Diffstat (limited to 'meta/recipes-devtools/apt/apt-0.9.9.4/apt-0.9.9.4-CVE-2014-0478.patch')
-rw-r--r-- | meta/recipes-devtools/apt/apt-0.9.9.4/apt-0.9.9.4-CVE-2014-0478.patch | 193 |
1 files changed, 0 insertions, 193 deletions
diff --git a/meta/recipes-devtools/apt/apt-0.9.9.4/apt-0.9.9.4-CVE-2014-0478.patch b/meta/recipes-devtools/apt/apt-0.9.9.4/apt-0.9.9.4-CVE-2014-0478.patch
deleted file mode 100644
index 79a6897572..0000000000
--- a/meta/recipes-devtools/apt/apt-0.9.9.4/apt-0.9.9.4-CVE-2014-0478.patch
+++ /dev/null
@@ -1,193 +0,0 @@
-This patch comes from:
-https://bugs.debian.org/cgi-bin/bugreport.cgi?msg=73;filename=apt_0.9.7.9%2Bdeb7u2.debdiff;att=1;bug=749795
-
-Upstream-Status: Backport
-
-Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com>
-Signed-off-by: Chong Lu <Chong.Lu@windriver.com>
-
-diff -uarN apt-0.9.9.4-org/cmdline/apt-get.cc apt-0.9.9.4/cmdline/apt-get.cc
---- apt-0.9.9.4-org/cmdline/apt-get.cc 2014-08-29 15:37:42.587156134 +0800
-+++ apt-0.9.9.4/cmdline/apt-get.cc 2014-08-29 15:51:16.672334086 +0800
-@@ -1046,25 +1046,8 @@
- return true;
- }
- /*}}}*/
--// CheckAuth - check if each download comes form a trusted source /*{{{*/
--// ---------------------------------------------------------------------
--/* */
--static bool CheckAuth(pkgAcquire& Fetcher)
-+static bool AuthPrompt(std::string UntrustedList, bool const PromptUser)
- {
-- string UntrustedList;
-- for (pkgAcquire::ItemIterator I = Fetcher.ItemsBegin(); I < Fetcher.ItemsEnd(); ++I)
-- {
-- if (!(*I)->IsTrusted())
-- {
-- UntrustedList += string((*I)->ShortDesc()) + " ";
-- }
-- }
--
-- if (UntrustedList == "")
-- {
-- return true;
-- }
--
- ShowList(c2out,_("WARNING: The following packages cannot be authenticated!"),UntrustedList,"");
-
- if (_config->FindB("APT::Get::AllowUnauthenticated",false) == true)
-@@ -1073,6 +1056,9 @@
- return true;
- }
-
-+ if (PromptUser == false)
-+ return _error->Error(_("Some packages could not be authenticated"));
-+
- if (_config->FindI("quiet",0) < 2
- && _config->FindB("APT::Get::Assume-Yes",false) == false)
- {
-@@ -1090,6 +1076,28 @@
- return _error->Error(_("There are problems and -y was used without --force-yes"));
- }
- /*}}}*/
-+// CheckAuth - check if each download comes form a trusted source /*{{{*/
-+// ---------------------------------------------------------------------
-+/* */
-+static bool CheckAuth(pkgAcquire& Fetcher, bool PromptUser=true)
-+{
-+ string UntrustedList;
-+ for (pkgAcquire::ItemIterator I = Fetcher.ItemsBegin(); I < Fetcher.ItemsEnd(); ++I)
-+ {
-+ if (!(*I)->IsTrusted())
-+ {
-+ UntrustedList += string((*I)->ShortDesc()) + " ";
-+ }
-+ }
-+
-+ if (UntrustedList == "")
-+ {
-+ return true;
-+ }
-+
-+ return AuthPrompt(UntrustedList, PromptUser);
-+}
-+
- // InstallPackages - Actually download and install the packages /*{{{*/
- // ---------------------------------------------------------------------
- /* This displays the informative messages describing what is going to
-@@ -2482,6 +2490,7 @@
-
- // Load the requestd sources into the fetcher
- unsigned J = 0;
-+ std::string UntrustedList;
- for (const char **I = CmdL.FileList + 1; *I != 0; I++, J++)
- {
- string Src;
-@@ -2491,7 +2500,10 @@
- delete[] Dsc;
- return _error->Error(_("Unable to find a source package for %s"),Src.c_str());
- }
--
-+
-+ if (Last->Index().IsTrusted() == false)
-+ UntrustedList += Src + " ";
-+
- string srec = Last->AsStr();
- string::size_type pos = srec.find("\nVcs-");
- while (pos != string::npos)
-@@ -2575,7 +2587,11 @@
- Last->Index().SourceInfo(*Last,*I),Src);
- }
- }
--
-+
-+ // check authentication status of the source as well
-+ if (UntrustedList != "" && !AuthPrompt(UntrustedList, false))
-+ return false;
-+
- // Display statistics
- unsigned long long FetchBytes = Fetcher.FetchNeeded();
- unsigned long long FetchPBytes = Fetcher.PartialPresent();
-diff -uarN apt-0.9.9.4-org/test/integration/framework apt-0.9.9.4/test/integration/framework
---- apt-0.9.9.4-org/test/integration/framework 2014-08-29 15:37:42.623156154 +0800
-+++ apt-0.9.9.4/test/integration/framework 2014-08-29 15:55:23.592197940 +0800
-@@ -151,7 +151,7 @@
- mkdir rootdir aptarchive keys
- cd rootdir
- mkdir -p etc/apt/apt.conf.d etc/apt/sources.list.d etc/apt/trusted.gpg.d etc/apt/preferences.d
-- mkdir -p var/cache var/lib var/log
-+ mkdir -p var/cache var/lib var/log tmp
- mkdir -p var/lib/dpkg/info var/lib/dpkg/updates var/lib/dpkg/triggers
- touch var/lib/dpkg/available
- mkdir -p usr/lib/apt
-@@ -910,3 +910,35 @@
- local IGNORE
- read IGNORE
- }
-+
-+testsuccess() {
-+ if [ "$1" = '--nomsg' ]; then
-+ shift
-+ else
-+ msgtest 'Test for successful execution of' "$*"
-+ fi
-+ local OUTPUT="${TMPWORKINGDIRECTORY}/rootdir/tmp/testsuccess.output"
-+ if $@ >${OUTPUT} 2>&1; then
-+ msgpass
-+ else
-+ echo >&2
-+ cat >&2 $OUTPUT
-+ msgfail
-+ fi
-+}
-+
-+testfailure() {
-+ if [ "$1" = '--nomsg' ]; then
-+ shift
-+ else
-+ msgtest 'Test for failure in execution of' "$*"
-+ fi
-+ local OUTPUT="${TMPWORKINGDIRECTORY}/rootdir/tmp/testfailure.output"
-+ if $@ >${OUTPUT} 2>&1; then
-+ echo >&2
-+ cat >&2 $OUTPUT
-+ msgfail
-+ else
-+ msgpass
-+ fi
-+}
-diff -uarN apt-0.9.9.4-org/test/integration/test-apt-get-source-authenticated apt-0.9.9.4/test/integration/test-apt-get-source-authenticated
---- apt-0.9.9.4-org/test/integration/test-apt-get-source-authenticated 1970-01-01 08:00:00.000000000 +0800
-+++ apt-0.9.9.4/test/integration/test-apt-get-source-authenticated 2014-08-29 15:58:06.137156796 +0800
-@@ -0,0 +1,31 @@
-+#!/bin/sh
-+#
-+# Regression test for debian bug #749795. Ensure that we fail with
-+# a error if apt-get source foo will download a source that comes
-+# from a unauthenticated repository
-+#
-+set -e
-+
-+TESTDIR=$(readlink -f $(dirname $0))
-+. $TESTDIR/framework
-+
-+setupenvironment
-+configarchitecture "i386"
-+
-+# a "normal" package with source and binary
-+buildsimplenativepackage 'foo' 'all' '2.0'
-+
-+setupaptarchive --no-update
-+
-+APTARCHIVE=$(readlink -f ./aptarchive)
-+rm -f $APTARCHIVE/dists/unstable/*Release*
-+
-+# update without authenticated InRelease file
-+testsuccess aptget update
-+
-+# this all should fail
-+testfailure aptget install -y foo
-+testfailure aptget source foo
-+
-+# allow overriding the warning
-+testsuccess aptget source --allow-unauthenticated foo |