
test-cve-2013-1051-InRelease-parsing 3.1 KiB

support arch:all data e.g. in separate Packages file

Based on a discussion with Niels Thykier who asked for Contents-all this implements apt trying for all architecture dependent files to get a file for the architecture all, which is treated internally now as an official architecture which is always around (like native). This way arch:all data can be shared instead of duplicated for each architecture requiring the user to download the same information again and again.

There is one problem however: In Debian there is already a binary-all/ Packages file, but the binary-any files still include arch:all packages, so that downloading this file now would be a waste of time, bandwidth and diskspace. We therefore need a way to decide if it makes sense to download the all file for Packages in Debian or not.

The obvious answer would be a special flag in the Release file indicating this, which would need to default to 'no' and every reasonable repository would override it to 'yes' in a few years time, but the flag would be there "forever".

Looking closer at a Release file we see the field "Architectures", which doesn't include 'all' at the moment. With the idea outlined above that 'all' is a "proper" architecture now, we interpret this field as being authoritative in declaring which architectures are supported by this repository. If it says 'all', apt will try to get all, if not it will be skipped.

This gives us another interesting feature: If I configure a source to download armel and mips, but it declares it supports only armel, apt will now print a notice saying as much. Previously this was a very cryptic failure. If on the other hand the repository supports mips, too, but for some reason doesn't ship mips packages at the moment, this 'missing' file is silently ignored (= that is the same as the repository including an empty file).

The Architectures field isn't mandatory though, so if it isn't there, we assume that every architecture is supported by this repository, which skips the arch:all if not listed in the release file.
5 years ago
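The Architectures-field rule from the commit message above, as an added model (not apt's own code): which per-architecture index files get requested, given the user's configured architectures and the Release file's field. The function name and the notice wording are assumptions.

```python
def plan_index_fetch(configured, release_architectures):
    """Return (archs_to_fetch, notices) for one repository.

    configured: architectures the user asked for, e.g. ["armel", "mips"].
    release_architectures: words of the Release file's "Architectures" field,
    or None when the field is absent.
    Rules from the commit message:
      * 'all' is always wanted (like the native arch), but its index is only
        fetched when the repository explicitly lists 'all', because in Debian
        the binary-any files already contain the arch:all packages;
      * a configured arch the repository does not list is skipped with a
        notice instead of a cryptic download failure;
      * a missing field means every (real) architecture is assumed supported.
    """
    supported = None if release_architectures is None else set(release_architectures)
    wanted = [a for a in configured if a != "all"] + ["all"]
    fetch, notices = [], []
    for arch in wanted:
        if arch == "all":
            if supported is not None and "all" in supported:
                fetch.append(arch)
        elif supported is None or arch in supported:
            fetch.append(arch)
        else:
            # Constructed notice wording; apt's actual message differs.
            notices.append(f"N: repository declares no support for architecture '{arch}', skipping")
    return fetch, notices
```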
#!/bin/sh
set -e
TESTDIR="$(readlink -f "$(dirname "$0")")"
. "$TESTDIR/framework"
setupenvironment
configarchitecture 'i386'
insertpackage 'stable' 'good-pkg' 'all' '1.0'
setupaptarchive
changetowebserver
ARCHIVE="http://localhost:${APTHTTPPORT}"
msgtest 'Initial apt-get update should work with' 'InRelease'
testsuccess --nomsg aptget update
# check that the setup is correct
testsuccessequal "good-pkg:
  Installed: (none)
  Candidate: 1.0
  Version table:
     1.0 500
        500 ${ARCHIVE} stable/main all Packages" aptcache policy good-pkg
# now exchange to the Packages file, note that this could be
# done via MITM too
insertpackage 'stable' 'bad-mitm' 'all' '1.0'
# this builds compressed files and a new (unsigned) Release
buildaptarchivefromfiles '+1hour'
# add a space into the BEGIN PGP SIGNATURE PART/END PGP SIGNATURE part
# to trick apt - this is still legal to gpg(v)
sed -i '/^-----BEGIN PGP SIGNATURE-----/,/^-----END PGP SIGNATURE-----/ s/^$/ /g' aptarchive/dists/stable/InRelease
# we append the (evil unsigned) Release file to the (good signed) InRelease
cat aptarchive/dists/stable/Release >> aptarchive/dists/stable/InRelease
touch -d '+1hour' aptarchive/dists/stable/InRelease
# ensure the update doesn't load bad data as good data
# Note that we will pick up the InRelease itself as we download no other
# indexes which would trigger a hashsum mismatch, but we ignore the 'bad'
# part of the InRelease
# snapshot the lists directory (minus InRelease) to compare after the failed update
listcurrentlistsdirectory | sed '/_InRelease/ d' > listsdir.lst
msgtest 'apt-get update should ignore unsigned data in the' 'InRelease'
testwarningequal "Get:1 http://localhost:${APTHTTPPORT} stable InRelease [$(stat -c%s aptarchive/dists/stable/InRelease) B]
Err:1 http://localhost:${APTHTTPPORT} stable InRelease
Splitting up ${TMPWORKINGDIRECTORY}/rootdir/var/lib/apt/lists/partial/localhost:${APTHTTPPORT}_dists_stable_InRelease into data and signature failed
Reading package lists...
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://localhost:${APTHTTPPORT} stable InRelease: Splitting up ${TMPWORKINGDIRECTORY}/rootdir/var/lib/apt/lists/partial/localhost:${APTHTTPPORT}_dists_stable_InRelease into data and signature failed
W: Failed to fetch http://localhost:${APTHTTPPORT}/dists/stable/InRelease Splitting up ${TMPWORKINGDIRECTORY}/rootdir/var/lib/apt/lists/partial/localhost:${APTHTTPPORT}_dists_stable_InRelease into data and signature failed
W: Some index files failed to download. They have been ignored, or old ones used instead." --nomsg aptget update
# the previously downloaded indexes must be untouched
testfileequal './listsdir.lst' "$(listcurrentlistsdirectory | sed '/_InRelease/ d')"
# ensure there is no package
testfailureequal 'Reading package lists...
Building dependency tree...
E: Unable to locate package bad-mitm' aptget install bad-mitm -s
# and verify that it's not picked up
testsuccessequal 'N: Unable to locate package bad-mitm' aptcache policy bad-mitm
# and that the right one is used
testsuccessequal "good-pkg:
  Installed: (none)
  Candidate: 1.0
  Version table:
     1.0 500
        500 ${ARCHIVE} stable/main all Packages" aptcache policy good-pkg
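What the test expects apt to do when it splits an InRelease "into data and signature", as an added illustration that is not apt's code: a strict splitter that accepts exactly one clearsign envelope, tolerates the whitespace-only lines the test's sed puts into the signature block (still legal to gpg), and refuses anything outside the envelope, such as the unsigned Release the test appends. The sample InRelease and its placeholder signature are constructed here.

```python
BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"

def split_clearsigned(text):
    """Return (signed_data, armored_signature) or raise ValueError.
    Everything outside one BEGIN SIGNED MESSAGE ... END SIGNATURE envelope
    is rejected, so appended unsigned data can never be read as signed."""
    state, data, sig = "start", [], []
    for line in text.split("\n"):
        if state == "start":  # skip leading blank lines, then demand the header
            if line == "":
                continue
            if line != BEGIN_MSG:
                raise ValueError("data before the signed message")
            state = "headers"
        elif state == "headers":  # "Hash: ..." lines end at the first blank line
            if line == "":
                state = "data"
        elif state == "data":
            if line == BEGIN_SIG:
                state, sig = "sig", [line]
            elif line == BEGIN_MSG:
                raise ValueError("second signed message inside the data")
            else:  # undo dash-escaping of lines starting with "-" (RFC 4880 7.1)
                data.append(line[2:] if line.startswith("- ") else line)
        elif state == "sig":  # whitespace-only lines here are fine, as in the test
            sig.append(line)
            if line == END_SIG:
                state = "done"
        elif line.strip():  # state == "done": only whitespace may follow
            raise ValueError("unsigned data after the signature")
    if state != "done":
        raise ValueError("incomplete clearsigned message")
    return "\n".join(data), "\n".join(sig)

def splits_cleanly(text):
    """True when the file is a single well-formed clearsigned message."""
    try:
        split_clearsigned(text)
        return True
    except ValueError:
        return False

# Constructed sample InRelease with a placeholder (not real) signature.
GOOD = "\n".join([BEGIN_MSG, "Hash: SHA256", "", "Origin: testcases", "Suite: stable",
                  "Architectures: all i386", BEGIN_SIG, "", "iQEcBAEB(placeholder)", END_SIG, ""])
# The test's tampering: blank line in the signature block becomes a space, then an unsigned Release is appended.
SPACED = GOOD.replace(BEGIN_SIG + "\n\n", BEGIN_SIG + "\n \n")
TAMPERED = SPACED + "Origin: bad-mitm\nSuite: stable\n"
```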