Age | Commit message (Collapse) | Author | Files | Lines |
|
While commit 18b0b45 (io: Handle long lines, Thu Jan 7 17:25:23 2021
+0100) did attempt to address this issue, the buffer really is still too
small when dealing with big-big dependency lists.
Let's make it sufficiently large for now, until the new APKINDEX format
can support multi-line dependencies, making this not needed any more.
[TT: Originally the buffer size was conservative to run on resource
constrained embedded platforms. But since the available memory on those
has also increased much, the adjustment to 128kB makes sense also to
increase performance a little bit. Backported to 2.10-stable.]
Signed-off-by: Olliver Schinagl <oliver@schinagl.nl>
|
|
Packages containing files with path names longer than 1024 characters
cannot fit into the buffer which is used to write the "installed" database.
This leads to bbuf being APK_BLOB_NULL in apk_db_write_fdb because
apk_blob_push_blob notices the condition and correctly handles it.
The problem occurs when arguments to apk_ostream_write are manually
calculated by pointer arithmetic. Since bbuf.ptr is NULL in such a
case, bbuf.ptr - buf leads to a huge size value while buf still points
into the stack.
fixes #10751
[TT: minor edit to commit and abbreviating the commit message]
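
The failure mode this commit message describes, as an added example that is not apk-tools code: a push helper nulls the write cursor on overflow, and the written length is then derived from that cursor. The `blob`, `blob_push`, `len_unchecked` and `format_entry` names and the "F:" record are hypothetical stand-ins; only the 1024-byte buffer size comes from the message.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BUFSZ 1024 /* buffer size named in the commit message */

/* Hypothetical (ptr, len) write cursor; not apk's own type. */
struct blob { char *ptr; size_t len; };
struct result { long checked; size_t unchecked; };

/* Append n bytes; on overflow the cursor becomes the null blob {NULL, 0}. */
static void blob_push(struct blob *to, const char *src, size_t n)
{
    if (to->ptr == NULL) return;
    if (n > to->len) { to->ptr = NULL; to->len = 0; return; }
    memcpy(to->ptr, src, n);
    to->ptr += n;
    to->len -= n;
}

/* Unchecked length, as in the bug. Computed on integers so the demo stays
 * well defined; with a null cursor the result wraps to a huge value. */
static size_t len_unchecked(const struct blob *b, const char *buf)
{
    return (size_t)((uintptr_t)b->ptr - (uintptr_t)buf);
}

/* Format the constructed record "F:" + name_len x 'a' + "\n". */
static struct result format_entry(size_t name_len)
{
    char buf[BUFSZ], name[4096];
    struct blob b = { buf, sizeof buf };
    struct result r = { -1, 0 };

    if (name_len > sizeof name) return r;
    memset(name, 'a', name_len);
    blob_push(&b, "F:", 2);
    blob_push(&b, name, name_len);
    blob_push(&b, "\n", 1);
    r.unchecked = len_unchecked(&b, buf);
    /* Checked path: derive a length only from a cursor that is still valid. */
    if (b.ptr != NULL) r.checked = (long)(b.ptr - buf);
    return r;
}

int main(void) { return format_entry(2000).checked == -1 ? 0 : 1; }
```

A caller that passes the unchecked value to a write routine would be asked to write far more than `BUFSZ` bytes starting at a stack address; the checked path reports the overflow instead.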
|
|
|
|
|
|
The progress bar requires the terminal emulator to support ANSI escape
sequences. Normally, TERM is set to dumb to indicate that the terminal
emulator doesn't support any ANSI escape sequences. Attempting to use
ANSI escape sequences on dumb terminals will lead to weird output. In
order to make apk work by default, even on dumb terminals, this commit
introduces an additional check which consults $TERM and disables the
progress bar if it is set to "dumb".
[TT: backported to 2.12]
|
|
The original intent was to choose packages to which there are the most
dependencies. However, since the code has evolved this has been
mostly obsolete. And in fact now interferes with the provides and
provides priority mechanism. Remove this as obsolete.
Fixes #10742
|
|
Modify apk_resolve_[ug]id to take the user/groupname as a blob, so
proper length checking is done and honored.
==31584== Conditional jump or move depends on uninitialised value(s)
==31584== at 0x5C8CA5: strlen (strlen.c:17)
==31584== by 0x432575: APK_BLOB_STR (apk_blob.h:79)
==31584== by 0x4350EB: apk_resolve_uid (io.c:1112)
==31584== by 0x43696C: apk_tar_parse (io_archive.c:152)
==31584== by 0x4271BC: apk_pkg_read (package.c:929)
==31584== by 0x402D75: add_main (app_add.c:163)
==31584== by 0x40D5FF: main (apk-static.c:516)
Fixes a potential crash (DoS) on a crafted TAR file. CVE-2021-30139.
Reported-by: Sören Tempel <soeren+git@soeren-tempel.net>
Reviewed-by: Ariadne Conill <ariadne@dereferenced.org>
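
The bug class behind the strlen() trace above, as an added example that is not apk-tools code: a fixed-width name field read as a C string versus as a (pointer, length) pair. The 32-byte `uname`/`gname` widths are those of the POSIX ustar header; the user table, fallback uid and all function names are hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* Owner-name fields of a POSIX ustar header: fixed 32-byte arrays that a
 * writer may fill completely, leaving no terminating NUL. */
struct ustar_owner { char uname[32]; char gname[32]; };

/* Constructed user table standing in for a passwd lookup. */
static const struct { const char *name; unsigned uid; } users[] = {
    { "root", 0 }, { "build", 1000 },
};

/* Length of a fixed-width field, never reading past width bytes. */
static size_t field_len(const char *field, size_t width)
{
    const char *nul = memchr(field, '\0', width);
    return nul ? (size_t)(nul - field) : width;
}

/* Resolve a name given as (pointer, length) instead of as a C string. */
static unsigned resolve_uid(const char *name, size_t len, unsigned fallback)
{
    for (size_t i = 0; i < sizeof users / sizeof users[0]; i++)
        if (strlen(users[i].name) == len &&
            memcmp(users[i].name, name, len) == 0)
            return users[i].uid;
    return fallback;
}

/* How far a strlen()-style scan from uname runs, modelled as a scan
 * bounded by the struct so that the demo itself stays well defined. */
static size_t unbounded_scan_len(const struct ustar_owner *o)
{
    return field_len((const char *)o, sizeof *o);
}

/* Constructed input: uname is 32 x 'A' with no NUL, gname is "wheel". */
static const struct ustar_owner *crafted_owner(void)
{
    static struct ustar_owner o;
    memset(&o, 0, sizeof o);
    memset(o.uname, 'A', sizeof o.uname);
    memcpy(o.gname, "wheel", 5);
    return &o;
}

int main(void) { return unbounded_scan_len(crafted_owner()) == 37 ? 0 : 1; }
```

With the constructed input the unbounded scan runs five bytes into `gname`; in a real parser it continues into whatever follows the field until a zero byte turns up, which is the read the trace above flags.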
|
|
apk_dir_foreach_file and apk_resolve_[ug]id need to free the fd in
case fdopen/fdopendir fails. Additionally this does not rely on fdopen
to fail if openat() returned -1, making sure that we don't call any
syscalls with an invalid file handle.
(cherry picked from commit 3c339a74d1b9dba23d60d6c769d99227d75cc6dc)
|
|
If we use default root (/), then we do not have to chroot to run scripts.
Use APK_NO_CHROOT flag for this scenario to avoid the chroot. This helps
with using apk with bwrap and OSTree.
Closes #10736.
[TT: backported to 2.12-stable]
(cherry picked from commit 73504fb7ab2bb659660dae7e1cafab0cfedeb13d)
|
|
The code assumed that when a package is in world, it would be there
by its primary name. The code is now updated to properly print the
package names that are actually present in world.
fixes #10718
(cherry picked from commit ff0ea8265f0621995b94b69416e2a1709f1cbec6)
|
|
fixes #10737
(cherry picked from commit ab7b8e3c995eb5a05ddbaa4546cd16a10da2d836)
|
|
Especially a newline can produce havoc in the database file as
the filename is written there as-is. This hardens the extraction
to consider any control character as malicious. Additional
hardening is added to database loading to better detect corrupt
state and return proper error code about it.
Reported-by: Luca Weiss <luca@z3ntu.xyz>
(backported from commit c1594f60770483625891541375a074fe07338401)
|
|
(cherry picked from commit 3890035c21e40aca7d5360bfc40e4b7ab9f10c50)
|
|
On some systems the `/var/` dir is mounted in a tmpfs which is reset
after each reboot. For that reason no post-install script can handle the
creation of the cache dir at `/var/cache/apk`.
Check on database opening if the folder is available, if not create it.
Fixes #10715
Signed-off-by: Paul Spooren <mail@aparcar.org>
(cherry picked from commit dac30d50497214c8722a57ee1ae8d3c369babe38)
|
|
fixes #10710
(cherry picked from commit 6cedfe27ac566e7de7d0c24778c4280e8311bbec)
|
|
fixes #10703
(cherry picked from commit 8a794021c42baf8e1c12ae5e8e8313b66443002e)
|
|
(cherry picked from commit c269e9c24da57ab1b69ad6c80e9a1cb52b2b67d2)
|
|
Fixes #10686 to not use uninitialized value in the error paths.
(cherry picked from commit 7b76182f39c4b42f4bb498b7cc75384a36afd855)
|
|
Some screen sizes are quite small. For example, the default phosh
terminal is less than 50 characters wide on Pinephone. This lowers the minimum
loading bar size to 25 characters.
For comparison, 25 characters wide is just as wide as "apk add firefox
linux-lts" without the quotes.
Here's a bad picture to illustrate the result
gitlab.alpine.org/uploads/48c20f746fbf685b62b6bd73585ecbf2/pinephone-phosh.png
(cherry picked from commit e8522411c1b410c87049e9b77b391caf2f158be7)
|
|
fixes #10677
src/apk_defines.h:152:15: error: unknown type name 'uint32_t'
static inline uint32_t get_unaligned32(const void *ptr)
^~~~~~~~
(cherry picked from commit a9916c2d4a14a509daf7e3bc73faee3a8134071f)
|
|
(cherry picked from commit c054fbc11e9beca0d45285c3e1f448c81416c5ce)
|
|
- do not do unaligned accesses on non-x86 hardware
- clean up the code a little bit
(cherry picked from commit 3694dc5fa2660e2b241d706ec1672beb0a9c24b8)
|
|
Related to MR !15
(cherry picked from commit d60477751f374a2d58dc73f64dca4ff95ea39a00)
|
|
Instead, to make sure test mode produces same output, redefine
time() for the test mode binary.
Reverts parts of 0b82bcc53e60.
(cherry picked from commit 45d313c51cbae20bce0789db86ba82ff79c9b202)
|
|
(cherry picked from commit 6fae74e1daeb59f789456dcc816b089e601809fd)
|
|
The non-wildcard version of the function is case-sensitive anyway.
(cherry picked from commit 7e2e440d4c7c51bff3ffb83ad3fd29d7b6088e32)
|
|
(cherry picked from commit 3cd7d1e077ad945dfe789a6e2a337ec8849fc342)
|
|
(cherry picked from commit e39334e44f723b0a1d1036f354c5d8f5d0a12377)
|
|
Fixes #8360
|
|
|
|
This reverts commit d379edd5bf960de8089b9f2083fc6f14b79e7bba.
Requested multiple times. Let's enable this for now. For v3.0,
we reconsider which applets to keep and remove the ones not needed.
|
|
Fixes #10662
|
|
|
|
|
|
When unpacking a file that is in root, it got a temporary file
name /.apk... however if the --root option was used it should
have the name root/.apk... otherwise unpacking will fail if the
user does not have write access to /.
Signed-off-by: Fredrik Gustafsson <fredrigu@axis.com>
|
|
|
|
Since 37fbafcd928c466c82c892a7868d686d710e5d07 the tests haven't worked
since a string on the stack was added as version for a virtual package.
Instead create the version string on the heap and then simply leak it.
A short running program as apk shouldn't need to worry about memory
leaks.
|
|
Fixes 37fbafcd by adding more input to the hash than just second
grained time stamp - collisions would happen when running apk
scripted.
For virtual package the hash works only as unique identifier, so
try to add elements that should make it unique in most cases.
Fixes #10648
|
|
Add also some testing to make sure help, long help and handling
of invalid arguments works as expected.
Based on pull request #19 originally by Laurent Arnoud (@spk).
|
|
The return -1 seems to have been left over from earlier code, and
could have been treated as -EPERM. This helps to fix the other command
line handling that potentially requires changing.
|
|
Notably this fixes occasional issues when doing upgrade with multiple
versions of same packages. Without this the upgrade flag is not always
propagated properly down the dependency chain.
|
|
fixes test suite regression from previous commit
|
|
Originally the virtual packages could have dependencies added to it.
However, commit b06e3b99 broke this behaviour to fix error reporting.
The root cause however was that the virtual dependency package was not
properly versioned.
This fixes to use current date/time as the package version, and
constructs the "faked" package hash from it. This effectively makes
"add -t virtpkg deps.." replace the dependencies which should be the
desired behaviour for "abuild deps".
'world' dependency to the generated virtual package is also now
versioned to make sure it gets upgraded.
|
|
|
|
BIT(1) corresponds with decimal 2, which is the first available repository.
Before this fix, `apk list -O` would list every package installed from the
first available repository, which is the 'system' repository on most Adélie
Linux computers.
After this fix, `apk list -O` correctly lists only the packages which are
no longer available.
|
|
error: 'strncpy' specified bound 4096 equals destination size [-Werror=stringop-truncation]
Based on patch by Elan Ruusamäe <glen@delfi.ee>
|
|
|
|
Give error message for `apk fetch --recursive missing`
|
|
This reverts commit 358f703b76ece639e5d3634f677e0b345b1b9f89.
The short option -s conflicts with info --size and fetch --stdout.
Revert this for now.
|
|
|