You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 
 

241 lines
8.6 KiB

  1. #!/bin/sh
  2. #
  3. # ensure we never fallback from a signed to a unsigned repo
  4. #
  5. # hash checks are done in
  6. #
  7. set -e
  8. simulate_mitm_and_inject_evil_package()
  9. {
  10. redatereleasefiles '+1 hour'
  11. rm -f "$APTARCHIVE/dists/unstable/InRelease" "$APTARCHIVE/dists/unstable/Release.gpg"
  12. inject_evil_package
  13. }
  14. inject_evil_package()
  15. {
  16. cat > "$APTARCHIVE/dists/unstable/main/binary-i386/Packages" <<EOF
  17. Package: evil
  18. Installed-Size: 29
  19. Maintainer: Joe Sixpack <joe@example.org>
  20. Architecture: all
  21. Version: 1.0
  22. Filename: pool/evil_1.0_all.deb
  23. Size: 1270
  24. Description: an autogenerated evil package
  25. EOF
  26. # avoid ims hit
  27. touch -d '+1hour' aptarchive/dists/unstable/main/binary-i386/Packages
  28. compressfile aptarchive/dists/unstable/main/binary-i386/Packages
  29. }
  30. assert_update_is_refused_and_last_good_state_used()
  31. {
  32. testfailuremsg "E: The repository 'file:${APTARCHIVE} unstable Release' is no longer signed.
  33. N: Updating from such a repository can't be done securely, and is therefore disabled by default.
  34. N: See apt-secure(8) manpage for repository creation and user configuration details." aptget update
  35. assert_repo_is_intact
  36. }
  37. assert_repo_is_intact()
  38. {
  39. testsuccessequal "foo/unstable 2.0 all" apt list -qq
  40. testsuccess aptget install -y -s foo
  41. testfailure aptget install -y evil
  42. testsuccess aptget source foo --print-uris
  43. LISTDIR=rootdir/var/lib/apt/lists
  44. testempty find "$LISTDIR" -name 'InRelease' -o -name 'Release.gpg'
  45. }
  46. setupaptarchive_with_lists_clean()
  47. {
  48. setupaptarchive --no-update
  49. rm -rf rootdir/var/lib/apt/lists
  50. }
  51. test_from_inrelease_to_unsigned()
  52. {
  53. # setup archive with InRelease file
  54. setupaptarchive_with_lists_clean
  55. testsuccess aptget update
  56. listcurrentlistsdirectory > lists.before
  57. simulate_mitm_and_inject_evil_package
  58. assert_update_is_refused_and_last_good_state_used
  59. testfileequal lists.before "$(listcurrentlistsdirectory)"
  60. }
  61. test_from_release_gpg_to_unsigned()
  62. {
  63. # setup archive with Release/Release.gpg (but no InRelease)
  64. setupaptarchive_with_lists_clean
  65. rm "$APTARCHIVE/dists/unstable/InRelease"
  66. testsuccess aptget update
  67. listcurrentlistsdirectory > lists.before
  68. simulate_mitm_and_inject_evil_package
  69. assert_update_is_refused_and_last_good_state_used
  70. testfileequal lists.before "$(listcurrentlistsdirectory)"
  71. }
  72. test_from_inrelease_to_unsigned_with_override()
  73. {
  74. # setup archive with InRelease file
  75. setupaptarchive_with_lists_clean
  76. testsuccess aptget update
  77. # simulate moving to a unsigned but otherwise valid repo
  78. simulate_mitm_and_inject_evil_package
  79. generatereleasefiles '+2 hours'
  80. find "$APTARCHIVE" -name '*Packages*' -exec touch -d '+2 hours' {} \;
  81. # and ensure we can update to it (with enough force)
  82. testwarning aptget update --allow-insecure-repositories \
  83. -o Acquire::AllowDowngradeToInsecureRepositories=1 -o Debug::pkgAcquire::Worker=1 -o Debug::pkgAcquire::Auth=1
  84. # but that the individual packages are still considered untrusted
  85. testfailureequal "WARNING: The following packages cannot be authenticated!
  86. evil
  87. E: There were unauthenticated packages and -y was used without --allow-unauthenticated" aptget install -qq -y evil
  88. }
  89. test_cve_2012_0214()
  90. {
  91. # see https://bugs.launchpad.net/ubuntu/+source/apt/+bug/947108
  92. #
  93. # it was possible to MITM the download so that InRelease/Release.gpg
  94. # are not delivered (404) and a altered Release file was send
  95. #
  96. # apt left the old InRelease file in /var/lib/apt/lists and downloaded
  97. # the unauthenticated Release file too giving the false impression that
  98. # Release was authenticated
  99. #
  100. # Note that this is pretty much impossible nowadays because:
  101. # a) InRelease is left as is, not split to InRelease/Release as it was
  102. # in the old days
  103. # b) we refuse to go from signed->unsigned
  104. #
  105. # Still worth having a regression test the simulates the condition
  106. # setup archive with InRelease
  107. setupaptarchive_with_lists_clean
  108. testsuccess aptget update
  109. listcurrentlistsdirectory > lists.before
  110. # do what CVE-2012-0214 did
  111. rm "$APTARCHIVE/dists/unstable/InRelease" "$APTARCHIVE/dists/unstable/Release.gpg"
  112. inject_evil_package
  113. # build valid Release file
  114. aptftparchive -qq release ./aptarchive > aptarchive/dists/unstable/Release
  115. assert_update_is_refused_and_last_good_state_used
  116. testfileequal lists.before "$(listcurrentlistsdirectory)"
  117. # ensure there is no _Release file downloaded
  118. testfailure ls rootdir/var/lib/apt/lists/*_Release
  119. }
  120. test_subvert_inrelease()
  121. {
  122. # setup archive with InRelease
  123. setupaptarchive_with_lists_clean
  124. testsuccess aptget update
  125. listcurrentlistsdirectory > lists.before
  126. # replace InRelease with something else
  127. mv "$APTARCHIVE/dists/unstable/Release" "$APTARCHIVE/dists/unstable/InRelease"
  128. testfailuremsg "E: Failed to fetch file:${APTARCHIVE}/dists/unstable/InRelease Clearsigned file isn't valid, got 'NOSPLIT' (does the network require authentication?)
  129. E: Some index files failed to download. They have been ignored, or old ones used instead." aptget update
  130. # ensure we keep the repo
  131. testfileequal lists.before "$(listcurrentlistsdirectory)"
  132. assert_repo_is_intact
  133. }
  134. test_inrelease_to_invalid_inrelease()
  135. {
  136. # setup archive with InRelease
  137. setupaptarchive_with_lists_clean
  138. testsuccess aptget update
  139. listcurrentlistsdirectory > lists.before
  140. # now remove InRelease and subvert Release do no longer verify
  141. sed -i 's/^Codename:.*/Codename: evil!/' "$APTARCHIVE/dists/unstable/InRelease"
  142. inject_evil_package
  143. testwarningequal "W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: file:${APTARCHIVE} unstable InRelease: The following signatures were invalid: BADSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) <joe@example.org>
  144. W: Failed to fetch file:${APTARCHIVE}/dists/unstable/InRelease The following signatures were invalid: BADSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) <joe@example.org>
  145. W: Some index files failed to download. They have been ignored, or old ones used instead." aptget update -qq
  146. # ensure we keep the repo
  147. testfailure grep 'evil' rootdir/var/lib/apt/lists/*InRelease
  148. testfileequal lists.before "$(listcurrentlistsdirectory)"
  149. assert_repo_is_intact
  150. }
  151. test_release_gpg_to_invalid_release_release_gpg()
  152. {
  153. # setup archive with InRelease
  154. setupaptarchive_with_lists_clean
  155. rm "$APTARCHIVE/dists/unstable/InRelease"
  156. testsuccess aptget update
  157. listcurrentlistsdirectory > lists.before
  158. # now subvert Release do no longer verify
  159. echo "Some evil data" >> "$APTARCHIVE/dists/unstable/Release"
  160. inject_evil_package
  161. testwarningequal "W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: file:${APTARCHIVE} unstable Release: The following signatures were invalid: BADSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) <joe@example.org>
  162. W: Failed to fetch file:${APTARCHIVE}/dists/unstable/Release.gpg The following signatures were invalid: BADSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) <joe@example.org>
  163. W: Some index files failed to download. They have been ignored, or old ones used instead." aptget update -qq
  164. testfailure grep 'evil' rootdir/var/lib/apt/lists/*Release
  165. testfileequal lists.before "$(listcurrentlistsdirectory)"
  166. assert_repo_is_intact
  167. }
  168. TESTDIR="$(readlink -f "$(dirname "$0")")"
  169. . "$TESTDIR/framework"
  170. setupenvironment
  171. configarchitecture "i386"
  172. # a "normal" package with source and binary
  173. buildsimplenativepackage 'foo' 'all' '2.0'
  174. # setup the archive and ensure we have a single package that installs fine
  175. setupaptarchive
  176. APTARCHIVE="$(readlink -f ./aptarchive)"
  177. assert_repo_is_intact
  178. # test the various cases where a repo may go from signed->unsigned
  179. msgmsg "test_from_inrelease_to_unsigned"
  180. test_from_inrelease_to_unsigned
  181. msgmsg "test_from_release_gpg_to_unsigned"
  182. test_from_release_gpg_to_unsigned
  183. # ensure we do not regress on CVE-2012-0214
  184. msgmsg "test_cve_2012_0214"
  185. test_cve_2012_0214
  186. # ensure InRelease can not be subverted
  187. msgmsg "test_subvert_inrelease"
  188. test_subvert_inrelease
  189. # ensure we revert to last good state if InRelease does not verify
  190. msgmsg "test_inrelease_to_invalid_inrelease"
  191. test_inrelease_to_invalid_inrelease
  192. # ensure we revert to last good state if Release/Release.gpg does not verify
  193. msgmsg "test_release_gpg_to_invalid_release_release_gpg"
  194. test_release_gpg_to_invalid_release_release_gpg
  195. # ensure we can override the downgrade error
  196. msgmsg "test_from_inrelease_to_unsigned_with_override"
  197. test_from_inrelease_to_unsigned_with_override