apt: fix for CVE-2014-0478
APT before 1.0.4 does not properly validate source packages, which allows man-in-the-middle attackers to download and install Trojan horse packages by removing the Release signature. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0478 (From OE-Core rev: 3dd692fcf2b0c11731b3f30abdf2b1878458a898) Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com> Signed-off-by: Chong Lu <Chong.Lu@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
parent
202ae5af74
commit
6a30031708
|
@ -0,0 +1,193 @@
|
|||
This patch comes from:
|
||||
https://bugs.debian.org/cgi-bin/bugreport.cgi?msg=73;filename=apt_0.9.7.9%2Bdeb7u2.debdiff;att=1;bug=749795
|
||||
|
||||
Upstream-Status: Backport
|
||||
|
||||
Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com>
|
||||
Signed-off-by: Chong Lu <Chong.Lu@windriver.com>
|
||||
|
||||
diff -uarN apt-0.9.9.4-org/cmdline/apt-get.cc apt-0.9.9.4/cmdline/apt-get.cc
|
||||
--- apt-0.9.9.4-org/cmdline/apt-get.cc 2014-08-29 15:37:42.587156134 +0800
|
||||
+++ apt-0.9.9.4/cmdline/apt-get.cc 2014-08-29 15:51:16.672334086 +0800
|
||||
@@ -1046,25 +1046,8 @@
|
||||
return true;
|
||||
}
|
||||
/*}}}*/
|
||||
-// CheckAuth - check if each download comes form a trusted source /*{{{*/
|
||||
-// ---------------------------------------------------------------------
|
||||
-/* */
|
||||
-static bool CheckAuth(pkgAcquire& Fetcher)
|
||||
+static bool AuthPrompt(std::string UntrustedList, bool const PromptUser)
|
||||
{
|
||||
- string UntrustedList;
|
||||
- for (pkgAcquire::ItemIterator I = Fetcher.ItemsBegin(); I < Fetcher.ItemsEnd(); ++I)
|
||||
- {
|
||||
- if (!(*I)->IsTrusted())
|
||||
- {
|
||||
- UntrustedList += string((*I)->ShortDesc()) + " ";
|
||||
- }
|
||||
- }
|
||||
-
|
||||
- if (UntrustedList == "")
|
||||
- {
|
||||
- return true;
|
||||
- }
|
||||
-
|
||||
ShowList(c2out,_("WARNING: The following packages cannot be authenticated!"),UntrustedList,"");
|
||||
|
||||
if (_config->FindB("APT::Get::AllowUnauthenticated",false) == true)
|
||||
@@ -1073,6 +1056,9 @@
|
||||
return true;
|
||||
}
|
||||
|
||||
+ if (PromptUser == false)
|
||||
+ return _error->Error(_("Some packages could not be authenticated"));
|
||||
+
|
||||
if (_config->FindI("quiet",0) < 2
|
||||
&& _config->FindB("APT::Get::Assume-Yes",false) == false)
|
||||
{
|
||||
@@ -1090,6 +1076,28 @@
|
||||
return _error->Error(_("There are problems and -y was used without --force-yes"));
|
||||
}
|
||||
/*}}}*/
|
||||
+// CheckAuth - check if each download comes form a trusted source /*{{{*/
|
||||
+// ---------------------------------------------------------------------
|
||||
+/* */
|
||||
+static bool CheckAuth(pkgAcquire& Fetcher, bool PromptUser=true)
|
||||
+{
|
||||
+ string UntrustedList;
|
||||
+ for (pkgAcquire::ItemIterator I = Fetcher.ItemsBegin(); I < Fetcher.ItemsEnd(); ++I)
|
||||
+ {
|
||||
+ if (!(*I)->IsTrusted())
|
||||
+ {
|
||||
+ UntrustedList += string((*I)->ShortDesc()) + " ";
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ if (UntrustedList == "")
|
||||
+ {
|
||||
+ return true;
|
||||
+ }
|
||||
+
|
||||
+ return AuthPrompt(UntrustedList, PromptUser);
|
||||
+}
|
||||
+
|
||||
// InstallPackages - Actually download and install the packages /*{{{*/
|
||||
// ---------------------------------------------------------------------
|
||||
/* This displays the informative messages describing what is going to
|
||||
@@ -2482,6 +2490,7 @@
|
||||
|
||||
// Load the requestd sources into the fetcher
|
||||
unsigned J = 0;
|
||||
+ std::string UntrustedList;
|
||||
for (const char **I = CmdL.FileList + 1; *I != 0; I++, J++)
|
||||
{
|
||||
string Src;
|
||||
@@ -2491,7 +2500,10 @@
|
||||
delete[] Dsc;
|
||||
return _error->Error(_("Unable to find a source package for %s"),Src.c_str());
|
||||
}
|
||||
-
|
||||
+
|
||||
+ if (Last->Index().IsTrusted() == false)
|
||||
+ UntrustedList += Src + " ";
|
||||
+
|
||||
string srec = Last->AsStr();
|
||||
string::size_type pos = srec.find("\nVcs-");
|
||||
while (pos != string::npos)
|
||||
@@ -2575,7 +2587,11 @@
|
||||
Last->Index().SourceInfo(*Last,*I),Src);
|
||||
}
|
||||
}
|
||||
-
|
||||
+
|
||||
+ // check authentication status of the source as well
|
||||
+ if (UntrustedList != "" && !AuthPrompt(UntrustedList, false))
|
||||
+ return false;
|
||||
+
|
||||
// Display statistics
|
||||
unsigned long long FetchBytes = Fetcher.FetchNeeded();
|
||||
unsigned long long FetchPBytes = Fetcher.PartialPresent();
|
||||
diff -uarN apt-0.9.9.4-org/test/integration/framework apt-0.9.9.4/test/integration/framework
|
||||
--- apt-0.9.9.4-org/test/integration/framework 2014-08-29 15:37:42.623156154 +0800
|
||||
+++ apt-0.9.9.4/test/integration/framework 2014-08-29 15:55:23.592197940 +0800
|
||||
@@ -151,7 +151,7 @@
|
||||
mkdir rootdir aptarchive keys
|
||||
cd rootdir
|
||||
mkdir -p etc/apt/apt.conf.d etc/apt/sources.list.d etc/apt/trusted.gpg.d etc/apt/preferences.d
|
||||
- mkdir -p var/cache var/lib var/log
|
||||
+ mkdir -p var/cache var/lib var/log tmp
|
||||
mkdir -p var/lib/dpkg/info var/lib/dpkg/updates var/lib/dpkg/triggers
|
||||
touch var/lib/dpkg/available
|
||||
mkdir -p usr/lib/apt
|
||||
@@ -910,3 +910,35 @@
|
||||
local IGNORE
|
||||
read IGNORE
|
||||
}
|
||||
+
|
||||
+testsuccess() {
|
||||
+ if [ "$1" = '--nomsg' ]; then
|
||||
+ shift
|
||||
+ else
|
||||
+ msgtest 'Test for successful execution of' "$*"
|
||||
+ fi
|
||||
+ local OUTPUT="${TMPWORKINGDIRECTORY}/rootdir/tmp/testsuccess.output"
|
||||
+ if $@ >${OUTPUT} 2>&1; then
|
||||
+ msgpass
|
||||
+ else
|
||||
+ echo >&2
|
||||
+ cat >&2 $OUTPUT
|
||||
+ msgfail
|
||||
+ fi
|
||||
+}
|
||||
+
|
||||
+testfailure() {
|
||||
+ if [ "$1" = '--nomsg' ]; then
|
||||
+ shift
|
||||
+ else
|
||||
+ msgtest 'Test for failure in execution of' "$*"
|
||||
+ fi
|
||||
+ local OUTPUT="${TMPWORKINGDIRECTORY}/rootdir/tmp/testfailure.output"
|
||||
+ if $@ >${OUTPUT} 2>&1; then
|
||||
+ echo >&2
|
||||
+ cat >&2 $OUTPUT
|
||||
+ msgfail
|
||||
+ else
|
||||
+ msgpass
|
||||
+ fi
|
||||
+}
|
||||
diff -uarN apt-0.9.9.4-org/test/integration/test-apt-get-source-authenticated apt-0.9.9.4/test/integration/test-apt-get-source-authenticated
|
||||
--- apt-0.9.9.4-org/test/integration/test-apt-get-source-authenticated 1970-01-01 08:00:00.000000000 +0800
|
||||
+++ apt-0.9.9.4/test/integration/test-apt-get-source-authenticated 2014-08-29 15:58:06.137156796 +0800
|
||||
@@ -0,0 +1,31 @@
|
||||
+#!/bin/sh
|
||||
+#
|
||||
+# Regression test for debian bug #749795. Ensure that we fail with
|
||||
+# a error if apt-get source foo will download a source that comes
|
||||
+# from a unauthenticated repository
|
||||
+#
|
||||
+set -e
|
||||
+
|
||||
+TESTDIR=$(readlink -f $(dirname $0))
|
||||
+. $TESTDIR/framework
|
||||
+
|
||||
+setupenvironment
|
||||
+configarchitecture "i386"
|
||||
+
|
||||
+# a "normal" package with source and binary
|
||||
+buildsimplenativepackage 'foo' 'all' '2.0'
|
||||
+
|
||||
+setupaptarchive --no-update
|
||||
+
|
||||
+APTARCHIVE=$(readlink -f ./aptarchive)
|
||||
+rm -f $APTARCHIVE/dists/unstable/*Release*
|
||||
+
|
||||
+# update without authenticated InRelease file
|
||||
+testsuccess aptget update
|
||||
+
|
||||
+# this all should fail
|
||||
+testfailure aptget install -y foo
|
||||
+testfailure aptget source foo
|
||||
+
|
||||
+# allow overriding the warning
|
||||
+testsuccess aptget source --allow-unauthenticated foo
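Review bot: In the `@@ -2575,7 +2587,11 @@` hunk of apt-get.cc, the new `return false;` after `AuthPrompt(UntrustedList, false)` leaves DoSource without freeing `Dsc`, whereas the existing error path in the `@@ -2491,7 +2500,10 @@` hunk does `delete[] Dsc;` before returning; DoSource begins and ends outside the hunk and the allocation of Dsc is not visible, but if it is the same heap array the new exit should read `{ delete[] Dsc; return false; }` to match the sibling path. The leak is harmless at process exit, but the asymmetry with the other error returns invites a later refactor to miss it. In the framework hunk, `testsuccess` and `testfailure` run the command as `if $@ >${OUTPUT} 2>&1`, which word-splits arguments containing whitespace; `"$@"` (and `cat >&2 "$OUTPUT"`) is the conventional form. The patch header carries `Upstream-Status: Backport` but no `CVE: CVE-2014-0478` line, which is the tag OE patch conventions use to track security fixes; adding it documents the fix without changing the patch body.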
|
|
@ -11,6 +11,7 @@ SRC_URI = "${DEBIAN_MIRROR}/main/a/apt/apt_${PV}.tar.gz \
|
|||
file://truncate-filename.patch \
|
||||
file://nodoc.patch \
|
||||
file://disable-configure-in-makefile.patch \
|
||||
file://apt-0.9.9.4-CVE-2014-0478.patch \
|
||||
"
|
||||
|
||||
inherit autotools gettext
|
||||
|
|