"Fossies" - the Fresh Open Source Software Archive

Member "apt-1.9.4/test/integration/test-cve-2019-3462-Release.gpg-payload" (19 Sep 2019, 1030 Bytes) of package /linux/misc/apt-1.9.4.tar.gz:



    #!/bin/sh
    # Integration test shipped as test-cve-2019-3462-Release.gpg-payload:
    # a detached signature file (Release.gpg) that carries anything besides
    # the signature itself has to be refused by apt.
    set -e

    # Extra content around a detached signature is not what the CVE covers
    # and does no damage on its own. The exploit relied on it, though, and
    # since nothing legitimate needs it there is no reason to accept it.

    # Locate the directory of this script and load the shared test helpers.
    TESTDIR=$(readlink -f "$(dirname "$0")")
    . "${TESTDIR}/framework"

    setupenvironment
    configarchitecture "amd64"

    # NOTE(review): presumably tells the framework not to produce a signed
    # InRelease, so the archive is served as Release + Release.gpg and the
    # detached-signature path is the one under test; confirm in framework.
    APT_DONT_SIGN="InRelease"
    export APT_DONT_SIGN

    insertpackage "unstable" "foo" "all" "1"
    setupaptarchive

    # Delete the lists directory before the scenarios run.
    rm -rf rootdir/var/lib/apt/lists
   # Shared assertions for every scenario below: the update has to be
   # rejected, the rejection has to name the detached signature file, and
   # the package must not be visible afterwards.
   # The grep reads rootdir/tmp/testfailure.output, which is expected to
   # hold the output of the preceding testfailure call, so the order of
   # the three checks matters.
   verify()
   {
       testfailure apt update
       testsuccess grep '^  Detached signature file' \
           rootdir/tmp/testfailure.output
       testfailure apt show foo
   }
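   # Scenario 1: unsigned bytes appended behind the detached signature.
   # A pristine copy of each Release.gpg is kept as Release.gpg.bak; the
   # later scenarios rebuild their input from that copy.
   msgmsg 'Payload after detached signature'
   # IFS= and -r make read hand over each path exactly as find printed it
   # (no backslash processing, no trimming of leading/trailing blanks).
   find aptarchive -name 'Release.gpg' | while IFS= read -r FILE; do
       cp -a "$FILE" "${FILE}.bak"
       echo "evil payload" >> "$FILE"
   done
   verify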
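   # Scenario 2: payload enclosed by two signatures. Release.gpg still ends
   # with the payload written by the previous scenario; appending the
   # pristine .bak copy yields signature, payload, signature.
   msgmsg 'Payload in-between detached signatures'
   # IFS= and -r make read hand over each path exactly as find printed it.
   find aptarchive -name 'Release.gpg' | while IFS= read -r FILE; do
       cat "${FILE}.bak" >> "$FILE"
   done
   verify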
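   # Scenario 3: payload placed in front of the signature. Release.gpg is
   # overwritten with the payload first, then the pristine .bak copy of
   # the signature is appended.
   msgmsg 'Payload before detached signature'
   # IFS= and -r make read hand over each path exactly as find printed it.
   find aptarchive -name 'Release.gpg' | while IFS= read -r FILE; do
       echo "evil payload" > "$FILE"
       cat "${FILE}.bak" >> "$FILE"
   done
   verify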