path: root/src/archive.c
Age | Commit message | Author | Files | Lines
2018-10-26 | add support for openssl 1.1 | Timo Teräs | 1 | -7/+10
2018-09-10 | rework unpacking of packages and harden package file format requirements | Timo Teräs | 1 | -21/+13
A crafted .apk file could trick apk into writing unverified data to an unexpected file during temporary file creation due to bugs in handling long link target name and the way a regular file is extracted. Several hardening steps are implemented to avoid this:
- the temporary file is now always first unlinked (apk thus reserved all filenames .apk.* to be its working files)
- the temporary file is after that created with O_EXCL to avoid races
- the temporary file is no longer directly the archive entry name and thus directly controlled by potentially untrusted data
- long file names and link target names are now rejected
- hard link targets are now more rigorously checked
- various additional checks added for the extraction process to error out early in case of malformed (or old legacy) file
Reported-by: Max Justicz <max@justi.cz>
2018-08-14 | archive: enable FIFO extraction | Jesse Young | 1 | -2/+4
2017-08-23 | fix comparison of unsigned expression < 0 is always false | Dmitry Golovin | 1 | -1/+2
found by clang
2017-06-26 | tar: use standard header prefix | Timo Teräs | 1 | -1/+9
APKs have been created with GNU tar so far, which uses the GNU extensions for long names. In order to increase portability, support the standard header's 'prefix' portion in case the GNU extensions are not present.
2017-06-23 | io: make io vtables const struct, and add accessors for them | Timo Teräs | 1 | -13/+17
This reduces function pointers in heap, and unifies how the io functions are called.
2017-06-23 | archive: validate reading of pax and gnu long filename extensions | Timo Teräs | 1 | -14/+14
Detect properly if the file stream gets an error during these read operations.
Reported-by: Ariel Zelivansky from Twistlock
2017-06-23 | archive: fix incorrect bounds checking for memory allocation | Timo Teräs | 1 | -2/+4
The value from tar header is unsigned int; keep it casted to unsigned int and size_t instead of (signed) int, otherwise the comparisons fail to do their job properly. Additionally check entry.size against SSIZE_MAX so the rounding up later on is guaranteed to not overflow.
Fixes CVE-2017-9669 and CVE-2017-9671.
Reported-by: Ariel Zelivansky from Twistlock
2017-01-05 | tar: return correct error for short read of tar archive | Timo Teräs | 1 | -3/+8
2016-02-09 | archive: fix long symlink target names | Timo Teräs | 1 | -2/+2
don't overwrite the link_target if it was found from pax header. ref #5076
2015-11-09 | io, database: preserve [am]time for cached and fetched files | Timo Teräs | 1 | -0/+13
preserve [am]time for all packages and indexes. this fixes the caching error that 'apk update' is after new index is generated, but before the used mirror is synchronized. this caused local apkindex timestamp to be newer than file in mirror, when in fact it was outdated index. this also fixes fetched files to have build timestamp so that files going to .iso or custom images have proper timestamps (rsync with appropriate --modify-window now works)
2015-04-17 | fix issue introduced in previous xattr error handling changes | Timo Teräs | 1 | -2/+2
2015-04-17 | disable xattrs on symlinks for now | Timo Teräs | 1 | -1/+1
there's no nice syscall to manipulate xattrs with atfd and/or open the symlink without dereferencing it (and having fd that we can do xattrs with)
2015-04-17 | make file install errors non-fatal, and xattr errors hidden | Timo Teräs | 1 | -53/+58
user xattrs on tmpfs are not supported on non-grsec kernels, and many times root fs is mounted without user_xattr. Thus to allow things to go smoothly on non-grsec kernels xattr unsupported errors are now hidden. xattrs can be fixed still now with "apk fix --xattrs"
2015-03-11 | calculate and store checksum of xattrs | Timo Teräs | 1 | -1/+4
ref #3027
2015-03-10 | rename file info related functions for consistency | Timo Teräs | 1 | -2/+2
2015-03-10 | extract xattrs from packages | Timo Teräs | 1 | -0/+33
ref #3027
2014-11-01 | support extended pax header in tar extractor | Timo Teräs | 1 | -38/+83
2013-09-20 | archive: fix handling of name lengths of exactly 100 bytes | Timo Teräs | 1 | -0/+3
2013-06-28 | various: applet help text and comment fixes | Dubiousjim | 1 | -1/+1
Acked-by: Natanael Copa <ncopa@alpinelinux.org>
2013-06-17 | io: get rid of APK_PROGRESS_SCALE | Timo Teräs | 1 | -2/+1
no need to muldiv all the time, just pass the current amount of bytes done, and let callbacks use that directly.
2013-04-18 | *.c: malloc.h->stdlib.h | Pierre Carrier | 1 | -1/+1
2011-09-13 | all: update copyright year statement | Timo Teräs | 1 | -1/+1
2010-10-08 | io, db: id cache should be specific to database root, not system root | Timo Teräs | 1 | -3/+3
Otherwise we end up using wrong uid/gid mappings when doing install to alternate system root. Fixes #434.
2010-09-23 | archive: resolve uid, gid for file information | Timo Teräs | 1 | -6/+3
the uid and gid are used in other places than just changing file ownership on extraction.
2010-08-30 | Fix building on eglibc | Natanael Copa | 1 | -0/+1
Seems like recent eglibc requires that you include sys/stat.h
2010-06-12 | archive: honor username/groupname instead of uid/gid | Timo Teräs | 1 | -1/+4
Take the uid/gid from passwd and group.
2010-06-11 | various: use O_CLOEXEC and add some error checking | Timo Teräs | 1 | -1/+1
2010-06-11 | First steps for libapk | Natanael Copa | 1 | -0/+1
2009-12-21 | apk: remove the unneeded --never-overwrite | Timo Teras | 1 | -18/+1
turns out the logic does not work with overlays as expected due to busybox symlinks being unmanaged. remove the useless option.
2009-11-06 | archive: overwrite protection needs to use real filename | Timo Teras | 1 | -1/+7
otherwise we always extract the file as .apk-new and the database side just overwrites.
2009-11-06 | apk: add --never-overwrite flag (ref #197) | Timo Teras | 1 | -2/+20
to never ever overwrite a file in the filesystem the user knows about. it gives the impression of extraction succeeding even though nothing was done. this is intended to be used only for bootstrapping with overlay.
2009-09-03 | index, version: support for repository descriptions (fixes #141) | Timo Teras | 1 | -1/+2
ability to embed description information to repository indexes (e.g. repository name and version) and show it via "apk version -I".
2009-08-11 | archive: update for new place of checksum in tar header | Timo Teras | 1 | -9/+26
and take checksums for symlinks too.
2009-08-11 | db, audit: audit symlinks (by hash of the link target) | Timo Teras | 1 | -1/+1
2009-08-03 | archive: compile fix | Natanael Copa | 1 | -0/+1
We need the define for uint16
2009-07-31 | apk: use *at instead of chdir+normal file syscall | Timo Teras | 1 | -26/+29
this way we never change cwd, and relative filenames are always parsed consistently. this also helps filename construction in many places. this patch also changes '--root' to override location of all configuration to be in the new root. previously it depended on the file which one was used.
2009-07-30 | io: fix mmap writing to actually work | Timo Teras | 1 | -1/+1
apparently it needs to have both PROT_READ and PROT_WRITE. and it needs to be MAP_SHARED for the writing to be effective. oh, and the data needs to be preallocated with ftruncate; otherwise, one gets SIGBUS.
2009-07-29 | tar: make checksumming of inner files conditional | Timo Teras | 1 | -4/+7
and force checksumming only when unpacking archive. otherwise it's extra computation for nothing.
2009-07-29 | tar: don't call digest finalization twice | Timo Teras | 1 | -0/+3
otherwise bad things happen. avoid this by checking end of stream at the beginning of read.
2009-07-23 | archive: append .apk-new to hard link targets | Natanael Copa | 1 | -1/+5
Otherwise link(2) will fail since it does not exist.
2009-07-22 | various: more informative error messages | Timo Teras | 1 | -10/+11
2009-07-22 | various: installation fixes | Timo Teras | 1 | -1/+2
- extract everything as .apk-new and overwrite only after data has been checksummed
- url construction fixes (to work with simple http servers)
- end of gunzip stream fixed
- remove oneshot digesting flag for now as its usage was broken
2009-07-21 | various: fix installation of new style apks | Timo Teras | 1 | -1/+1
2009-07-21 | pkg: fix indexing of multi-part apks | Timo Teras | 1 | -3/+3
2009-07-21 | db: fixes to package checksumming while installing it | Timo Teras | 1 | -7/+12
2009-07-20 | db: signed index loading (ref #46) | Timo Teras | 1 | -0/+5
prefer index in the new format as signed .tar.gz.
2009-07-16 | archive: use the abuild-tar mangled checksum if available | Timo Teras | 1 | -8/+28
to speed up apk installation avoid calculating checksums.
2009-07-16 | various: new style index generation | Timo Teras | 1 | -12/+27
change the index generation to do old index, or the new style index where package identity is sha1 of control block and it's contained within an .tar.gz to allow signing in future.
2009-07-16 | gzip: always autoclose the inner stream | Timo Teras | 1 | -13/+0