Age | Commit message | Author | Files | Lines |
|
A crafted .apk file could trick apk into writing unverified data to
an unexpected file during temporary file creation due to bugs in handling
a long link target name and the way a regular file is extracted.
Several hardening steps are implemented to avoid this:
- the temporary file is now always first unlinked (apk thus reserves
all filenames .apk.* as its working files)
- the temporary file is after that created with O_EXCL to avoid races
- the temporary file is no longer directly the archive entry name
and thus directly controlled by potentially untrusted data
- long file names and link target names are now rejected
- hard link targets are now more rigorously checked
- various additional checks added for the extraction process to
error out early in case of malformed (or old legacy) file
Reported-by: Max Justicz <max@justi.cz>
|
|
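The hardening sequence described in the commit above, as an added example in C that is not apk-tools code: the temporary name is a fixed pattern never derived from the archive entry name, it is unlinked and then created with O_EXCL, over-long or traversing entry names and link targets are rejected up front, and the file is only renamed into place once its data has been verified. The function names, the 255-byte name limit and the scratch directory under /tmp are assumptions made for this example.

```c
/* Added example, not apk-tools code. Shows the temp-file hardening from the
 * commit above: a temp name never derived from the entry name, unlink then
 * O_EXCL create, rejection of over-long or traversing names and link
 * targets, and rename into place only after the data is verified.
 * Function names and the 255-byte limit are assumptions. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

#define MAX_NAME_LEN 255
#define PATH_BUF     4096

/* Does any '/'-separated component of name equal ".."? */
static int has_dotdot_component(const char *name)
{
    for (const char *p = name; ; p = strchr(p, '/') + 1) {
        size_t n = strcspn(p, "/");
        if (n == 2 && p[0] == '.' && p[1] == '.') return 1;
        if (p[n] == '\0') return 0;
    }
}

/* Same rule for entry names and hard/symlink targets: relative, bounded
 * length, no ".." component. */
int is_name_ok(const char *name)
{
    size_t len = name ? strlen(name) : 0;
    if (len == 0 || len > MAX_NAME_LEN || name[0] == '/') return 0;
    return !has_dotdot_component(name);
}

/* Write everything, retrying on short writes and EINTR. */
static int write_all(int fd, const char *p, size_t n)
{
    while (n > 0) {
        ssize_t w = write(fd, p, n);
        if (w < 0 && errno == EINTR) continue;
        if (w < 0) return -1;
        p += w; n -= (size_t)w;
    }
    return 0;
}

/* Extract one entry into dir. checksum_ok stands in for the verification a
 * real extractor performs while streaming. Returns 0 when the file was
 * installed, 1 when discarded as unverified, -1 on error (errno set). */
int safe_write_entry(const char *dir, const char *entry,
                     const void *data, size_t len, int checksum_ok)
{
    static unsigned counter;   /* temp names are .apk.<n>, never the entry name */
    char final_path[PATH_BUF], tmp_path[PATH_BUF];
    int fd, rc;

    if (!is_name_ok(entry)) { errno = EINVAL; return -1; }
    if (snprintf(final_path, PATH_BUF, "%s/%s", dir, entry) >= PATH_BUF ||
        snprintf(tmp_path, PATH_BUF, "%s/.apk.%u", dir, counter++) >= PATH_BUF) {
        errno = ENAMETOOLONG; return -1;
    }
    /* Reserve the name: drop any stale file, then create exclusively so a
     * pre-existing symlink or a race cannot redirect the write. */
    if (unlink(tmp_path) < 0 && errno != ENOENT) return -1;
    fd = open(tmp_path, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd < 0) return -1;
    rc = write_all(fd, data, len);
    if (close(fd) < 0) rc = -1;
    if (rc == 0 && checksum_ok)
        rc = rename(tmp_path, final_path);   /* atomic replace of the target */
    if (rc != 0 || !checksum_ok) {
        unlink(tmp_path);                    /* never leave unverified data behind */
        return rc == 0 ? 1 : -1;
    }
    return 0;
}

/* Helpers for exercising the above (scratch dir under /tmp is constructed). */
int make_scratch_dir(char *buf, size_t cap)
{
    if (snprintf(buf, cap, "/tmp/apk-tmpfile-demo-%ld", (long)getpid()) >= (int)cap)
        return -1;
    return (mkdir(buf, 0700) == 0 || errno == EEXIST) ? 0 : -1;
}

int file_exists(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0;
}

long read_small_file(const char *path, char *buf, size_t cap)
{
    int fd = open(path, O_RDONLY);
    ssize_t n = fd < 0 ? -1 : read(fd, buf, cap);
    if (fd >= 0) close(fd);
    return (long)n;
}
```

The order matters: unlinking first and then creating with O_EXCL means a symlink or stale file planted at the working name cannot be followed, and because the working name is chosen by the extractor rather than taken from the archive, untrusted entry names never decide where bytes land. Renaming into place only after the checksum passes is what keeps a corrupted or tampered entry from ever overwriting the real target.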
This reduces function pointers in heap, and unifies how the
io functions are called.
|
|
preserve [am]time for all packages and indexes. this fixes the caching
error when 'apk update' is run after a new index is generated, but before
the used mirror is synchronized. this caused the local apkindex timestamp
to be newer than the file in the mirror, when in fact it was an outdated index.
this also fixes fetched files to have the build timestamp so that files
going to .iso or custom images have proper timestamps (rsync with
appropriate --modify-window now works)
|
|
The boundary callback should not happen until all the uncompressed
data has been consumed. This previously seems to have worked
because normally the gzip library returns "no error" instead of
"stream end" if we extract exactly the amount of bytes remaining
in the archive. (Perhaps this was changed in new zlib.) In any
case, verification was broken with some apks due to this callback
ordering issue.
|
|
* prunes the child pid to avoid zombies
* handles the errors so e.g. file-not-found is reported properly
|
|
also have the output stream support writing to a temporary file
and do renameat/unlinkat on close depending on whether all writes
succeeded or not.
|
|
smaller callback and less cases to check. also reintroduce the
oneshot digest flag, hopefully correct this time.
|
|
- extract everything as .apk-new and overwrite only after data
has been checksummed
- url construction fixes (to work with simple http servers)
- end of gunzip stream fixed
- remove oneshot digesting flag for now as its usage was broken
|
|
the unflushed data when closing a file can be several thousand kilos;
loop until all of it is written out.
|
|
speeds up digest calculation in some cases.
|
|
that got broken during the verify implementation.
|
|
change the index generation to do the old index, or the new-style index
where package identity is the sha1 of the control block and it is contained
within a .tar.gz to allow signing in future.
|
|
some fixes on index reading code too.
|
|
in future we want to checksum on a gzip boundary basis, not the
full file.
|
|
allow .apk to consist of multiple separate gzip streams which
are just concatenated together.
|
|
Checksum of installed is computed on the fly when extracting them
and it'll be saved to fdb. When installing config files those are
diverted with suffix .apk-new if an earlier version of the same file with
local changes exists.
|
|