only warn about missing/invalid Date field for now

The Date field in the Release file is useful to avoid allowing an attacker to 'downgrade' a user to earlier Release files (and hence to older states of the archieve with open security bugs). It is also needed to allow a user to define min/max values for the validation of a Release file (with or without the Release file providing a Valid-Until field). APT wasn't formally requiring this field before through and (agrueable not binding and still incomplete) online documentation declares it optional (until now), so we downgrade the error to a warning for now to give repository creators a bit more time to adapt – the bigger ones should have a Date field for years already, so the effected group should be small in any case. It should be noted that earlier apt versions had this as an error already, but only showed it if a Valid-Until field was present (or the user tried to used the configuration items for min/max valid-until). Closes: 809329
7 years ago · 6fc2e03084
3 changed files with 61 additions and 12 deletions
--- a/apt-pkg/deb/debmetaindex.cc
+++ b/apt-pkg/deb/debmetaindex.cc
@ -442,9 +442,8 @@ bool debReleaseIndex::Load(std::string const &Filename, std::string * const Erro
   std::string const StrDate = Section.FindS("Date");
   if (RFC1123StrToTime(StrDate.c_str(), Date) == false)
   {
-      if (ErrorText != NULL)
-	 strprintf(*ErrorText, _("Invalid 'Date' entry in Release file %s"), Filename.c_str());
-      return false;
+      _error->Warning( _("Invalid 'Date' entry in Release file %s"), Filename.c_str());
+      Date = 0;
   }

   bool CheckValidUntil = _config->FindB("Acquire::Check-Valid-Until", true);
@ -484,15 +483,18 @@ bool debReleaseIndex::Load(std::string const &Filename, std::string * const Erro
 	    MinAge = _config->FindI(("Acquire::Min-ValidTime::" + Label).c_str(), MinAge);
      }

-      if (MinAge != 0 && ValidUntil != 0) {
-	 time_t const min_date = Date + MinAge;
-	 if (ValidUntil < min_date)
-	    ValidUntil = min_date;
-      }
-      if (MaxAge != 0) {
-	 time_t const max_date = Date + MaxAge;
-	 if (ValidUntil == 0 || ValidUntil > max_date)
-	    ValidUntil = max_date;
+      if (MinAge != 0 || ValidUntil != 0 || MaxAge != 0)
+      {
+	 if (MinAge != 0 && ValidUntil != 0) {
+	    time_t const min_date = Date + MinAge;
+	    if (ValidUntil < min_date)
+	       ValidUntil = min_date;
+	 }
+	 if (MaxAge != 0 && Date != 0) {
+	    time_t const max_date = Date + MaxAge;
+	    if (ValidUntil == 0 || ValidUntil > max_date)
+	       ValidUntil = max_date;
+	 }
      }
   }

--- a/test/integration/framework
+++ b/test/integration/framework
@ -1522,6 +1522,14 @@ msgfailoutput() {
 			msgfailoutputstatfile "$2" "$3"
 		done
 		echo '#### test output ####'
+	elif [ "$1" = 'cmp' ]; then
+		echo >&2
+		while [ -n "$2" ]; do
+			echo "#### Complete file: $2 ####"
+			cat >&2 "$2" || true
+			shift
+		done
+		echo '#### cmp output ####'
 	fi
 	cat >&2 "$OUTPUT"
 	msgfail "$MSG"
--- a/test/integration/test-releasefile-date-older
+++ b/test/integration/test-releasefile-date-older
@ -60,3 +60,42 @@ redatereleasefiles 'now - 2 days'
 find aptarchive -name 'Release.gpg' -delete
 testsuccess aptget update
 testfileequal 'listsdir.lst' "$(listcurrentlistsdirectory)"
+
+msgmsg 'Release file has' 'no Date and no Valid-Until field'
+rm -rf rootdir/var/lib/apt/lists
+generatereleasefiles 'now'
+sed -i '/^Date: / d' $(find ./aptarchive -name 'Release')
+signreleasefiles
+testwarning aptget update
+listcurrentlistsdirectory > listsdir.lst
+# have no effect as Date is unknown
+testwarning aptget update -o Acquire::Min-ValidTime=$((3600*24*30))
+testfileequal 'listsdir.lst' "$(listcurrentlistsdirectory)"
+testwarning aptget update -o Acquire::Max-ValidTime=1
+testfileequal 'listsdir.lst' "$(listcurrentlistsdirectory)"
+sed -i '/^Codename: / a\
+Another-Field: yes' $(find aptarchive/ -name 'Release')
+touch -d 'now + 1 day' $(find aptarchive/ -name 'Release')
+signreleasefiles "${2:-Joe Sixpack}"
+testwarning aptget update
+testsuccess cmp $(find aptarchive/ -name 'InRelease')  $(find rootdir/var/lib/apt/ -name '*_InRelease')
+
+msgmsg 'Release file has' 'no Date field, but Valid-Until expired'
+rm -rf rootdir/var/lib/apt/lists
+generatereleasefiles 'now' 'now - 2 days'
+sed -i '/^Date: / d' $(find ./aptarchive -name 'Release')
+signreleasefiles
+testfailure aptget update
+listcurrentlistsdirectory > listsdir.lst
+# have no effect as Date is unknown
+testfailure aptget update -o Acquire::Min-ValidTime=$((3600*24*30))
+testfileequal 'listsdir.lst' "$(listcurrentlistsdirectory)"
+testfailure aptget update -o Acquire::Max-ValidTime=1
+testfileequal 'listsdir.lst' "$(listcurrentlistsdirectory)"
+
+msgmsg 'Release file has' 'no Date field, but Valid-Until is good'
+rm -rf rootdir/var/lib/apt/lists
+generatereleasefiles 'now' 'now + 2 days'
+sed -i '/^Date: / d' $(find ./aptarchive -name 'Release')
+signreleasefiles
+testwarning aptget update