| author | Chong Lu <Chong.Lu@windriver.com> | 2014-09-26 09:49:19 +0800 | 
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2014-09-29 17:49:10 +0100 | 
| commit | 3dd692fcf2b0c11731b3f30abdf2b1878458a898 (patch) | |
| tree | 5b0bb9632a200f53d99d96de67d056d50522d5c5 | |
| parent | a414b17e1d783ad68a2d0f7d5922967449c05797 (diff) | |
| download | openembedded-core-3dd692fcf2b0c11731b3f30abdf2b1878458a898.tar.gz openembedded-core-3dd692fcf2b0c11731b3f30abdf2b1878458a898.tar.bz2 openembedded-core-3dd692fcf2b0c11731b3f30abdf2b1878458a898.zip | |
apt: fix for CVE-2014-0478
APT before 1.0.4 does not properly validate source packages, which allows
man-in-the-middle attackers to download and install Trojan horse packages
by removing the Release signature.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0478
Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com>
Signed-off-by: Chong Lu <Chong.Lu@windriver.com>
| -rw-r--r-- | meta/recipes-devtools/apt/apt-0.9.9.4/apt-0.9.9.4-CVE-2014-0478.patch | 193 | ||||
| -rw-r--r-- | meta/recipes-devtools/apt/apt.inc | 1 | 
2 files changed, 194 insertions, 0 deletions
diff --git a/meta/recipes-devtools/apt/apt-0.9.9.4/apt-0.9.9.4-CVE-2014-0478.patch b/meta/recipes-devtools/apt/apt-0.9.9.4/apt-0.9.9.4-CVE-2014-0478.patch
new file mode 100644
index 0000000000..79a6897572
--- /dev/null
+++ b/meta/recipes-devtools/apt/apt-0.9.9.4/apt-0.9.9.4-CVE-2014-0478.patch
@@ -0,0 +1,193 @@
+This patch comes from:
+https://bugs.debian.org/cgi-bin/bugreport.cgi?msg=73;filename=apt_0.9.7.9%2Bdeb7u2.debdiff;att=1;bug=749795
+
+Upstream-Status: Backport
+
+Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com>
+Signed-off-by: Chong Lu <Chong.Lu@windriver.com>
+
+diff -uarN apt-0.9.9.4-org/cmdline/apt-get.cc apt-0.9.9.4/cmdline/apt-get.cc
+--- apt-0.9.9.4-org/cmdline/apt-get.cc	2014-08-29 15:37:42.587156134 +0800
++++ apt-0.9.9.4/cmdline/apt-get.cc	2014-08-29 15:51:16.672334086 +0800
+@@ -1046,25 +1046,8 @@
+    return true;
+ }
+ 									/*}}}*/
+-// CheckAuth - check if each download comes form a trusted source	/*{{{*/
+-// ---------------------------------------------------------------------
+-/* */
+-static bool CheckAuth(pkgAcquire& Fetcher)
++static bool AuthPrompt(std::string UntrustedList, bool const PromptUser)
+ {
+-   string UntrustedList;
+-   for (pkgAcquire::ItemIterator I = Fetcher.ItemsBegin(); I < Fetcher.ItemsEnd(); ++I)
+-   {
+-      if (!(*I)->IsTrusted())
+-      {
+-         UntrustedList += string((*I)->ShortDesc()) + " ";
+-      }
+-   }
+-
+-   if (UntrustedList == "")
+-   {
+-      return true;
+-   }
+-         
+    ShowList(c2out,_("WARNING: The following packages cannot be authenticated!"),UntrustedList,"");
+ 
+    if (_config->FindB("APT::Get::AllowUnauthenticated",false) == true)
+@@ -1073,6 +1056,9 @@
+       return true;
+    }
+ 
++   if (PromptUser == false)
++      return _error->Error(_("Some packages could not be authenticated"));
++
+    if (_config->FindI("quiet",0) < 2
+        && _config->FindB("APT::Get::Assume-Yes",false) == false)
+    {
+@@ -1090,6 +1076,28 @@
+    return _error->Error(_("There are problems and -y was used without --force-yes"));
+ }
+ 									/*}}}*/
++// CheckAuth - check if each download comes form a trusted source	/*{{{*/
++// ---------------------------------------------------------------------
++/* */
++static bool CheckAuth(pkgAcquire& Fetcher, bool PromptUser=true)
++{
++   string UntrustedList;
++   for (pkgAcquire::ItemIterator I = Fetcher.ItemsBegin(); I < Fetcher.ItemsEnd(); ++I)
++   {
++      if (!(*I)->IsTrusted())
++      {
++         UntrustedList += string((*I)->ShortDesc()) + " ";
++      }
++   }
++
++   if (UntrustedList == "")
++   {
++      return true;
++   }
++
++   return AuthPrompt(UntrustedList, PromptUser);
++}
++
+ // InstallPackages - Actually download and install the packages		/*{{{*/
+ // ---------------------------------------------------------------------
+ /* This displays the informative messages describing what is going to 
+@@ -2482,6 +2490,7 @@
+ 
+    // Load the requestd sources into the fetcher
+    unsigned J = 0;
++   std::string UntrustedList;
+    for (const char **I = CmdL.FileList + 1; *I != 0; I++, J++)
+    {
+       string Src;
+@@ -2491,7 +2500,10 @@
+ 	 delete[] Dsc;
+ 	 return _error->Error(_("Unable to find a source package for %s"),Src.c_str());
+       }
+-       
++      
++      if (Last->Index().IsTrusted() == false)
++         UntrustedList += Src + " ";
++ 
+       string srec = Last->AsStr();
+       string::size_type pos = srec.find("\nVcs-");
+       while (pos != string::npos)
+@@ -2575,7 +2587,11 @@
+ 			Last->Index().SourceInfo(*Last,*I),Src);
+       }
+    }
+-    
++
++   // check authentication status of the source as well
++   if (UntrustedList != "" && !AuthPrompt(UntrustedList, false))
++      return false;   
++ 
+    // Display statistics
+    unsigned long long FetchBytes = Fetcher.FetchNeeded();
+    unsigned long long FetchPBytes = Fetcher.PartialPresent();
+diff -uarN apt-0.9.9.4-org/test/integration/framework apt-0.9.9.4/test/integration/framework
+--- apt-0.9.9.4-org/test/integration/framework	2014-08-29 15:37:42.623156154 +0800
++++ apt-0.9.9.4/test/integration/framework	2014-08-29 15:55:23.592197940 +0800
+@@ -151,7 +151,7 @@
+ 	mkdir rootdir aptarchive keys
+ 	cd rootdir
+ 	mkdir -p etc/apt/apt.conf.d etc/apt/sources.list.d etc/apt/trusted.gpg.d etc/apt/preferences.d
+-	mkdir -p var/cache var/lib var/log
++	mkdir -p var/cache var/lib var/log tmp
+ 	mkdir -p var/lib/dpkg/info var/lib/dpkg/updates var/lib/dpkg/triggers
+ 	touch var/lib/dpkg/available
+ 	mkdir -p usr/lib/apt
+@@ -910,3 +910,35 @@
+ 	local IGNORE
+ 	read IGNORE
+ }
++
++testsuccess() {
++	if [ "$1" = '--nomsg' ]; then
++		shift
++	else
++		msgtest 'Test for successful execution of' "$*"
++	fi
++	local OUTPUT="${TMPWORKINGDIRECTORY}/rootdir/tmp/testsuccess.output"
++	if $@ >${OUTPUT} 2>&1; then
++		msgpass
++	else
++		echo >&2
++		cat >&2 $OUTPUT
++		msgfail
++	fi
++}
++
++testfailure() {
++	if [ "$1" = '--nomsg' ]; then
++		shift
++	else
++		msgtest 'Test for failure in execution of' "$*"
++	fi
++	local OUTPUT="${TMPWORKINGDIRECTORY}/rootdir/tmp/testfailure.output"
++	if $@ >${OUTPUT} 2>&1; then
++		echo >&2
++		cat >&2 $OUTPUT
++		msgfail
++	else
++		msgpass
++	fi
++}
+diff -uarN apt-0.9.9.4-org/test/integration/test-apt-get-source-authenticated apt-0.9.9.4/test/integration/test-apt-get-source-authenticated
+--- apt-0.9.9.4-org/test/integration/test-apt-get-source-authenticated	1970-01-01 08:00:00.000000000 +0800
++++ apt-0.9.9.4/test/integration/test-apt-get-source-authenticated	2014-08-29 15:58:06.137156796 +0800
+@@ -0,0 +1,31 @@
++#!/bin/sh
++#
++# Regression test for debian bug #749795. Ensure that we fail with
++# a error if apt-get source foo will download a source that comes
++# from a unauthenticated repository
++#
++set -e
++
++TESTDIR=$(readlink -f $(dirname $0))
++. $TESTDIR/framework
++
++setupenvironment
++configarchitecture "i386"
++
++# a "normal" package with source and binary
++buildsimplenativepackage 'foo' 'all' '2.0'
++
++setupaptarchive --no-update
++
++APTARCHIVE=$(readlink -f ./aptarchive)
++rm -f $APTARCHIVE/dists/unstable/*Release*
++
++# update without authenticated InRelease file
++testsuccess aptget update
++
++# this all should fail
++testfailure aptget install -y foo
++testfailure aptget source foo
++
++# allow overriding the warning
++testsuccess aptget source --allow-unauthenticated foo
diff --git a/meta/recipes-devtools/apt/apt.inc b/meta/recipes-devtools/apt/apt.inc
index b528c00fd8..378021a327 100644
--- a/meta/recipes-devtools/apt/apt.inc
+++ b/meta/recipes-devtools/apt/apt.inc
@@ -11,6 +11,7 @@ SRC_URI = "${DEBIAN_MIRROR}/main/a/apt/apt_${PV}.tar.gz \
            file://truncate-filename.patch \
            file://nodoc.patch \
            file://disable-configure-in-makefile.patch \
+           file://apt-0.9.9.4-CVE-2014-0478.patch \
            "
 
 inherit autotools gettext
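Review bot: The new early return in the source-download path (`if (UntrustedList != "" && !AuthPrompt(UntrustedList, false)) return false;`) leaves the `Dsc` array allocated, whereas the existing error path visible in the `@@ -2491,7 +2500,10 @@` hunk does `delete[] Dsc;` before returning; adding `delete[] Dsc;` ahead of the new `return false;` keeps the error paths consistent (the enclosing function starts and ends outside this hunk, so that `Dsc` is still live at this point is inferred from that context line). `AuthPrompt` takes `std::string UntrustedList` by value although it only reads it; `const std::string &UntrustedList` avoids the copy and matches the adjacent `bool const PromptUser`. In the backported shell helpers `testsuccess` and `testfailure`, `if $@ >${OUTPUT} 2>&1; then` expands the command arguments unquoted, so arguments containing whitespace or glob characters are re-split before execution; `if "$@" >"${OUTPUT}" 2>&1; then` and `cat >&2 "$OUTPUT"` are the safe forms. The check itself — refusing `apt-get source` when the Sources index is untrusted unless `APT::Get::AllowUnauthenticated` is set, with `ShowList` still naming the affected packages — reads correctly and is exercised by the new `test-apt-get-source-authenticated` regression test.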
