Age | Commit message | Author | Files | Lines |
|
A crafted .apk file could trick apk into writing unverified data to
an unexpected file during temporary file creation due to bugs in handling
long link target name and the way a regular file is extracted.
Several hardening steps are implemented to avoid this:
- the temporary file is now always first unlinked (apk thus reserved
all filenames .apk.* to be its working files)
- the temporary file is after that created with O_EXCL to avoid races
- the temporary file is no longer directly the archive entry name
and thus directly controlled by potentially untrusted data
- long file names and link target names are now rejected
- hard link targets are now more rigorously checked
- various additional checks added for the extraction process to
error out early in case of malformed (or old legacy) file
Reported-by: Max Justicz <max@justi.cz>
(cherry picked from commit 6484ed9849f03971eb48ee1fdc21a2f128247eb1)
|
|
Most applets return whatever apk_solver_commit() returns. It is the
number of errors found (or negative for hard error). Sanitize the
error value to not give false success exit code in the unlikely case
of errors % 256 == 0.
Reported-by: Max Justicz <max@justi.cz>
(cherry picked from commit 7b654e125461b00bc26e52b25e6a7be3a32c11b9)
(cherry picked from commit 7c90fd0529c0358dd04cab0fce506e8a8b191506)
|
|
(cherry picked from commit 1d55b9488f2d9c6d367fa7f21b058466c24f3ad1)
|
|
(cherry picked from commit 2f3c8420493a731556909eb3ebd6d50478fb7b24)
|
|
(cherry picked from commit ca368916e0333bf24cdcbdbe42130ec6a92c3f6e)
|
|
Detect properly if the file stream gets an error during these
read operations.
Reported-by: Ariel Zelivansky from Twistlock
(cherry picked from commit cd531aef3033475c26f29a1f650a3bf392cc2daa)
|
|
The value from tar header is unsigned int; keep it casted to
unsigned int and size_t instead of (signed) int, otherwise
the comparisons fail to do their job properly. Additionally check
entry.size against SSIZE_MAX so the rounding up later on is
guaranteed to not overflow.
Fixes CVE-2017-9669 and CVE-2017-9671.
Reported-by: Ariel Zelivansky from Twistlock
(cherry picked from commit 286aa77ef1811e477895713df162c92b2ffc6df8)
|
|
It is unreasonable to assume that all package writers would expect
to reset umask themselves. It's done currently in most packages,
but we had first issue of this kind recently, so better just reset
umask.
|
|
trigger it only if apk-tools can be upgraded, add test cases
|
|
print license with the --license option.
|
|
Make it possible to individually override openssl, zlib and libfetch
cflags and linker flags. This makes it possible to build apk-tools
without having pkg-config installed.
|
|
fixes #5656
|
|
it's only used to speed up things, and having it non-existent
is not a fatal error - all included things in index will be
passed in command line anyway
|
|
which will delete any .apk package on output directory that were
not downloaded by fetch
this allows apk fetch to incrementally build repositories for
binary images
|
|
don't overwrite the link_target if it was found from pax header.
ref #5076
|
|
- self-conflicts when the exact same version of a name is provided
twice is now properly detected and diagnosed
- don't print redundant satisfies diagnostic
|
|
Implement --no-cache. The index is read directly from network and not
cached. This is useful for docker, where you install a set of packages
and directly after purge the cache. (see
https://github.com/gliderlabs/docker-alpine/blob/1fc9e59d1689fc4eaf930ec66389fe58062fccec/builder/scripts/apk-install)
fixes #4905
|
|
preserve [am]time for all packages and indexes. this fixes the caching
error that 'apk update' is after new index is generated, but before
the used mirror is synchronized. this caused local apkindex timestamp
to be newer than file in mirror, when in fact it was outdated index.
this also fixes fetched files to have build timestamp so that files
going to .iso or custom images have proper timestamps (rsync with
appropriate --modify-window now works)
|
|
fixes #4770
apk_name_foreach_matching() can match each package via its
main name and all its provides. Print matched packages only once.
|
|
We need fall back to a splice buffer if posix_fallocate call fails due
to file being a device (eg tty) or a pipe. This fixes apk fetch --stdout.
|
|
ftruncate does not allocate it, and subsequent access to mmaped
file will result in SIGBUS. this fixes to properly report disk
full errors.
|
|
the problem is that var/lock is on root installs symlink to /run/lock
(on tmpfs) and does not exist if doing chroot() to that root. fixes
apk to work when chrooted to existing rootfs install.
|
|
fixes #4261
|
|
so valgrind does not report any leaks
|
|
it's a hot path for decoding checksums in fdb
|
|
it is more efficient than the previously used djb hash
|