only warn about missing/invalid Date field for now

The Date field in the Release file is useful to avoid allowing an attacker to 'downgrade' a user to earlier Release files (and hence to older states of the archieve with open security bugs). It is also needed to allow a user to define min/max values for the validation of a Release file (with or without the Release file providing a Valid-Until field). APT wasn't formally requiring this field before through and (agrueable not binding and still incomplete) online documentation declares it optional (until now), so we downgrade the error to a warning for now to give repository creators a bit more time to adapt – the bigger ones should have a Date field for years already, so the effected group should be small in any case. It should be noted that earlier apt versions had this as an error already, but only showed it if a Valid-Until field was present (or the user tried to used the configuration items for min/max valid-until). Closes: 809329
5 years ago · 6fc2e03084
--- a/apt-pkg/deb/debmetaindex.cc
+++ b/apt-pkg/deb/debmetaindex.cc
@@ -442,9 +442,8 @@ bool debReleaseIndex::Load(std::string const &Filename, std::string * const Erro
   std::string const StrDate = Section.FindS("Date");
   if (RFC1123StrToTime(StrDate.c_str(), Date) == false)
   {
      if (ErrorText != NULL)
 	 strprintf(*ErrorText, _("Invalid 'Date' entry in Release file %s"), Filename.c_str());
      return false;
      _error->Warning( _("Invalid 'Date' entry in Release file %s"), Filename.c_str());
      Date = 0;
   }

   bool CheckValidUntil = _config->FindB("Acquire::Check-Valid-Until", true);
@@ -484,15 +483,18 @@ bool debReleaseIndex::Load(std::string const &Filename, std::string * const Erro
 	    MinAge = _config->FindI(("Acquire::Min-ValidTime::" + Label).c_str(), MinAge);
      }

      if (MinAge != 0 && ValidUntil != 0) {
 	 time_t const min_date = Date + MinAge;
 	 if (ValidUntil < min_date)
 	    ValidUntil = min_date;
      }
      if (MaxAge != 0) {
 	 time_t const max_date = Date + MaxAge;
 	 if (ValidUntil == 0 || ValidUntil > max_date)
 	    ValidUntil = max_date;
      if (MinAge != 0 || ValidUntil != 0 || MaxAge != 0)
      {
 	 if (MinAge != 0 && ValidUntil != 0) {
 	    time_t const min_date = Date + MinAge;
 	    if (ValidUntil < min_date)
 	       ValidUntil = min_date;
 	 }
 	 if (MaxAge != 0 && Date != 0) {
 	    time_t const max_date = Date + MaxAge;
 	    if (ValidUntil == 0 || ValidUntil > max_date)
 	       ValidUntil = max_date;
 	 }
      }
   }

--- a/test/integration/framework
+++ b/test/integration/framework
@@ -1522,6 +1522,14 @@ msgfailoutput() {
 			msgfailoutputstatfile "$2" "$3"
 		done
 		echo '#### test output ####'
 	elif [ "$1" = 'cmp' ]; then
 		echo >&2
 		while [ -n "$2" ]; do
 			echo "#### Complete file: $2 ####"
 			cat >&2 "$2" || true
 			shift
 		done
 		echo '#### cmp output ####'
 	fi
 	cat >&2 "$OUTPUT"
 	msgfail "$MSG"
--- a/test/integration/test-releasefile-date-older
+++ b/test/integration/test-releasefile-date-older
@@ -60,3 +60,42 @@ redatereleasefiles 'now - 2 days'
 find aptarchive -name 'Release.gpg' -delete
 testsuccess aptget update
 testfileequal 'listsdir.lst' "$(listcurrentlistsdirectory)"

 msgmsg 'Release file has' 'no Date and no Valid-Until field'
 rm -rf rootdir/var/lib/apt/lists
 generatereleasefiles 'now'
 sed -i '/^Date: / d' $(find ./aptarchive -name 'Release')
 signreleasefiles
 testwarning aptget update
 listcurrentlistsdirectory > listsdir.lst
 # have no effect as Date is unknown
 testwarning aptget update -o Acquire::Min-ValidTime=$((3600*24*30))
 testfileequal 'listsdir.lst' "$(listcurrentlistsdirectory)"
 testwarning aptget update -o Acquire::Max-ValidTime=1
 testfileequal 'listsdir.lst' "$(listcurrentlistsdirectory)"
 sed -i '/^Codename: / a\
 Another-Field: yes' $(find aptarchive/ -name 'Release')
 touch -d 'now + 1 day' $(find aptarchive/ -name 'Release')
 signreleasefiles "${2:-Joe Sixpack}"
 testwarning aptget update
 testsuccess cmp $(find aptarchive/ -name 'InRelease')  $(find rootdir/var/lib/apt/ -name '*_InRelease')

 msgmsg 'Release file has' 'no Date field, but Valid-Until expired'
 rm -rf rootdir/var/lib/apt/lists
 generatereleasefiles 'now' 'now - 2 days'
 sed -i '/^Date: / d' $(find ./aptarchive -name 'Release')
 signreleasefiles
 testfailure aptget update
 listcurrentlistsdirectory > listsdir.lst
 # have no effect as Date is unknown
 testfailure aptget update -o Acquire::Min-ValidTime=$((3600*24*30))
 testfileequal 'listsdir.lst' "$(listcurrentlistsdirectory)"
 testfailure aptget update -o Acquire::Max-ValidTime=1
 testfileequal 'listsdir.lst' "$(listcurrentlistsdirectory)"

 msgmsg 'Release file has' 'no Date field, but Valid-Until is good'
 rm -rf rootdir/var/lib/apt/lists
 generatereleasefiles 'now' 'now + 2 days'
 sed -i '/^Date: / d' $(find ./aptarchive -name 'Release')
 signreleasefiles
 testwarning aptget update