diff -Nru apt-1.6.3/apt-pkg/acquire-item.cc apt-1.6.3ubuntu0.1/apt-pkg/acquire-item.cc
--- apt-1.6.3/apt-pkg/acquire-item.cc 2018-07-09 16:41:27.000000000 +0200
+++ apt-1.6.3ubuntu0.1/apt-pkg/acquire-item.cc 2018-08-20 09:48:01.000000000 +0200
@@ -276,6 +276,26 @@
 }
 /*}}}*/
+class pkgAcquire::Item::Private /*{{{*/
+{
+public:
+ struct AlternateURI
+ {
+ std::string URI;
+ std::unordered_map changefields;
+ AlternateURI(std::string &&u, decltype(changefields) &&cf) : URI(u), changefields(cf) {}
+ };
+ std::list AlternativeURIs;
+ std::vector PastRedirections;
+ std::unordered_map CustomFields;
+ unsigned int Retries;
+
+ Private() : Retries(_config->FindI("Acquire::Retries", 0))
+ {
+ }
+};
+ /*}}}*/
+
 // all ::HashesRequired and ::GetExpectedHashes implementations /*{{{*/
 /* ::GetExpectedHashes is abstract and has to be implemented by all subclasses. It is best to implement it as broadly as possible, while ::HashesRequired defaults
@@ -682,24 +702,6 @@
 /*}}}*/
 // Acquire::Item::Item - Constructor /*{{{*/
-class pkgAcquire::Item::Private
-{
-public:
- struct AlternateURI
- {
- std::string const URI;
- std::unordered_map changefields;
- AlternateURI(std::string &&u, decltype(changefields) &&cf) : URI(u), changefields(cf) {}
- };
- std::list AlternativeURIs;
- std::vector PastRedirections;
- std::unordered_map CustomFields;
- unsigned int Retries;
-
- Private() : Retries(_config->FindI("Acquire::Retries", 0))
- {
- }
-};
 APT_IGNORE_DEPRECATED_PUSH
 pkgAcquire::Item::Item(pkgAcquire * const owner) :
 FileSize(0), PartialSize(0), Mode(0), ID(0), Complete(false), Local(false),
@@ -960,7 +962,7 @@
 }
 Status = StatDone;
 ErrorText.clear();
- Owner->Dequeue(this);
+ Dequeue();
 }
 /*}}}*/
 // Acquire::Item::Rename - Rename a file /*{{{*/
@@ -985,6 +987,7 @@
 /*}}}*/
 void pkgAcquire::Item::Dequeue() /*{{{*/
 {
+ d->AlternativeURIs.clear();
 Owner->Dequeue(this);
 }
 /*}}}*/
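Review bot: The relocated `AlternateURI` constructor takes `u` and `cf` as rvalue references but initialises with `URI(u), changefields(cf)`, which copies both arguments because a named rvalue reference is an lvalue; `URI(std::move(u)), changefields(std::move(cf))` is what the signature promises. The moved class also drops `const` from `URI` compared with the copy removed in the -682 hunk, and no hunk shown here assigns to it, so a one-line comment saying why the member has to be mutable would help the next reader. A short class comment stating that `AlternativeURIs` holds the fallback mirrors for the current step, and is expected to be empty once the item is dequeued, would tie this data to the security fix later in the file.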
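Review bot: The `d->AlternativeURIs.clear();` added to `pkgAcquire::Item::Dequeue()` has no comment, and the protection it gives only holds for callers that go through this wrapper; a direct `Owner->Dequeue(item)` skips the clear. This diff converts two such call sites (the hunks at -960 and -1187), and whether others remain in the tree cannot be seen from here. I would add above the new line `// drop mirror fallbacks: a later step must not be satisfied by an alternative whose result was never verified` and note in the function header that items are expected to be dequeued through this method rather than through the owner directly.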
@@ -1187,7 +1190,7 @@
 {
 (*I)->ExpectedAdditionalItems = 0;
 if ((*I)->Status != pkgAcquire::Item::StatFetching)
- Owner->Dequeue(*I);
+ (*I)->Dequeue();
 (*I)->TransactionState(TransactionAbort);
 }
 Transaction.clear();
diff -Nru apt-1.6.3/CMakeLists.txt apt-1.6.3ubuntu0.1/CMakeLists.txt
--- apt-1.6.3/CMakeLists.txt 2018-07-09 16:41:27.000000000 +0200
+++ apt-1.6.3ubuntu0.1/CMakeLists.txt 2018-08-20 09:48:01.000000000 +0200
@@ -182,7 +182,7 @@
 # Configure some variables like package, version and architecture.
 set(PACKAGE ${PROJECT_NAME})
 set(PACKAGE_MAIL "APT Development Team ")
-set(PACKAGE_VERSION "1.6.3")
+set(PACKAGE_VERSION "1.6.3ubuntu0.1")
 if (NOT DEFINED DPKG_DATADIR)
 execute_process(COMMAND ${PERL_EXECUTABLE} -MDpkg -e "print $Dpkg::DATADIR;"
diff -Nru apt-1.6.3/debian/changelog apt-1.6.3ubuntu0.1/debian/changelog
--- apt-1.6.3/debian/changelog 2018-07-09 16:41:27.000000000 +0200
+++ apt-1.6.3ubuntu0.1/debian/changelog 2018-08-20 09:48:01.000000000 +0200
@@ -1,3 +1,13 @@
+apt (1.6.3ubuntu0.1) bionic-security; urgency=medium
+
+ [ David Kalnischkies ]
+ * SECURITY UPDATE: Fallback in the mirror method allowed a later server to
+ supply any InRelease file without it having to be verified. (LP: #1787752)
+ - apt-pkg/acquire-item.cc:: clear alternative URIs for mirror:// between steps
+ - CVE-2018-0501
+
+ -- Julian Andres Klode Mon, 20 Aug 2018 09:48:01 +0200
+
 apt (1.6.3) unstable; urgency=medium
 * Handle JSON hooks that just close the file/exit and fix some other errors
diff -Nru apt-1.6.3/debian/control apt-1.6.3ubuntu0.1/debian/control
--- apt-1.6.3/debian/control 2018-07-09 16:41:27.000000000 +0200
+++ apt-1.6.3ubuntu0.1/debian/control 2018-08-20 09:48:01.000000000 +0200
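Review bot: In the acquire-item.cc hunk at -1187, items whose `Status` is `StatFetching` skip `(*I)->Dequeue()`, so their alternative-URI list is not cleared in this abort loop even though the whole transaction is being aborted. Whether a later completion or failure path for such an in-flight item clears the list before a fallback can be taken is outside the hunk, so this is worth confirming rather than assuming. If in-flight items are safe for another reason, a comment on the condition such as `// still fetching: left queued, alternatives are dropped when the item is dequeued later` would record that. The enclosing function starts and ends outside the hunk.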
@@ -1,7 +1,8 @@
 Source: apt
 Section: admin
 Priority: important
-Maintainer: APT Development Team
+Maintainer: Ubuntu Developers
+XSBC-Original-Maintainer: APT Development Team
 Uploaders: Michael Vogt , Julian Andres Klode , David Kalnischkies
diff -Nru apt-1.6.3/doc/apt.conf.5.xml apt-1.6.3ubuntu0.1/doc/apt.conf.5.xml
--- apt-1.6.3/doc/apt.conf.5.xml 2018-07-09 16:41:27.000000000 +0200
+++ apt-1.6.3ubuntu0.1/doc/apt.conf.5.xml 2018-08-20 09:48:01.000000000 +0200
@@ -19,7 +19,7 @@
 &apt-email; &apt-product;
- 2018-06-25T00:00:00Z
+ 2018-08-20T00:00:00Z
diff -Nru apt-1.6.3/doc/apt-get.8.xml apt-1.6.3ubuntu0.1/doc/apt-get.8.xml
--- apt-1.6.3/doc/apt-get.8.xml 2018-07-09 16:41:27.000000000 +0200
+++ apt-1.6.3ubuntu0.1/doc/apt-get.8.xml 2018-08-20 09:48:01.000000000 +0200
@@ -14,7 +14,7 @@
 &apt-email; &apt-product;
- 2018-06-25T00:00:00Z
+ 2018-08-20T00:00:00Z
diff -Nru apt-1.6.3/doc/apt-transport-https.1.xml apt-1.6.3ubuntu0.1/doc/apt-transport-https.1.xml
--- apt-1.6.3/doc/apt-transport-https.1.xml 2018-07-09 16:41:27.000000000 +0200
+++ apt-1.6.3ubuntu0.1/doc/apt-transport-https.1.xml 2018-08-20 09:48:01.000000000 +0200
@@ -13,7 +13,7 @@
 &apt-email; &apt-product;
- 2018-06-25T00:00:00Z
+ 2018-08-20T00:00:00Z
diff -Nru apt-1.6.3/doc/apt-verbatim.ent apt-1.6.3ubuntu0.1/doc/apt-verbatim.ent
--- apt-1.6.3/doc/apt-verbatim.ent 2018-07-09 16:41:27.000000000 +0200
+++ apt-1.6.3ubuntu0.1/doc/apt-verbatim.ent 2018-08-20 09:48:01.000000000 +0200
@@ -262,7 +262,7 @@
 ">
-
+
diff -Nru apt-1.6.3/doc/po/apt-doc.pot apt-1.6.3ubuntu0.1/doc/po/apt-doc.pot
--- apt-1.6.3/doc/po/apt-doc.pot 2018-07-09 16:41:27.000000000 +0200
+++ apt-1.6.3ubuntu0.1/doc/po/apt-doc.pot 2018-08-20 09:48:01.000000000 +0200
@@ -5,9 +5,9 @@
 #, fuzzy
 msgid ""
 msgstr ""
-"Project-Id-Version: apt-doc 1.6.3\n"
+"Project-Id-Version: apt-doc 1.6.3ubuntu0.1\n"
 "Report-Msgid-Bugs-To: APT Development Team \n"
-"POT-Creation-Date: 2018-07-09 16:41+0200\n"
+"POT-Creation-Date: 2018-08-20 09:49+0200\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME \n"
 "Language-Team: LANGUAGE \n"
diff -Nru apt-1.6.3/doc/sources.list.5.xml apt-1.6.3ubuntu0.1/doc/sources.list.5.xml
--- apt-1.6.3/doc/sources.list.5.xml 2018-07-09 16:41:27.000000000 +0200
+++ apt-1.6.3ubuntu0.1/doc/sources.list.5.xml 2018-08-20 09:48:01.000000000 +0200
@@ -14,7 +14,7 @@
 &apt-email; &apt-product;
- 2018-06-25T00:00:00Z
+ 2018-08-20T00:00:00Z
diff -Nru apt-1.6.3/po/apt-all.pot apt-1.6.3ubuntu0.1/po/apt-all.pot
--- apt-1.6.3/po/apt-all.pot 2018-07-09 16:41:27.000000000 +0200
+++ apt-1.6.3ubuntu0.1/po/apt-all.pot 2018-08-20 09:48:01.000000000 +0200
@@ -5,9 +5,9 @@
 #, fuzzy
 msgid ""
 msgstr ""
-"Project-Id-Version: apt 1.6.3\n"
+"Project-Id-Version: apt 1.6.3ubuntu0.1\n"
 "Report-Msgid-Bugs-To: APT Development Team \n"
-"POT-Creation-Date: 2018-07-09 16:41+0200\n"
+"POT-Creation-Date: 2018-08-20 09:49+0200\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME \n"
 "Language-Team: LANGUAGE \n"
diff -Nru apt-1.6.3/test/integration/test-cve-2018-0501-mirror-alternatives apt-1.6.3ubuntu0.1/test/integration/test-cve-2018-0501-mirror-alternatives
--- apt-1.6.3/test/integration/test-cve-2018-0501-mirror-alternatives 1970-01-01 01:00:00.000000000 +0100
+++ apt-1.6.3ubuntu0.1/test/integration/test-cve-2018-0501-mirror-alternatives 2018-08-20 09:48:01.000000000 +0200
@@ -0,0 +1,31 @@
+#!/bin/sh
+set -e
+TESTDIR="$(readlink -f "$(dirname "$0")")"
+. "$TESTDIR/framework"
+
+setupenvironment
+configarchitecture "i386"
+
+buildsimplenativepackage 'foo' 'all' '1' 'stable'
+setupaptarchive --no-update
+changetohttpswebserver
+
+# User has mirror method configured in apt >= 1.6~alpha6 &
+# Eve has enough MITM control over the network to
+# a) have the mirror file include at least two mirrors and
+# b) can send her bad InRelease files for both mirrors
+sed -i -e 's# https:# mirror+https:#' -e 's#/ stable#/mirror.txt stable#' rootdir/etc/apt/sources.list.d/*-stable-*
+echo "http://localhost:${APTHTTPPORT}
+https://localhost:${APTHTTPSPORT}" > aptarchive/mirror.txt
+
+# real Eve would do something worse…
+sed -i "/^Date: / a\
+Evil: yes" $(find ./aptarchive -name 'Release' -o -name 'InRelease')
+
+# progress display shows that the InRelease file was bad,
+# but it is used anyhow as the bad file causes a fallback to
+# a request to the second mirror which completes successful
+# causing apt to believe the verify completed successfully…
+testfailure apt update
+testfailure grep '^Evil:' rootdir/var/lib/apt/lists/*Release
+testfailure apt show foo
diff -Nru apt-1.6.3/test/integration/test-method-mirror apt-1.6.3ubuntu0.1/test/integration/test-method-mirror
--- apt-1.6.3/test/integration/test-method-mirror 2018-07-09 16:41:27.000000000 +0200
+++ apt-1.6.3ubuntu0.1/test/integration/test-method-mirror 2018-08-20 09:48:01.000000000 +0200
@@ -196,6 +196,7 @@
 echo 'Dir::Bin::Methods::foo+mirror+file "mirror";
 Dir::Bin::Methods::foo+mirror+http "mirror";
 Dir::Bin::Methods::foo+http "http";
+Dir::Bin::Methods::foo+https "https";
 ' > rootdir/etc/apt/apt.conf.d/99add-foo-method
 echo "http://localhost:${APTHTTPPORT}/redirectme
 " > aptarchive/mirror.txt
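Review bot: The regression test in test-cve-2018-0501-mirror-alternatives ends with a bare `testfailure apt update`, which as far as this diff shows asserts only that the command fails, not why. The helper's definition is not part of the diff, but if it checks no more than that, the test would still pass when the update fails for an unrelated reason such as a mirror list that cannot be fetched, and it would then not prove that the tampered InRelease was rejected by verification. I would follow the call with an assertion on the captured output, along the lines of `testsuccess grep '<expected verification error>' <captured testfailure output>` (both placeholders to be filled from the framework). The final `testfailure apt update` added to test-method-mirror after switching `signed-by` to the other key has the same gap.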
@@ -241,3 +242,14 @@
 Reading state information...
 All packages are up to date." apt update
 testrundownload 'foo=2'
+
+echo "https://localhost:${APTHTTPSPORT}/
+http://localhost:${APTHTTPPORT}/redirectme" > aptarchive/mirror.txt
+rm -rf rootdir/var/lib/apt/lists
+sed -i -e "s# foo+# [signed-by=$(readlink -f ./keys/joesixpack.pub)] foo+#g" rootdir/etc/apt/sources.list.d/apt-test-unstable-deb*
+testsuccess apt update
+testrundownload 'foo=2'
+
+rm -rf rootdir/var/lib/apt/lists
+sed -i -e "s# \[signed-by=[^]]\+\] foo+# [signed-by=$(readlink -f ./keys/marvinparanoid.pub)] foo+#g" rootdir/etc/apt/sources.list.d/apt-test-unstable-deb*
+testfailure apt update