#!/bin/sh
set -e
# Regression test: a detached signature file (Release.gpg) that carries
# extra data besides the signature itself must be rejected by apt.
# Per the original author's note, this behaviour is not covered by the CVE
# and is harmless by itself, but the exploit made use of it, and there is
# no reason to allow it.

# Resolve the directory holding this script and load the shared test
# helpers (setupenvironment, testfailure, msgmsg, ...) from it.
TESTDIR="$(readlink -f "$(dirname "$0")")"
. "$TESTDIR/framework"
setupenvironment
configarchitecture 'amd64'
# NOTE(review): presumably tells the framework not to produce a signed
# InRelease file, so the archive is covered only by Release plus the
# detached Release.gpg that this test tampers with; confirm in framework.
export APT_DONT_SIGN='InRelease'
# NOTE(review): presumably registers package 'foo' (architecture 'all',
# version '1') in 'unstable'; verify argument order against framework.
insertpackage 'unstable' 'foo' 'all' '1'
setupaptarchive
# Drop the lists directory under rootdir so the apt update calls below
# cannot rely on index files stored there earlier.
rm -rf rootdir/var/lib/apt/lists
# Assert that apt refuses the archive in its current (tampered) state.
# Statement order matters: the grep inspects the output recorded for the
# immediately preceding testfailure call.
verify() {
# apt update is expected to fail on the modified Release.gpg.
testfailure apt update
# The failure output must contain a line starting with
# " Detached signature file", i.e. the rejection has to name the detached
# signature as the reason rather than fail for some unrelated cause.
# NOTE(review): rootdir/tmp/testfailure.output is presumably written by
# the framework's testfailure helper; confirm.
testsuccess grep '^ Detached signature file' rootdir/tmp/testfailure.output
# Looking up the package must fail as well; presumably because no index
# data was accepted from the rejected update.
testfailure apt show foo
}
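# Each phase below tampers with every detached signature (Release.gpg) in
# aptarchive and then calls verify, which expects apt to reject the result.
# The phases build on one another (phase 1 creates the .bak copy that
# phases 2 and 3 read), so their order must not change.
#
# The read loops use `IFS= read -r` so each path is taken exactly as find
# printed it: no backslash processing and no trimming of leading or
# trailing whitespace. `-name 'Release.gpg'` matches that exact file name
# only, so the .bak copies are never picked up by the later loops.

# Phase 1: valid signature followed by unsigned data.
msgmsg 'Payload after detached signature'
find aptarchive -name 'Release.gpg' | while IFS= read -r FILE; do
  # Keep a pristine copy of the signature for the later phases.
  cp -a "$FILE" "${FILE}.bak"
  echo "evil payload" >> "$FILE"
done
verify

# Phase 2: the file still holds signature + payload from phase 1; appending
# the pristine copy yields signature, payload, signature.
msgmsg 'Payload in-between detached signatures'
find aptarchive -name 'Release.gpg' | while IFS= read -r FILE; do
  cat "${FILE}.bak" >> "$FILE"
done
verify

# Phase 3: start the file over with the payload, then append the pristine
# signature, giving unsigned data followed by a valid signature.
msgmsg 'Payload before detached signature'
find aptarchive -name 'Release.gpg' | while IFS= read -r FILE; do
  echo "evil payload" > "$FILE"
  cat "${FILE}.bak" >> "$FILE"
done
verify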