rename(MetaIndex->DestFile, MetaIndex->DestFile + ".FAILED"); 
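Review bot: The block added after `else` in pkgAcqMetaClearSig::Failed has no comment saying why TransactionStageCopy now lives inside it, and the comment left on the empty branch mentions only expired files. The commit message gives the reason (a rejected Release file must not be staged into lists/ while its indexes are not refreshed), and that belongs next to the code, e.g. `// stage the Release file only when its indexes are queued too, else lists/ gets out of sync`. The same comment is missing from the matching block in the pkgAcqMetaSig::Failed hunk. Inverting the condition so the empty-statement `if (...) /* ... */; else` form goes away would also make the guarded path easier to read. Both function bodies start and end outside their hunks.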
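Review bot: In pkgAcqMetaSig::Failed the new block stages the Release file whenever VerifyVendor passes and only hands `GoodLoad` on to QueueIndexes, whereas the pkgAcqMetaClearSig hunk stages only when `Load(...)` also succeeded. GoodLoad is defined outside the hunk, but if it holds the result of loading the Release file, a file that failed to parse still ends up in lists/ on this path. If that difference is not intended, guard the call, e.g. `if (GoodLoad) TransactionManager->TransactionStageCopy(MetaIndex, MetaIndex->DestFile, FinalRelease);`, and otherwise add a comment saying why the two paths differ.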
diff --git a/test/integration/framework b/test/integration/framework index d50b63518..264c228d0 100644 --- a/test/integration/framework +++ b/test/integration/framework @@ -1204,16 +1204,16 @@ generatereleasefiles() { msgninfo "\tGenerate Release files for flat… " aptftparchiverelease ./aptarchive > aptarchive/Release fi + if [ -n "$VALIDUNTIL" ]; then + sed -i "/^Date: / a\ +Valid-Until: $(date -u -d "$VALIDUNTIL" -R)" $(find ./aptarchive -name 'Release') + fi if [ -n "$DATE" -a "$DATE" != "now" ]; then for release in $(find ./aptarchive -name 'Release'); do sed -i "s/^Date: .*$/Date: $(date -u -d "$DATE" -R)/" "$release" touch -d "$DATE" "$release" done fi - if [ -n "$VALIDUNTIL" ]; then - sed -i "/^Date: / a\ -Valid-Until: $(date -u -d "$VALIDUNTIL" -R)" $(find ./aptarchive -name 'Release') - fi msgdone "info" } diff --git a/test/integration/test-releasefile-date-older b/test/integration/test-releasefile-date-older index e38ddc3c5..81c71ea9a 100755 --- a/test/integration/test-releasefile-date-older +++ b/test/integration/test-releasefile-date-older 
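Review bot: Nothing in generatereleasefiles says why the Valid-Until block now has to run before the Date block, so the order looks arbitrary and is easy to revert. Presumably the reason is that `sed -i` rewrites the file and would reset the mtime that `touch -d "$DATE" "$release"` has just set; if so, a comment above the moved block such as `# must run before the Date block: sed -i would undo the touch -d below` would record it. The function starts outside the hunk.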
@@ -102,3 +102,31 @@ generatereleasefiles 'now' 'now + 2 days' sed -i '/^Date: / d' $(find ./aptarchive -name 'Release') signreleasefiles testwarning aptget update + +# the repo is now signed by unknown key, but marked as trusted +rm -rf rootdir/etc/apt/trusted.gpg.d +sed -i -e 's#\(deb\(-src\)\?\) #\1 [trusted=yes] #' rootdir/etc/apt/sources.list.d/* + +msgmsg 'Forgot to disable in follow-up' 'Check-Date' +rm -rf rootdir/var/lib/apt/lists +generatereleasefiles 'now + 3 days' 'now + 7 days' +signreleasefiles +testfailure aptget update +testwarning aptget update -o Acquire::Check-Date=no +listcurrentlistsdirectory > listsdir.lst +generatereleasefiles 'now + 5 days' 'now + 13 days' +signreleasefiles +testfailure aptget update +testfileequal 'listsdir.lst' "$(listcurrentlistsdirectory)" +testwarning aptget update -o Acquire::Check-Date=no +testsuccess cmp "$(find aptarchive/ -name 'InRelease')" "$(find rootdir/var/lib/apt/ -name '*_Release')" + +msgmsg 'Force-Trusted InRelease file is silently ignored' 'new Date is before old Date' +rm -rf rootdir/var/lib/apt/lists +generatereleasefiles 'now' 'now + 7 days' +signreleasefiles +testwarning aptget update +listcurrentlistsdirectory > listsdir.lst +redatereleasefiles 'now - 2 days' +testwarning aptget update +testfileequal 'listsdir.lst' "$(listcurrentlistsdirectory)" -- cgit v1.2.3-70-g09d2
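Review bot: Both new cases appear to exercise only the InRelease path, since the `cmp` line looks up `InRelease` in aptarchive and nothing removes those files before the update calls. That leaves the parallel change in pkgAcqMetaSig::Failed (detached Release plus Release.gpg) without visible coverage in this hunk. Repeating the two cases with the InRelease files deleted from aptarchive, e.g. `find aptarchive -name 'InRelease' -delete` after `signreleasefiles`, and comparing against `Release` instead, would cover it.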