Age | Commit message | Author | Files | Lines

A crafted .apk file could trick apk into writing unverified data to
an unexpected file during temporary file creation due to bugs in handling
long link target name and the way a regular file is extracted.
Several hardening steps are implemented to avoid this:
- the temporary file is now always first unlinked (apk thus reserved
all filenames .apk.* to be its working files)
- the temporary file is after that created with O_EXCL to avoid races
- the temporary file is no longer directly the archive entry name
and thus directly controlled by potentially untrusted data
- long file names and link target names are now rejected
- hard link targets are now more rigorously checked
- various additional checks added for the extraction process to
error out early in case of malformed (or old legacy) files
Reported-by: Max Justicz <max@justi.cz>

found by clang

APKs have been created with GNU tar so far, which uses the
GNU extensions for long names. In order to increase portability,
support the standard header's 'prefix' portion in case
the GNU extensions are not present.

This reduces function pointers in the heap, and unifies how the
io functions are called.

Detect properly if the file stream gets an error during these
read operations.
Reported-by: Ariel Zelivansky from Twistlock

The value from tar header is unsigned int; keep it cast to
unsigned int and size_t instead of (signed) int, otherwise
the comparisons fail to do their job properly. Additionally check
entry.size against SSIZE_MAX so the rounding up later on is
guaranteed to not overflow.
Fixes CVE-2017-9669 and CVE-2017-9671.
Reported-by: Ariel Zelivansky from Twistlock

don't overwrite the link_target if it was found from pax header.
ref #5076

preserve [am]time for all packages and indexes. this fixes the caching
error that occurs when 'apk update' is run after a new index is generated,
but before the used mirror is synchronized. this caused the local apkindex
timestamp to be newer than the file in the mirror, when in fact it was an
outdated index.
this also fixes fetched files to have build timestamp so that files
going to .iso or custom images have proper timestamps (rsync with
appropriate --modify-window now works)

there's no nice syscall to manipulate xattrs with an atfd, or
to open the symlink without dereferencing it (and having an fd
that we can do xattrs with)

user xattrs on tmpfs are not supported on non-grsec kernels,
and many times root fs is mounted without user_xattr. Thus,
to allow things to go smoothly on non-grsec kernels, xattr
unsupported errors are now hidden.
xattrs can still be fixed now with "apk fix --xattrs"

ref #3027

ref #3027

Acked-by: Natanael Copa <ncopa@alpinelinux.org>

no need to muldiv all the time, just pass the current amount of bytes
done, and let callbacks use that directly.

Otherwise we end up using wrong uid/gid mappings when doing install
to alternate system root. Fixes #434.

the uid and gid are used in other places than just changing file
ownership on extraction.

Seems like recent eglibc requires that you include sys/stat.h

Take the uid/gid from passwd and group.

turns out the logic does not work with overlays as expected due
to busybox symlinks being unmanaged. remove the useless option.

otherwise we always extract the file as .apk-new and the database
side just overwrites.

to never ever overwrite a file in the filesystem the user knows
about. it gives the impression of extraction succeeding even though
nothing was done. this is intended to be used only for bootstrapping
with overlay.

ability to embed description information to repository indexes
(e.g. repository name and version) and show it via "apk version -I".

and take checksums for symlinks too.

We need the define for uint16

this way we never change cwd, and relative filenames are always
parsed consistently. this also helps filename construction in many
places. this patch also changes '--root' to override location of
all configuration to be in the new root. previously it depended
on which file was used.

apparently it needs to have both PROT_READ and PROT_WRITE. and
it needs to be MAP_SHARED for the writing to be effective. oh,
and the data needs to be preallocated with ftruncate; otherwise,
one gets SIGBUS.

and force checksumming only when unpacking archive.
it's extra computation for nothing.

otherwise bad things happen. avoid this by checking end of
stream at the beginning of read.

Otherwise link(2) will fail since it does not exist.

- extract everything as .apk-new and overwrite only after data
has been checksummed
- url construction fixes (to work with simple http servers)
- end of gunzip stream fixed
- remove oneshot digesting flag for now as its usage was broken

prefer index in the new format as signed .tar.gz.

to speed up apk installation avoid calculating checksums.

change the index generation to do old index, or the new style index
where package identity is sha1 of control block and it is contained
within a .tar.gz to allow signing in future.