Age | Commit message | Author | Files | Lines
2021-07-26 | libfetch: fix range checking for http/ftp protocol parsing | Timo Teräs | 5 | -61/+70
Various parsing of numeric strings were not having adequate range checking causing information leak or potential crash.
CVE-2021-36159
fixes #10749
Co-authored-by: Ariadne Conill <ariadne@dereferenced.org>
Reported-by: Samanta Navarro <ferivoz@riseup.net>
2021-07-26 | db: fix installed db writing with long names | Samanta Navarro | 1 | -6/+11
Packages containing files with path names longer than 1024 characters cannot fit into the buffer which is used to write "installed" database. This leads to bbuf being APK_BLOB_NULL in apk_db_write_fdb because apk_blob_push_blob notices the condition and correctly handles it. The problem occurs when arguments to apk_ostream_write are manually calculated by pointer arithmetics. Since bbuf.ptr is NULL in such a case, bbuf.ptr - buf leads to a huge size value while buf still points into the stack.
fixes #10751
[TT: minor edit to commit and abbreviating the commit message]
2021-07-26 | Use __attribute__ ((format)) where possible and fix issues found by it | Timo Teräs | 3 | -7/+10
2021-07-25 | io_archive: Use SOURCE_DATE_EPOCH for meta files instead of current time | kpcyrd | 3 | -1/+18
[TT: minor stylistic changes]
2021-07-23 | db: allow read-only operations without cache | Timo Teräs | 4 | -11/+29
fixes #10748
2021-07-23 | libfetch: simplify code by merging protocol error handling branches | Timo Teräs | 2 | -36/+22
removes some code duplication
2021-07-23 | db: check syscall errors in update_permissions() | Timo Teräs | 1 | -5/+17
2021-07-23 | doc: add missing options to index, info, and version | Rodrigo Lourenço | 3 | -12/+23
2021-07-23 | Document apk-search | Rodrigo Lourenço | 3 | -0/+45
Fixes #10746.
2021-07-23 | Remove AUTHORS section from man pages | Timo Teräs | 22 | -110/+0
Use of an AUTHORS section is strongly discouraged. Generally, it is better not to clutter every page with a list of (over time potentially numerous) authors. Add your name to comments in sources, or the root level AUTHORS file instead.
2021-07-23 | Disable progress bar on dumb terminals by default | Sören Tempel | 1 | -1/+6
The progress bar requires the terminal emulator to support ANSI escape sequences. Normally, TERM is set to dumb to indicate that the terminal emulator doesn't support any ANSI escape sequences. Attempting to use ANSI escape sequences on dumb terminals will lead to weird output. In order to make apk work by default, even on dumb terminals, this commit introduces an additional check which consults $TERM and disables the progress bar if it is set to "dumb". [TT: backported to 2.12]
2021-05-20 | solver: don't consider requirer count for preference | Timo Teräs | 3 | -18/+29
The original intent was to choose packages to which there are the most dependencies. However, since the code has evolved this has been mostly obsolete. And in fact now interferes with the provides and provides priority mechanism. Remove this as obsolete.
Fixes #10742
2021-04-12 | apk-tools-2.12.5 [v2.12.5] | Timo Teräs | 1 | -1/+1
2021-04-11 | io_archive: add bounds limit for uname and gname tar header fields | Timo Teräs | 3 | -10/+11
Modify apk_resolve_[ug]id to take the user/groupname as a blob, so proper length checking is done and honored.
==31584== Conditional jump or move depends on uninitialised value(s)
==31584==    at 0x5C8CA5: strlen (strlen.c:17)
==31584==    by 0x432575: APK_BLOB_STR (apk_blob.h:79)
==31584==    by 0x4350EB: apk_resolve_uid (io.c:1112)
==31584==    by 0x43696C: apk_tar_parse (io_archive.c:152)
==31584==    by 0x4271BC: apk_pkg_read (package.c:929)
==31584==    by 0x402D75: add_main (app_add.c:163)
==31584==    by 0x40D5FF: main (apk-static.c:516)
Fixes a potential crash (DoS) on a crafted TAR file. CVE-2021-30139.
Reported-by: Sören Tempel <soeren+git@soeren-tempel.net>
Reviewed-by: Ariadne Conill <ariadne@dereferenced.org>
2021-04-11 | io: fix fd leak in error handling paths | Timo Teräs | 1 | -5/+20
apk_dir_foreach_file and apk_resolve_[ug]id need to free the fd in case fdopen/fdopendir fails. Additionally this does not rely on fdopen to fail if openat() returned -1, making sure that we don't call any syscalls with invalid file handle.
2021-03-23 | apk-tools-2.12.4 [v2.12.4] | Timo Teräs | 1 | -1/+1
2021-03-19 | database: do not chroot(".") unless actually necessary | Ariadne Conill | 2 | -2/+14
If we use default root (/), then we do not have to chroot to run scripts. Use APK_NO_CHROOT flag for this scenario to avoid the chroot. This helps with using apk with bwrap and OSTree. Closes #10736. [TT: backported to 2.12-stable]
2021-03-19 | del: report correctly package's provides names | Timo Teräs | 1 | -9/+21
The code assumed that when package is in world, it would be there by its primary name. The code is now updated to properly print the package names that are actually present in world.
fixes #10718
2021-03-16 | libfetch: send Proxy-Authorization also for https connect | Timo Teräs | 1 | -8/+20
fixes #10738
2021-03-13 | Use correct port when redirected | Martin Vahlensieck | 1 | -1/+1
If server redirects from http to https, libfetch detects this, but wrongly uses the old url scheme to determine the port. This subsequently leads to the following OpenSSL error:
  139741541575496:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:331:
Using the new scheme fixes this. This error message comes from trying to connect to port 80 with TLS, it can also be observed by issuing
  $ openssl s_client -connect alpinelinux.org:80
This bug was introduced in commit:
  7158474 libfetch: keep http auth only if redirect is for the same host
2021-02-07 | apk-tools-2.12.3 [v2.12.3] | Timo Teräs | 1 | -1/+1
2021-02-07 | db: fix control character check to use uint8_t | Timo Teräs | 1 | -2/+2
fixes #10737
2021-02-07 | apk-tools-2.12.2 [v2.12.2] | Timo Teräs | 1 | -1/+1
2021-02-07 | db: consider control characters in filename as malicious | Timo Teräs | 3 | -11/+25
Especially a newline can produce havoc in the database file as the filename is written there as-is. This hardens the extraction to consider any control character as malicious. Additional hardening is added to database loading to better detect corrupt state and return proper error code about it.
Reported-by: Luca Weiss <luca@z3ntu.xyz>
2021-02-07 | io: Handle really long lines | Olliver Schinagl | 3 | -19780/+1
While commit 18b0b45 (io: Handle long lines, Thu Jan 7 17:25:23 2021 +0100) did attempt to address this issue, the buffer really is still too small when dealing with big-big dependency lists. Let's make it sufficiently large for now, until the new APKINDEX format can support multi-line dependencies, making this not needed any more.
[TT: Originally the buffer size was conservative to run on resource constrained embedded platforms. But since the available memory on those has also increased much, the adjustment to 128kB makes sense also to increase performance a little bit. Removing also the iolimit test.]
Signed-off-by: Olliver Schinagl <oliver@schinagl.nl>
2021-02-07 | gunzip: fix false end-of-file condition in rare circumstances | Timo Teräs | 1 | -1/+1
It turns out inflate() can output zero bytes, even if it consumed data. This had the unfortunate side effect of returning zero bytes (end-of-file) condition before calling the boundary callbacks. This fixes the logic to not return zero reads on gzip boundary. In practice this fixes the seldom seen issues of apk reporting bad signature (when it was correct).
2021-01-19 | apk-tools-2.12.1 [v2.12.1] | Timo Teräs | 1 | -1/+1
2021-01-19 | libfetch: harden URL parsing | Timo Teräs | 1 | -11/+28
Treat URLs with too long individual components as malformed instead of silently truncating that field. There might be unexpected results if hostname, username or password field gets truncated.
2021-01-19 | libfetch: fix connection pooling for proxied http/https requests | Timo Teräs | 4 | -15/+14
The connection pooling was broken in two ways:
 1. The original URL was always used as the connection pool URL, resulting in duplicate connections to the proxy for http URLs (each http URL would get separate proxy connection)
 2. The cache_url stored was always the socket level connect URL. In case of HTTPS, the lookup was done with the real URL, but the proxy URL was stored as the "cache URL". Thus HTTPS CONNECT connections were never re-used.
This fixes the code with following logic:
 1. The cache key url is the real URL when no-proxy, or when HTTPS with proxy (the socket is connected to proxy, but logically it is connected to the real URL due to HTTP CONNECT request). And for HTTP with proxy, it's the proxy URL so same proxy connection can be reused for all requests going through it.
 2. fetch_connect() now gets cache key URL separately, and it always gets the same value as the fetch_cache_get() calls.
2021-01-19 | libfetch: fix use-after-free in connection cache management | Timo Teräs | 1 | -3/+3
fixes #10734
2021-01-19 | libfetch: fix parsing of proxy response to CONNECT requests | Conny Seifert | 1 | -6/+1
Instead of skipping just one line, properly parse the response headers. [TT: reworded commit message]
2021-01-17 | libfetch: support for CIDR subnets in no_proxy/NO_PROXY | Timo Teräs | 1 | -1/+65
This enables matching numeric hosts against CIDR style subnet matches in no_proxy environment variable. Based on work by Thermi. Co-authored-by: Noel Kuntze <noel.kuntze@thermi.consulting>
2021-01-17 | man info: --install-if and --rinstall-if do not have short options | Timo Teräs | 1 | -7/+7
Commit e4aae45f removed the short options. Update the documentation. Fixes #10733
2021-01-14 | database.c: Fixed package DESCRIPTION parsing | thibault.ferrante | 2 | -1/+2
Regression introduced by 0fb0d30 which makes parsing a description a critical failure. [TT: Minor stylistic change. Fix also missing final line change from the earlier commit]
2021-01-11 | io: Handle long lines | thibault.ferrante | 1 | -1/+1
As an APKINDEX can become arbitrarily long due to dependencies and other parameters, increasing the buffer size makes this less likely to happen.
Closes #10731.
2021-01-11 | database: Propagate errors when loading an APKINDEX | thibault.ferrante | 10 | -19/+19815
In case of failure when loading an APKINDEX, no errors are propagated to the user which may incorrectly interpret the current problem.
2021-01-08 | libfetch: Increase URL password length | Mike Detwiler | 1 | -1/+1
Signed-off-by: Mike Detwiler <det@shift5.io>
2020-12-29 | apk_update: use URL_PRINTF | Alex Denes | 1 | -2/+4
2020-11-11 | manual: Add missing r | Alex Denes | 1 | -1/+1
2020-11-10 | manual: Fix wrong argument name | Alex Denes | 1 | -1/+1
2020-10-09 | apk-tools-2.12.0 [v2.12.0] | Timo Teräs | 1 | -1/+1
2020-10-07 | various changes to make clang not give warnings | Timo Teräs | 5 | -14/+19
2020-10-06 | apk-tools-2.12.0_rc2 [v2.12.0_rc2] | Timo Teräs | 1 | -1/+1
2020-10-06 | db: make the --repositories-file change more announced | Timo Teräs | 2 | -5/+10
Document the version when changed. And print error with similar note if the given repositories-file cannot be read.
2020-10-06 | libfetch: keep http auth only if redirect is for the same host | Timo Teräs | 1 | -1/+7
fixes #10688
2020-10-06 | database: automatically create missing cache dir | Paul Spooren | 1 | -0/+6
On some systems the `/var/` dir is mounted in a tmpfs which is reset after each reboot. For that reason no post-install script can handle the creation of the cache dir at `/var/cache/apk`. Check on database opening if the folder is available, if not create it.
Fixes #10715
Signed-off-by: Paul Spooren <mail@aparcar.org>
2020-10-05 | db: make --repositories-file relative to host root | Timo Teräs | 2 | -4/+4
It used to be relative to the --root specified root, but that causes issues with relative command line filenames and is unintuitive. Update documentation accordingly. Fixes #10702.
2020-10-05 | db: mask password component of printed URLs | Timo Teräs | 3 | -12/+55
fixes #10710
2020-10-03 | commit: rephrase the error messages more understandable | Timo Teräs | 17 | -19/+19
fixes #10703
2020-10-01 | db: check cache only if some repositories are enabled | Timo Teräs | 1 | -1/+1