diff -Nru apt-1.0.1ubuntu2/apt-private/private-download.cc apt-1.0.1ubuntu2.1/apt-private/private-download.cc --- apt-1.0.1ubuntu2/apt-private/private-download.cc 2014-04-03 11:31:40.000000000 +0200 +++ apt-1.0.1ubuntu2.1/apt-private/private-download.cc 2014-06-12 13:57:07.000000000 +0200 @@ -28,6 +28,11 @@ if (UntrustedList == "") return true; + return AuthPrompt(UntrustedList, PromptUser); +} + +bool AuthPrompt(std::string UntrustedList, bool const PromptUser) +{ ShowList(c2out,_("WARNING: The following packages cannot be authenticated!"),UntrustedList,""); if (_config->FindB("APT::Get::AllowUnauthenticated",false) == true) diff -Nru apt-1.0.1ubuntu2/apt-private/private-download.h apt-1.0.1ubuntu2.1/apt-private/private-download.h --- apt-1.0.1ubuntu2/apt-private/private-download.h 2014-04-03 11:31:40.000000000 +0200 +++ apt-1.0.1ubuntu2.1/apt-private/private-download.h 2014-06-12 13:57:07.000000000 +0200 @@ -5,7 +5,13 @@ class pkgAcquire; +// Check if all files in the fetcher are authenticated APT_PUBLIC bool CheckAuth(pkgAcquire& Fetcher, bool const PromptUser); + +// show a authentication warning prompt and return true if the system +// should continue +APT_PUBLIC bool AuthPrompt(std::string UntrustedList, bool const PromptUser); + APT_PUBLIC bool AcquireRun(pkgAcquire &Fetcher, int const PulseInterval, bool * const Failure, bool * const TransientNetworkFailure); #endif diff -Nru apt-1.0.1ubuntu2/cmdline/apt-get.cc apt-1.0.1ubuntu2.1/cmdline/apt-get.cc --- apt-1.0.1ubuntu2/cmdline/apt-get.cc 2014-04-10 14:24:13.000000000 +0200 +++ apt-1.0.1ubuntu2.1/cmdline/apt-get.cc 2014-06-12 13:57:07.000000000 +0200 @@ -76,7 +76,6 @@ #include #include #include -#include #include #include #include @@ -756,6 +755,7 @@ // Load the requestd sources into the fetcher unsigned J = 0; + std::string UntrustedList; for (const char **I = CmdL.FileList + 1; *I != 0; I++, J++) { string Src; @@ -764,6 +764,9 @@ if (Last == 0) { return _error->Error(_("Unable to find a source package for %s"),Src.c_str()); } + + if (Last->Index().IsTrusted() == false) + UntrustedList += Src + " "; string srec = Last->AsStr(); string::size_type pos = srec.find("\nVcs-"); @@ -847,6 +850,10 @@ Last->Index().SourceInfo(*Last,*I),Src); } } + + // check authentication status of the source as well + if (UntrustedList != "" && !AuthPrompt(UntrustedList, false)) + return false; // Display statistics unsigned long long FetchBytes = Fetcher.FetchNeeded(); diff -Nru apt-1.0.1ubuntu2/debian/changelog apt-1.0.1ubuntu2.1/debian/changelog --- apt-1.0.1ubuntu2/debian/changelog 2014-04-10 14:24:46.000000000 +0200 +++ apt-1.0.1ubuntu2.1/debian/changelog 2014-06-12 13:59:37.000000000 +0200 @@ -1,3 +1,11 @@ +apt (1.0.1ubuntu2.1) trusty-security; urgency=low + + * SECURITY UPDATE: apt-get source validation + - CVE-2014-0478 + LP: #1329274 + + -- Michael Vogt Thu, 12 Jun 2014 13:57:38 +0200 + apt (1.0.1ubuntu2) trusty; urgency=low * fix symlink of etc/apt/apt.conf.d/01autoremove when runnning in diff -Nru apt-1.0.1ubuntu2/test/integration/test-apt-get-source-authenticated apt-1.0.1ubuntu2.1/test/integration/test-apt-get-source-authenticated --- apt-1.0.1ubuntu2/test/integration/test-apt-get-source-authenticated 1970-01-01 01:00:00.000000000 +0100 +++ apt-1.0.1ubuntu2.1/test/integration/test-apt-get-source-authenticated 2014-06-12 13:57:07.000000000 +0200 @@ -0,0 +1,31 @@ +#!/bin/sh +# +# Regression test for debian bug #749795. Ensure that we fail with +# a error if apt-get source foo will download a source that comes +# from a unauthenticated repository +# +set -e + +TESTDIR=$(readlink -f $(dirname $0)) +. $TESTDIR/framework + +setupenvironment +configarchitecture "i386" + +# a "normal" package with source and binary +buildsimplenativepackage 'foo' 'all' '2.0' + +setupaptarchive --no-update + +APTARCHIVE=$(readlink -f ./aptarchive) +rm -f $APTARCHIVE/dists/unstable/*Release* + +# update without authenticated InRelease file +testsuccess aptget update + +# this all should fail +testfailure aptget install -y foo +testfailure aptget source foo + +# allow overriding the warning +testsuccess aptget source --allow-unauthenticated foo