apt, branch 2.1.2 Debians commandline package manager https://git.kalnischkies.de/apt/atom?h=2.1.2 2020-05-13T20:05:05Z Release 2.1.2, take 2 2020-05-13T20:05:05Z Julian Andres Klode julian.klode@canonical.com 2020-05-13T20:05:05Z urn:sha1:fb6366c55faff93bd7c897d2f299d38c4acf5e89 Fix location of testdeb in added regression tests 2020-05-13T20:04:13Z Julian Andres Klode julian.klode@canonical.com 2020-05-13T08:51:10Z urn:sha1:3368ae121112405259288c9139a300dc0cac31fe Release 2.1.2 2020-05-12T20:50:39Z Julian Andres Klode julian.klode@canonical.com 2020-05-12T09:58:00Z urn:sha1:7c9c2205c51211c0d0b815b7991fb5f9e3490341 SECURITY UPDATE: Fix out of bounds read in .ar and .tar implementation (CVE-2020-3810) 2020-05-12T16:55:55Z Julian Andres Klode julian.klode@canonical.com 2020-05-12T09:49:09Z urn:sha1:dceb1e49e4b8e4dadaf056be34088b415939cda6 When normalizing ar member names by removing trailing whitespace and slashes, an out-out-bound read can be caused if the ar member name consists only of such characters, because the code did not stop at 0, but would wrap around and continue reading from the stack, without any limit. Add a check to abort if we reached the first character in the name, effectively rejecting the use of names consisting just of slashes and spaces. Furthermore, certain error cases in arfile.cc and extracttar.cc have included member names in the output that were not checked at all and might hence not be nul terminated, leading to further out of bound reads. Fixes Debian/apt#111 LP: #1878177 Dutch program translation update 2020-05-10T16:37:35Z Frans Spiesschaert Frans.Spiesschaert@yucom.be 2020-05-10T16:37:35Z urn:sha1:3e7ffa3c1e1afde99182fd4cc91b5536ed8a11da Closes: #960186 Release 2.1.1 2020-05-08T16:03:47Z Julian Andres Klode julian.klode@canonical.com 2020-05-08T16:02:59Z urn:sha1:234fc02515642a1c9301a94d87b149d8a92fae7a Use "po4a --porefs file" instead of undocumented compat noline 2020-05-08T14:38:20Z David Kalnischkies david@kalnischkies.de 2020-05-08T14:38:20Z urn:sha1:fd47da4e86f0177c142c882a4bd148cf562769a3 References: https://github.com/mquinson/po4a/commit/329f472a378d42c7a33e8110e5091be61480a0fc Drop nowrap from po4a --porefs as it is no longer supported 2020-05-08T14:34:36Z David Kalnischkies david@kalnischkies.de 2020-05-08T14:34:36Z urn:sha1:94ea8e66ca6d2794943aca659a53dd074bb9e4d0 Upstream says it had no effect before, so it seems safe to adapt. References: https://github.com/mquinson/po4a/commit/ac1e97305b6073ed87fa8cf0a2e32f9b1255d0f1 Fix typo in Polish translation of --help messages 2020-05-08T14:19:55Z Artur Grącki arteq@arteq.org 2020-05-08T14:15:58Z urn:sha1:d0e46fe7e8562953ced76fe938fb5ff1f0774be7 Also translating two related strings along the way. References: https://github.com/Debian/apt/pull/107 Allow aptitude to MarkInstall broken packages via FromUser 2020-05-08T13:52:14Z David Kalnischkies david@kalnischkies.de 2020-05-08T10:38:02Z urn:sha1:30fa50e8d593556553147478a2d5ea7a550f9e16 apt marks packages coming from the commandline among others as protected to ensure the various resolver parts do not fiddle with the state of these packages. aptitude (and potentially others) do not so the state is modified (to a Keep which for uninstalled means it is not going to be installed) due to being uninstallable before the call fails – basically reverting at least some state changes the call made before it realized it has to fail, which is usually a good idea, except if users expect you to not do it. They do set the FromUser option though which has beside controlling autobit also gained the notion of "the user is always right" over time and can be used for this one here as well preventing the state revert. References: 0de399391372450d0162b5a09bfca554b2d27c3d Reported-By: Jessica Clarke <jrtc27@debian.org> on IRC