From daff4aa356128310f022370f7825bdc369c66ba8 Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Wed, 17 Sep 2014 14:57:05 +0200 Subject: Fix regression for file:/// uris from CVE-2014-0487 Do not run ReverifyAfterIMS() for local file URIs as this will causes apt to mess around in the file:/// uri space. This is wrong in itself, but it will also cause a incorrect verification failure when the archive and the lists directory are on different partitions as rename(). --- test/integration/test-apt-update-file | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100755 test/integration/test-apt-update-file (limited to 'test/integration/test-apt-update-file') diff --git a/test/integration/test-apt-update-file b/test/integration/test-apt-update-file new file mode 100755 index 000000000..069f8ba2f --- /dev/null +++ b/test/integration/test-apt-update-file @@ -0,0 +1,27 @@ +#!/bin/sh +# +# Ensure that we do not modify file:/// uris (regression test for +# CVE-2014-0487 +# +set -e + +TESTDIR=$(readlink -f $(dirname $0)) +. $TESTDIR/framework + +setupenvironment +configarchitecture "amd64" +configcompression 'bz2' 'gz' + +insertpackage 'unstable' 'foo' 'all' '1.0' + +umask 022 +setupaptarchive --no-update + +# ensure the archive is not writable +chmod 550 aptarchive/dists/unstable/main/binary-amd64 + +testsuccess aptget update -qq +testsuccess aptget update -qq + +# the cleanup should still work +chmod 750 aptarchive/dists/unstable/main/binary-amd64 -- cgit v1.2.3-70-g09d2 From 23d0a6fbee9e8880107481502e14411961c44a7b Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Wed, 17 Sep 2014 17:48:27 +0200 Subject: improve test for commit daff4a --- apt-pkg/acquire-item.cc | 5 +++-- test/integration/test-apt-update-file | 7 +++++++ 2 files changed, 10 insertions(+), 2 deletions(-) (limited to 'test/integration/test-apt-update-file') diff --git a/apt-pkg/acquire-item.cc b/apt-pkg/acquire-item.cc index 2ced65aa2..5df43726b 100644 --- a/apt-pkg/acquire-item.cc +++ b/apt-pkg/acquire-item.cc @@ -1141,13 +1141,14 @@ void pkgAcqIndex::Done(string Message,unsigned long long Size,string Hash, else Local = true; - // The files timestamp matches + // The files timestamp matches, for non-local URLs reverify the local + // file, for local file, uncompress again to ensure the hashsum is still + // matching the Release file if (!Local && StringToBool(LookupTag(Message,"IMS-Hit"),false) == true) { ReverifyAfterIMS(FileName); return; } - string decompProg; // If we enable compressed indexes, queue for hash verification diff --git a/test/integration/test-apt-update-file b/test/integration/test-apt-update-file index 069f8ba2f..e267c71da 100755 --- a/test/integration/test-apt-update-file +++ b/test/integration/test-apt-update-file @@ -22,6 +22,13 @@ chmod 550 aptarchive/dists/unstable/main/binary-amd64 testsuccess aptget update -qq testsuccess aptget update -qq +aptget update -qq -o Debug::pkgAcquire::Auth=1 2> output.log + +# ensure that the hash of the uncompressed file was verified even on a local +# ims hit +canary="SHA512:$(bzcat aptarchive/dists/unstable/main/binary-amd64/Packages.bz2 | sha512sum |cut -f1 -d' ')" +grep -q "RecivedHash: $canary" output.log + # the cleanup should still work chmod 750 aptarchive/dists/unstable/main/binary-amd64 -- cgit v1.2.3-70-g09d2 From 8b451962751298876d1f399e4de492d8adbb135a Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Fri, 19 Sep 2014 16:41:50 +0200 Subject: test/integration/test-apt-update-file: improve test --- test/integration/test-apt-update-file | 2 ++ test/integration/test-bug-762160-relpath | 15 +++++++++++++++ 2 files changed, 17 insertions(+) create mode 100755 test/integration/test-bug-762160-relpath (limited to 'test/integration/test-apt-update-file') diff --git a/test/integration/test-apt-update-file b/test/integration/test-apt-update-file index e267c71da..fbcd473cc 100755 --- a/test/integration/test-apt-update-file +++ b/test/integration/test-apt-update-file @@ -29,6 +29,8 @@ aptget update -qq -o Debug::pkgAcquire::Auth=1 2> output.log canary="SHA512:$(bzcat aptarchive/dists/unstable/main/binary-amd64/Packages.bz2 | sha512sum |cut -f1 -d' ')" grep -q "RecivedHash: $canary" output.log +# foo is still available +testsuccess aptget install -s foo # the cleanup should still work chmod 750 aptarchive/dists/unstable/main/binary-amd64 diff --git a/test/integration/test-bug-762160-relpath b/test/integration/test-bug-762160-relpath new file mode 100755 index 000000000..0af71f57b --- /dev/null +++ b/test/integration/test-bug-762160-relpath @@ -0,0 +1,15 @@ +#!/bin/sh +set -e + +# dpkg implements versioned provides in commit 5bb02fe80e9f40dcad9703a72f67cf615ff217b5 +# but previous versions seem to allow parsing, working and ignoring it. + +TESTDIR=$(readlink -f $(dirname $0)) +. $TESTDIR/framework +setupenvironment +configarchitecture 'amd64' + +insertpackage 'unstable' 'foo' 'all' '1' +setupaptarchive + +aptget update -o Dir=./apt -- cgit v1.2.3-70-g09d2