| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
A crafted .apk file could to trick apk writing unverified data to
an unexpected file during temporary file creation due to bugs in handling
long link target name and the way a regular file is extracted.
Several hardening steps are implemented to avoid this:
- the temporary file is now always first unlinked (apk thus reserved
all filenames .apk.* to be it's working files)
- the temporary file is after that created with O_EXCL to avoid races
- the temporary file is no longer directly the archive entry name
and thus directly controlled by potentially untrusted data
- long file names and link target names are now rejected
- hard link targets are now more rigorously checked
- various additional checks added for the extraction process to
error out early in case of malformed (or old legacy) file
Reported-by: Max Justicz <max@justi.cz>
(cherry picked from commit 6484ed9849f03971eb48ee1fdc21a2f128247eb1)
|
|
Most applets return whatever apk_solver_commit() returns. It is the
number of errors found (or negative for hard error). Sanitize the
error value to not give false success exit code in the unlikely case
of errors % 256 == 0.
Reported-by: Max Justicz <max@justi.cz>
(cherry picked from commit 7b654e125461b00bc26e52b25e6a7be3a32c11b9)
(cherry picked from commit 7c90fd0529c0358dd04cab0fce506e8a8b191506)
|
|
(cherry picked from commit 1d55b9488f2d9c6d367fa7f21b058466c24f3ad1)
|
|
(cherry picked from commit 2f3c8420493a731556909eb3ebd6d50478fb7b24)
|
|
(cherry picked from commit ca368916e0333bf24cdcbdbe42130ec6a92c3f6e)
|
|
Detect properly if the file stream gets an error during these
read operations.
Reported-by: Ariel Zelivansky from Twistlock
(cherry picked from commit cd531aef3033475c26f29a1f650a3bf392cc2daa)
|
|
The value from tar header is unsigned int; keep it casted to
unsigned int and size_t instead of (signed) int, otherwise
the comparisons fail to do their job properly. Additionally check
entry.size against SSIZE_MAX so the rounding up later on is
guaranteed to not overflow.
Fixes CVE-2017-9669 and CVE-2017-9671.
Reported-by: Ariel Zelivansky from Twistlock
(cherry picked from commit 286aa77ef1811e477895713df162c92b2ffc6df8)
|
|
It is unreasonable to assume that all package writers would except
to reset umask themselves. It's done currently in most packages,
but we had first issue of this kind recently, so better just reset
umask.
|
|
trigger it only if apk-tools can be upgrade, add test cases
|
|
|
|
|
|
|
|
print license with the --license option.
|
|
Make it possible to individually override openssl, zlib and libfetch
cflags and linker flags. This makes it possible to build apk-tools
without having pkg-config installed.
|
|
fixes #5656
|
|
it's only used to speed up things, and having it non-existant
is not a fatal error - all included things in index will be
passed in command line anyway
|
|
|
|
|
|
|
|
which will delete any .apk package on output directory that were
not downloaded by fetch
this allows apk fetch to incrementally build repositories for
binary images
|
|
don't overwrite the link_target if it was found from pax header.
ref #5076
|
|
- self-conflicts when the exact same version of a name is provided
twice is now properly detected and diagnozed
- don't print redundant satisfies diagnostic
|
|
|
|
Implement --no-cache. The index is read directly from network and not
cached. This is useful for docker, where you install a set of packages
and directly after purge the cache. (see
https://github.com/gliderlabs/docker-alpine/blob/1fc9e59d1689fc4eaf930ec66389fe58062fccec/builder/scripts/apk-install)
fixes #4905
|
|
|
|
|
|
preserve [am]time for all packages and indexes. this fixes the caching
error that 'apk update' is after new index is generated, but before
the used mirror is synchronized. this caused local apkindex timestamp
to be newer than file in mirror, when in fact it was outdated index.
this also fixes fetched files to have build timestamp so that files
going to .iso or custom images have proper timestamps (rsync with
appropriate --modify-window now works)
|
|
fixes #4770
apk_name_foreach_matching() can matches each package via it's
main name and all it's provides. Print matched packages only once.
|
|
We need fall back to a splice buffer if posix_fallocate call fails due
to file being a device (eg tty) or a pipe. This fixes apk fetch --stdout.
|
|
|
|
|
|
ftruncate does not allocate it, and subsequent access to mmaped
file will result in SIGBUS. this fixes to properly report disk
full errors.
|
|
the problem is that var/lock is on root installs symlink to /run/lock
(on tmpfs) and does not exist if doing chroot() to that root. fixes
apk to work when chrooted to existing rootfs install.
|
|
fixes #4261
|
|
|
|
|
|
so valgrind does not report any leaks
|
|
|
|
|
|
it's a hot path for decoding checksums in fdb
|
|
it is more efficient than the previously used djb hash
|
|
resolve reverse dependencies after all packages have been loaded,
and avoid traversing the reverse name lists. now that we use
automatic virtual packages (soname, pkg-config, etc.) the reverse
dependency chains can become considerable longer than what it was
when the rdependency construction code was originally written.
|
|
|
|
commit 941fc1b1 uncovered a bug that directory permissions are
not updated properly at db load time if it's the default acl.
|
|
In practice this should fix to e.g. not wipe out /etc/apk/world if
final flush to /etc/apk/world.new fails.
This was prompted by an incident the other day where I ran the root
partition of an Alpine box out of space using 'apk add', and apk
helpfully wiped the contents of /etc/apk/world at the same time.
It might be tricky to try to reproduce exactly the same failure,
but from an examination of the code, setting 'rc' before the final
call to fdo_flush rather than after is one possible cause of this
behavior. (If the entire contents of /etc/apk/world.new are buffered,
and all get written out in the final fdo_flush call, and that call
fails, fdo_close will still happily rename /etc/apk/world.new to
/etc/apk/world.)
|
|
the security implications are not as high as compared to regular
tar/unzip archiver. this is because you are anyway trusting
the package to install files anywhere in the filesystem.
this serves rather as a sanity to check against errors in created
package.
|
|
the allows update-kernel script to work on tmpfs install before
cache is configured.
|
|
forgot to --amend my changes
|
|
fetch_maperror() translates error codes returned by libfetch to our error
codes. Handle those in apk_error_str(), returning error messages which
advise the user of the most likely fix.
A custom error code, EAPKSTALEINDEX, has been added for cases where
retrieving a package fails due to a HTTP error 404 or similar.
[TimoT: add also EAPKBADURL, as well as organize a bit better where the
EAPKSTALEINDEX is generated]
|
|
According to the C standards, uint32_t is defined in stdint.h.
Presumably apk is usually built against C libraries where
stdint.h is indirectly included through another header file,
but this isn't the case with the version of glibc which I am using.
|
