From 6a300317086e1422953abdd5825680b216c2c211 Mon Sep 17 00:00:00 2001
From: Chong Lu
Date: Fri, 26 Sep 2014 09:49:19 +0800
Subject: apt: fix for CVE-2014-0478

APT before 1.0.4 does not properly validate source packages, which allows man-in-the-middle attackers to download and install Trojan horse packages by removing the Release signature.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0478

(From OE-Core rev: 3dd692fcf2b0c11731b3f30abdf2b1878458a898)

Signed-off-by: Wenlin Kang
Signed-off-by: Chong Lu
Signed-off-by: Richard Purdie
---
 .../apt-0.9.9.4/apt-0.9.9.4-CVE-2014-0478.patch | 193 +++++++++++++++++++++
 meta/recipes-devtools/apt/apt.inc | 1 +
 2 files changed, 194 insertions(+)
 create mode 100644 meta/recipes-devtools/apt/apt-0.9.9.4/apt-0.9.9.4-CVE-2014-0478.patch

(limited to 'meta/recipes-devtools/apt')

diff --git a/meta/recipes-devtools/apt/apt-0.9.9.4/apt-0.9.9.4-CVE-2014-0478.patch b/meta/recipes-devtools/apt/apt-0.9.9.4/apt-0.9.9.4-CVE-2014-0478.patch
new file mode 100644
index 0000000..79a6897
--- /dev/null
+++ b/meta/recipes-devtools/apt/apt-0.9.9.4/apt-0.9.9.4-CVE-2014-0478.patch
@@ -0,0 +1,193 @@ +This patch comes from: +https://bugs.debian.org/cgi-bin/bugreport.cgi?msg=73;filename=apt_0.9.7.9%2Bdeb7u2.debdiff;att=1;bug=749795 + +Upstream-Status: Backport + +Signed-off-by: Wenlin Kang +Signed-off-by: Chong Lu + +diff -uarN apt-0.9.9.4-org/cmdline/apt-get.cc apt-0.9.9.4/cmdline/apt-get.cc +--- apt-0.9.9.4-org/cmdline/apt-get.cc 2014-08-29 15:37:42.587156134 +0800 ++++ apt-0.9.9.4/cmdline/apt-get.cc 2014-08-29 15:51:16.672334086 +0800 +@@ -1046,25 +1046,8 @@ + return true; + } + /*}}}*/ +-// CheckAuth - check if each download comes form a trusted source /*{{{*/ +-// --------------------------------------------------------------------- +-/* */ +-static bool CheckAuth(pkgAcquire& Fetcher) ++static bool AuthPrompt(std::string UntrustedList, bool const PromptUser) + { +- string UntrustedList; +- for (pkgAcquire::ItemIterator I = Fetcher.ItemsBegin(); I < Fetcher.ItemsEnd(); ++I) +- { +- if (!(*I)->IsTrusted()) +- { +- UntrustedList += string((*I)->ShortDesc()) + " "; +- } +- } +- +- if (UntrustedList == "") +- { +- return true; +- } +- + ShowList(c2out,_("WARNING: The following packages cannot be authenticated!"),UntrustedList,""); + + if (_config->FindB("APT::Get::AllowUnauthenticated",false) == true) +@@ -1073,6 +1056,9 @@ + return true; + } + ++ if (PromptUser == false) ++ return _error->Error(_("Some packages could not be authenticated")); ++ + if (_config->FindI("quiet",0) < 2 + && _config->FindB("APT::Get::Assume-Yes",false) == false) + { +@@ -1090,6 +1076,28 @@ + return _error->Error(_("There are problems and -y was used without --force-yes")); + } + /*}}}*/ ++// CheckAuth - check if each download comes form a trusted source /*{{{*/ ++// --------------------------------------------------------------------- ++/* */ ++static bool CheckAuth(pkgAcquire& Fetcher, bool PromptUser=true) ++{ ++ string UntrustedList; ++ for (pkgAcquire::ItemIterator I = Fetcher.ItemsBegin(); I < Fetcher.ItemsEnd(); ++I) ++ { ++ if (!(*I)->IsTrusted()) ++ { ++ 
UntrustedList += string((*I)->ShortDesc()) + " "; ++ } ++ } ++ ++ if (UntrustedList == "") ++ { ++ return true; ++ } ++ ++ return AuthPrompt(UntrustedList, PromptUser); ++} ++ + // InstallPackages - Actually download and install the packages /*{{{*/ + // --------------------------------------------------------------------- + /* This displays the informative messages describing what is going to +@@ -2482,6 +2490,7 @@ + + // Load the requestd sources into the fetcher + unsigned J = 0; ++ std::string UntrustedList; + for (const char **I = CmdL.FileList + 1; *I != 0; I++, J++) + { + string Src; +@@ -2491,7 +2500,10 @@ + delete[] Dsc; + return _error->Error(_("Unable to find a source package for %s"),Src.c_str()); + } +- ++ ++ if (Last->Index().IsTrusted() == false) ++ UntrustedList += Src + " "; ++ + string srec = Last->AsStr(); + string::size_type pos = srec.find("\nVcs-"); + while (pos != string::npos) +@@ -2575,7 +2587,11 @@ + Last->Index().SourceInfo(*Last,*I),Src); + } + } +- ++ ++ // check authentication status of the source as well ++ if (UntrustedList != "" && !AuthPrompt(UntrustedList, false)) ++ return false; ++ + // Display statistics + unsigned long long FetchBytes = Fetcher.FetchNeeded(); + unsigned long long FetchPBytes = Fetcher.PartialPresent(); +diff -uarN apt-0.9.9.4-org/test/integration/framework apt-0.9.9.4/test/integration/framework +--- apt-0.9.9.4-org/test/integration/framework 2014-08-29 15:37:42.623156154 +0800 ++++ apt-0.9.9.4/test/integration/framework 2014-08-29 15:55:23.592197940 +0800 +@@ -151,7 +151,7 @@ + mkdir rootdir aptarchive keys + cd rootdir + mkdir -p etc/apt/apt.conf.d etc/apt/sources.list.d etc/apt/trusted.gpg.d etc/apt/preferences.d +- mkdir -p var/cache var/lib var/log ++ mkdir -p var/cache var/lib var/log tmp + mkdir -p var/lib/dpkg/info var/lib/dpkg/updates var/lib/dpkg/triggers + touch var/lib/dpkg/available + mkdir -p usr/lib/apt +@@ -910,3 +910,35 @@ + local IGNORE + read IGNORE + } ++ ++testsuccess() { ++ if [ "$1" = 
'--nomsg' ]; then ++ shift ++ else ++ msgtest 'Test for successful execution of' "$*" ++ fi ++ local OUTPUT="${TMPWORKINGDIRECTORY}/rootdir/tmp/testsuccess.output" ++ if $@ >${OUTPUT} 2>&1; then ++ msgpass ++ else ++ echo >&2 ++ cat >&2 $OUTPUT ++ msgfail ++ fi ++} ++ ++testfailure() { ++ if [ "$1" = '--nomsg' ]; then ++ shift ++ else ++ msgtest 'Test for failure in execution of' "$*" ++ fi ++ local OUTPUT="${TMPWORKINGDIRECTORY}/rootdir/tmp/testfailure.output" ++ if $@ >${OUTPUT} 2>&1; then ++ echo >&2 ++ cat >&2 $OUTPUT ++ msgfail ++ else ++ msgpass ++ fi ++} +diff -uarN apt-0.9.9.4-org/test/integration/test-apt-get-source-authenticated apt-0.9.9.4/test/integration/test-apt-get-source-authenticated +--- apt-0.9.9.4-org/test/integration/test-apt-get-source-authenticated 1970-01-01 08:00:00.000000000 +0800 ++++ apt-0.9.9.4/test/integration/test-apt-get-source-authenticated 2014-08-29 15:58:06.137156796 +0800 +@@ -0,0 +1,31 @@ ++#!/bin/sh ++# ++# Regression test for debian bug #749795. Ensure that we fail with ++# a error if apt-get source foo will download a source that comes ++# from a unauthenticated repository ++# ++set -e ++ ++TESTDIR=$(readlink -f $(dirname $0)) ++. $TESTDIR/framework ++ ++setupenvironment ++configarchitecture "i386" ++ ++# a "normal" package with source and binary ++buildsimplenativepackage 'foo' 'all' '2.0' ++ ++setupaptarchive --no-update ++ ++APTARCHIVE=$(readlink -f ./aptarchive) ++rm -f $APTARCHIVE/dists/unstable/*Release* ++ ++# update without authenticated InRelease file ++testsuccess aptget update ++ ++# this all should fail ++testfailure aptget install -y foo ++testfailure aptget source foo ++ ++# allow overriding the warning ++testsuccess aptget source --allow-unauthenticated foo diff --git a/meta/recipes-devtools/apt/apt.inc b/meta/recipes-devtools/apt/apt.inc index b528c00..378021a 100644 --- a/meta/recipes-devtools/apt/apt.inc +++ b/meta/recipes-devtools/apt/apt.inc 
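Review bot: The early return added at the end of the DoSource hunk (`@@ -2575,7 +2587,11 @@`), `if (UntrustedList != "" && !AuthPrompt(UntrustedList, false)) return false;`, leaves the function without releasing `Dsc`, whereas the existing error path visible in the earlier hunk (`@@ -2491,7 +2500,10 @@`) does `delete[] Dsc;` before returning; unless Dsc has already been freed somewhere between the two hunks (most of DoSource's body lies outside the patch), this new path leaks the array, and `{ delete[] Dsc; return false; }` would keep it consistent with the surrounding error handling. Returning `false` is otherwise correct here, since `AuthPrompt` returns the result of `_error->Error(...)` so the failure message is already recorded. The authentication logic itself looks right: untrusted sources are collected from `Last->Index().IsTrusted()` and, with `PromptUser == false`, the run fails unless `APT::Get::AllowUnauthenticated` is set, which the new integration test exercises for both `install` and `source`. A minor point in the same file: the new `testsuccess`/`testfailure` helpers run `if $@ >${OUTPUT} 2>&1`, and the unquoted `$@` re-splits arguments containing whitespace, so `"$@"` would be the safer form.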
@@ -11,6 +11,7 @@ SRC_URI = "${DEBIAN_MIRROR}/main/a/apt/apt_${PV}.tar.gz \
 file://truncate-filename.patch \
 file://nodoc.patch \
 file://disable-configure-in-makefile.patch \
+ file://apt-0.9.9.4-CVE-2014-0478.patch \
 "
 
 inherit autotools gettext
-- 
cgit v1.1