summaryrefslogtreecommitdiffstats
path: root/meta/recipes-devtools/apt/apt-0.9.9.4/apt-0.9.9.4-CVE-2014-0478.patch
diff options
context:
space:
mode:
Diffstat (limited to 'meta/recipes-devtools/apt/apt-0.9.9.4/apt-0.9.9.4-CVE-2014-0478.patch')
-rw-r--r--meta/recipes-devtools/apt/apt-0.9.9.4/apt-0.9.9.4-CVE-2014-0478.patch193
1 files changed, 193 insertions, 0 deletions
diff --git a/meta/recipes-devtools/apt/apt-0.9.9.4/apt-0.9.9.4-CVE-2014-0478.patch b/meta/recipes-devtools/apt/apt-0.9.9.4/apt-0.9.9.4-CVE-2014-0478.patch
new file mode 100644
index 0000000000..79a6897572
--- /dev/null
+++ b/meta/recipes-devtools/apt/apt-0.9.9.4/apt-0.9.9.4-CVE-2014-0478.patch
@@ -0,0 +1,193 @@
1This patch comes from:
2https://bugs.debian.org/cgi-bin/bugreport.cgi?msg=73;filename=apt_0.9.7.9%2Bdeb7u2.debdiff;att=1;bug=749795
3
4Upstream-Status: Backport
5
6Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com>
7Signed-off-by: Chong Lu <Chong.Lu@windriver.com>
8
9diff -uarN apt-0.9.9.4-org/cmdline/apt-get.cc apt-0.9.9.4/cmdline/apt-get.cc
10--- apt-0.9.9.4-org/cmdline/apt-get.cc 2014-08-29 15:37:42.587156134 +0800
11+++ apt-0.9.9.4/cmdline/apt-get.cc 2014-08-29 15:51:16.672334086 +0800
12@@ -1046,25 +1046,8 @@
13 return true;
14 }
15 /*}}}*/
16-// CheckAuth - check if each download comes form a trusted source /*{{{*/
17-// ---------------------------------------------------------------------
18-/* */
19-static bool CheckAuth(pkgAcquire& Fetcher)
20+static bool AuthPrompt(std::string UntrustedList, bool const PromptUser)
21 {
22- string UntrustedList;
23- for (pkgAcquire::ItemIterator I = Fetcher.ItemsBegin(); I < Fetcher.ItemsEnd(); ++I)
24- {
25- if (!(*I)->IsTrusted())
26- {
27- UntrustedList += string((*I)->ShortDesc()) + " ";
28- }
29- }
30-
31- if (UntrustedList == "")
32- {
33- return true;
34- }
35-
36 ShowList(c2out,_("WARNING: The following packages cannot be authenticated!"),UntrustedList,"");
37
38 if (_config->FindB("APT::Get::AllowUnauthenticated",false) == true)
39@@ -1073,6 +1056,9 @@
40 return true;
41 }
42
43+ if (PromptUser == false)
44+ return _error->Error(_("Some packages could not be authenticated"));
45+
46 if (_config->FindI("quiet",0) < 2
47 && _config->FindB("APT::Get::Assume-Yes",false) == false)
48 {
49@@ -1090,6 +1076,28 @@
50 return _error->Error(_("There are problems and -y was used without --force-yes"));
51 }
52 /*}}}*/
53+// CheckAuth - check if each download comes form a trusted source /*{{{*/
54+// ---------------------------------------------------------------------
55+/* */
56+static bool CheckAuth(pkgAcquire& Fetcher, bool PromptUser=true)
57+{
58+ string UntrustedList;
59+ for (pkgAcquire::ItemIterator I = Fetcher.ItemsBegin(); I < Fetcher.ItemsEnd(); ++I)
60+ {
61+ if (!(*I)->IsTrusted())
62+ {
63+ UntrustedList += string((*I)->ShortDesc()) + " ";
64+ }
65+ }
66+
67+ if (UntrustedList == "")
68+ {
69+ return true;
70+ }
71+
72+ return AuthPrompt(UntrustedList, PromptUser);
73+}
74+
75 // InstallPackages - Actually download and install the packages /*{{{*/
76 // ---------------------------------------------------------------------
77 /* This displays the informative messages describing what is going to
78@@ -2482,6 +2490,7 @@
79
80 // Load the requestd sources into the fetcher
81 unsigned J = 0;
82+ std::string UntrustedList;
83 for (const char **I = CmdL.FileList + 1; *I != 0; I++, J++)
84 {
85 string Src;
86@@ -2491,7 +2500,10 @@
87 delete[] Dsc;
88 return _error->Error(_("Unable to find a source package for %s"),Src.c_str());
89 }
90-
91+
92+ if (Last->Index().IsTrusted() == false)
93+ UntrustedList += Src + " ";
94+
95 string srec = Last->AsStr();
96 string::size_type pos = srec.find("\nVcs-");
97 while (pos != string::npos)
98@@ -2575,7 +2587,11 @@
99 Last->Index().SourceInfo(*Last,*I),Src);
100 }
101 }
102-
103+
104+ // check authentication status of the source as well
105+ if (UntrustedList != "" && !AuthPrompt(UntrustedList, false))
106+ return false;
107+
108 // Display statistics
109 unsigned long long FetchBytes = Fetcher.FetchNeeded();
110 unsigned long long FetchPBytes = Fetcher.PartialPresent();
111diff -uarN apt-0.9.9.4-org/test/integration/framework apt-0.9.9.4/test/integration/framework
112--- apt-0.9.9.4-org/test/integration/framework 2014-08-29 15:37:42.623156154 +0800
113+++ apt-0.9.9.4/test/integration/framework 2014-08-29 15:55:23.592197940 +0800
114@@ -151,7 +151,7 @@
115 mkdir rootdir aptarchive keys
116 cd rootdir
117 mkdir -p etc/apt/apt.conf.d etc/apt/sources.list.d etc/apt/trusted.gpg.d etc/apt/preferences.d
118- mkdir -p var/cache var/lib var/log
119+ mkdir -p var/cache var/lib var/log tmp
120 mkdir -p var/lib/dpkg/info var/lib/dpkg/updates var/lib/dpkg/triggers
121 touch var/lib/dpkg/available
122 mkdir -p usr/lib/apt
123@@ -910,3 +910,35 @@
124 local IGNORE
125 read IGNORE
126 }
127+
128+testsuccess() {
129+ if [ "$1" = '--nomsg' ]; then
130+ shift
131+ else
132+ msgtest 'Test for successful execution of' "$*"
133+ fi
134+ local OUTPUT="${TMPWORKINGDIRECTORY}/rootdir/tmp/testsuccess.output"
135+ if $@ >${OUTPUT} 2>&1; then
136+ msgpass
137+ else
138+ echo >&2
139+ cat >&2 $OUTPUT
140+ msgfail
141+ fi
142+}
143+
144+testfailure() {
145+ if [ "$1" = '--nomsg' ]; then
146+ shift
147+ else
148+ msgtest 'Test for failure in execution of' "$*"
149+ fi
150+ local OUTPUT="${TMPWORKINGDIRECTORY}/rootdir/tmp/testfailure.output"
151+ if $@ >${OUTPUT} 2>&1; then
152+ echo >&2
153+ cat >&2 $OUTPUT
154+ msgfail
155+ else
156+ msgpass
157+ fi
158+}
159diff -uarN apt-0.9.9.4-org/test/integration/test-apt-get-source-authenticated apt-0.9.9.4/test/integration/test-apt-get-source-authenticated
160--- apt-0.9.9.4-org/test/integration/test-apt-get-source-authenticated 1970-01-01 08:00:00.000000000 +0800
161+++ apt-0.9.9.4/test/integration/test-apt-get-source-authenticated 2014-08-29 15:58:06.137156796 +0800
162@@ -0,0 +1,31 @@
163+#!/bin/sh
164+#
165+# Regression test for debian bug #749795. Ensure that we fail with
166+# a error if apt-get source foo will download a source that comes
167+# from a unauthenticated repository
168+#
169+set -e
170+
171+TESTDIR=$(readlink -f $(dirname $0))
172+. $TESTDIR/framework
173+
174+setupenvironment
175+configarchitecture "i386"
176+
177+# a "normal" package with source and binary
178+buildsimplenativepackage 'foo' 'all' '2.0'
179+
180+setupaptarchive --no-update
181+
182+APTARCHIVE=$(readlink -f ./aptarchive)
183+rm -f $APTARCHIVE/dists/unstable/*Release*
184+
185+# update without authenticated InRelease file
186+testsuccess aptget update
187+
188+# this all should fail
189+testfailure aptget install -y foo
190+testfailure aptget source foo
191+
192+# allow overriding the warning
193+testsuccess aptget source --allow-unauthenticated foo