| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
A crafted .apk file could to trick apk writing unverified data to
an unexpected file during temporary file creation due to bugs in handling
long link target name and the way a regular file is extracted.
Several hardening steps are implemented to avoid this:
- the temporary file is now always first unlinked (apk thus reserved
all filenames .apk.* to be it's working files)
- the temporary file is after that created with O_EXCL to avoid races
- the temporary file is no longer directly the archive entry name
and thus directly controlled by potentially untrusted data
- long file names and link target names are now rejected
- hard link targets are now more rigorously checked
- various additional checks added for the extraction process to
error out early in case of malformed (or old legacy) file
Reported-by: Max Justicz <max@justi.cz>
(cherry picked from commit 6484ed9849f03971eb48ee1fdc21a2f128247eb1)
|
|
This change just changes to keep deleted directory items in
the hash with ref count zero and modified flag set. Those entries
are reused when needed. The side effect is that fire_triggers()
will now see those removed direcotries and reports them. Other
enumerators of the directories hash are protected to skip removed
directories when appropriate.
(cherry picked from commit b0fcc56f221e749271bb2aa13e151699e62b09ac)
(cherry picked from commit 6ee77576e7c16c23784c69f82d90be98deb07515)
|
|
dbopts->root may be null; use db->root instead
fixes #7162
|
|
|
|
Depending how the directory entries are ordered, the cached dir
instance might not have been updated correctly. This has not been
a problem as the entries have been ordered, but is now triggered
on ppc.
|
|
(cherry picked from commit 17dd532e428e647e9d977e727c87c0f3a4e93ae3)
|
|
Introduced in commit c0f2d88f342f4d185f3991f98b79ab61a03896e4.
fstatfs is needed to inspect the mount flags.
(cherry picked from commit ede5165833b94051ecbc35e9ac4a359f54cc0116)
|
|
This reduces function pointers in heap, and unifies how the
io functions are called.
(cherry picked from commit 09ca58863af02d11e8dbf066b714464fb1638e6f)
|
|
|
|
|
|
This fixes regression introduced by commit 72b878e655
|
|
|
|
fixes #5616
The original intention was not use unnecessary space on tmpfs
e.g. if the cache directory is a mount point, but accidentally
left unmounted. But there are valid cases when packages are
intentionally wanted to be cached on tmpfs. If caching is not
desired, the user can just remove the cache directory.
|
|
musl c-library does not work properly without /proc, and potentially
running the scripts need this.
|
|
This allows for instance integration of etckeeper
[TT: Reorganized code a bit, and modified to use single
directory commit_hooks.d with argument for script of stage.]
|
|
Implement --no-cache. The index is read directly from network and not
cached. This is useful for docker, where you install a set of packages
and directly after purge the cache. (see
https://github.com/gliderlabs/docker-alpine/blob/1fc9e59d1689fc4eaf930ec66389fe58062fccec/builder/scripts/apk-install)
fixes #4905
|
|
preserve [am]time for all packages and indexes. this fixes the caching
error that 'apk update' is after new index is generated, but before
the used mirror is synchronized. this caused local apkindex timestamp
to be newer than file in mirror, when in fact it was outdated index.
this also fixes fetched files to have build timestamp so that files
going to .iso or custom images have proper timestamps (rsync with
appropriate --modify-window now works)
|
|
|
|
the problem is that var/lock is on root installs symlink to /run/lock
(on tmpfs) and does not exist if doing chroot() to that root. fixes
apk to work when chrooted to existing rootfs install.
|
|
fixes #4261
|
|
so valgrind does not report any leaks
|
|
resolve reverse dependencies after all packages have been loaded,
and avoid traversing the reverse name lists. now that we use
automatic virtual packages (soname, pkg-config, etc.) the reverse
dependency chains can become considerable longer than what it was
when the rdependency construction code was originally written.
|
|
commit 941fc1b1 uncovered a bug that directory permissions are
not updated properly at db load time if it's the default acl.
|
|
the security implications are not as high as compared to regular
tar/unzip archiver. this is because you are anyway trusting
the package to install files anywhere in the filesystem.
this serves rather as a sanity to check against errors in created
package.
|
|
forgot to --amend my changes
|
|
user xattrs on tmpfs are not supported no non-grsec kernels,
and many times root fs is mounted without user_xattr. Thus
to allow things to go smoothly on non-grsec kernels xattr
unsupported errors are now hidden.
xattrs can be fixed still now with "apk fix --xattrs"
|
|
use ERR_PTR mechanism, and handle it at all places.
|
|
apk in alpine 3.1 already supports this optimization, but kept
the database format. now is time to start using this feature.
|
|
fixes #4040
|
|
ref #3027
|
|
|
|
|
|
|
|
Package pinning was first implemented with 'p' tag. However, it
was before any release renamed to 's', and 'p' was reserved for
package provides support for which is used now.
|
|
using space was for backwards compatibility with apk-tools 2.2.2
and earlier (from January 2012)
|
|
the location changed in apk-tools 2.1.0 (March 2011) which was
used in Alpine Linux 2.2.
|
|
In case all applet arguments are packages names (that is are not
including wildcards), return error if they do not match to some
package.
|
|
Allows running apk as an unprivileged user, e.g. with fakeroot.
Opening the lock file fails without the write permission.
|
|
there are only few combinations for that triplet, and they
occur multiple times reducing the struct sizes a bit. make
sane defaults and prepare to not write defaults to disk
to reduce on-disk installed db size.
|
|
|
|
|
|
|
|
fixes #3371
|
|
Apk used to reset directory permissions always, but this is undesirable
if user has modified the permissions - especially during tmpfs boot.
Though, it is desirable to update the permissions when packaging has
changed permissions, or a new package is installed and the merged
permission mask / owner changes.
Thus the new code updates the permissions only if:
1) We are booting and directory is not in apkovl
2) The directory is modified by a package install/remove/upgrade
3) The filesystem directory permission matched database
Additionally "apk fix --directory-permissions" can be used to reset
all directory permissions to the database defaults.
Fixes #2966
|
|
Allows one arch index files to refer to other arch packages. Mostly
useful with noarch packages, but could be used e.g. to ship build
with some of packages optimized for specific cpu generation and
share most packages with the standard build.
|
|
It's real only if there's a package with actual dependency
(conflicts and install_if dependencies do not count).
|
|
allow packages in the cache's installed to be selected for installation
by the solver. add test case for the issue.
|
|
basically this makes packager's life simpler as there is no need
to list the subpkg names in replaces. this was also very error
prone and tedious job to do properly.
|
|
This implements a new protected path flag '!' to include always
matching entries in the backup mode (overlay). This is also turned
on for etc/apk to include everything there in overlay, because
the full list of repositories and signing keys need to be in
overlay - just getting them from a package is not enough during
bootstrap.
|
|
|
