<feed xmlns='http://www.w3.org/2005/Atom'>
<title>apt/apt-pkg/contrib, branch 1.4.3</title>
<subtitle>Debian's commandline package manager</subtitle>
<id>https://git.kalnischkies.de/apt/atom?h=1.4.3</id>
<link rel='self' href='https://git.kalnischkies.de/apt/atom?h=1.4.3'/>
<link rel='alternate' type='text/html' href='https://git.kalnischkies.de/apt/'/>
<updated>2017-03-19T13:32:59Z</updated>
<entry>
<title>Fix and avoid quoting in CommandLine::AsString</title>
<updated>2017-03-19T13:32:59Z</updated>
<author>
<name>David Kalnischkies</name>
<email>david@kalnischkies.de</email>
</author>
<published>2017-03-19T12:53:33Z</published>
<link rel='alternate' type='text/html' href='https://git.kalnischkies.de/apt/commit/?id=2ce15bdeac6ee93faefd4b42b57f035bef80c567'/>
<id>urn:sha1:2ce15bdeac6ee93faefd4b42b57f035bef80c567</id>
<content type='text'>
In the intended usecase where this serves as a hack there is no problem
with double/single quotes being present as we write it to a log file
only, but nowadays our calling of apt-key produces a temporary config
file containing this "setting" as well and suddenly quoting is
important as the config file syntax is allergic to it.

So the fix is to ignore all quoting whatsoever in the input and just
quote (with singles) the option values with spaces. That gives us 99% of
the time the correct result and the 1% where the quote is an integral
element of the option … doesn't exist – or has bigger problems than a
log file not containing the quote. Same goes for newlines in values.

LP: #1672710
</content>
</entry>
<entry>
<title>Don't use -1 fd and AT_SYMLINK_NOFOLLOW for faccessat()</title>
<updated>2017-02-11T21:17:08Z</updated>
<author>
<name>Julian Andres Klode</name>
<email>jak@debian.org</email>
</author>
<published>2017-02-11T21:17:08Z</published>
<link rel='alternate' type='text/html' href='https://git.kalnischkies.de/apt/commit/?id=25f54c960d7a4ceca7bd3e21f87baf48d6cbc2d3'/>
<id>urn:sha1:25f54c960d7a4ceca7bd3e21f87baf48d6cbc2d3</id>
<content type='text'>
-1 is not an allowed value for the file descriptor, the only
allowed non-file-descriptor value is AT_FDCWD. So use that
instead.

AT_SYMLINK_NOFOLLOW has a weird semantic: It checks whether
we have the specified access on the symbolic link. It also
is implemented only by glibc on Linux, so it's inherently
non-portable. We should just drop it.

Thanks: James Clarke for debugging these issues
Reported-by: James Clarke &lt;jrtc27@jrtc27.com&gt;
</content>
</entry>
<entry>
<title>avoid malloc if option whitelist is disabled (default)</title>
<updated>2017-01-27T20:06:09Z</updated>
<author>
<name>David Kalnischkies</name>
<email>david@kalnischkies.de</email>
</author>
<published>2017-01-27T11:30:13Z</published>
<link rel='alternate' type='text/html' href='https://git.kalnischkies.de/apt/commit/?id=2f8f58512dbb478f23149b57d33f788c26c04445'/>
<id>urn:sha1:2f8f58512dbb478f23149b57d33f788c26c04445</id>
<content type='text'>
Config options are checked in various paths, so making "useless" memory
allocations wastes time and can also cause problems like #852757.
The unneeded malloc was added in ae73a2944a89e0d2406a2aab4a4c082e1e9da3f9.
(We have no explicit malloc here – it's std::string doing this internally)
</content>
</entry>
<entry>
<title>fix various typos reported by spellintian</title>
<updated>2017-01-19T14:59:38Z</updated>
<author>
<name>David Kalnischkies</name>
<email>david@kalnischkies.de</email>
</author>
<published>2017-01-19T14:14:19Z</published>
<link rel='alternate' type='text/html' href='https://git.kalnischkies.de/apt/commit/?id=93cff633a830e222693fc0f3d78e6e534d1126ee'/>
<id>urn:sha1:93cff633a830e222693fc0f3d78e6e534d1126ee</id>
<content type='text'>
Most of them in (old) code comments. For the two instances of user visible
string changes the po files of the manpages are fixed up as well.

Gbp-Dch: Ignore
Reported-By: spellintian
</content>
</entry>
<entry>
<title>fix various typos reported by codespell</title>
<updated>2017-01-19T14:59:38Z</updated>
<author>
<name>David Kalnischkies</name>
<email>david@kalnischkies.de</email>
</author>
<published>2017-01-19T12:41:25Z</published>
<link rel='alternate' type='text/html' href='https://git.kalnischkies.de/apt/commit/?id=99b1cdd3a07576542c8bda40d93368f3f76db912'/>
<id>urn:sha1:99b1cdd3a07576542c8bda40d93368f3f76db912</id>
<content type='text'>
Nothing in user visible strings.

Gbp-Dch: Ignore
Reported-By: codespell
</content>
</entry>
<entry>
<title>strutl: Provide an APT::String::Join() function</title>
<updated>2017-01-16T23:07:09Z</updated>
<author>
<name>Julian Andres Klode</name>
<email>jak@debian.org</email>
</author>
<published>2017-01-16T23:07:09Z</published>
<link rel='alternate' type='text/html' href='https://git.kalnischkies.de/apt/commit/?id=c5b8afab0f409b06a63599ff1c5acb433f3957d4'/>
<id>urn:sha1:c5b8afab0f409b06a63599ff1c5acb433f3957d4</id>
<content type='text'>
Thanks: James Clarke &lt;jrtc27@jrtc27.com&gt; for the implementation
Gbp-Dch: ignore
</content>
</entry>
<entry>
<title>allow warning generation for non-whitelisted options</title>
<updated>2016-12-31T17:24:12Z</updated>
<author>
<name>David Kalnischkies</name>
<email>david@kalnischkies.de</email>
</author>
<published>2016-12-31T17:24:12Z</published>
<link rel='alternate' type='text/html' href='https://git.kalnischkies.de/apt/commit/?id=ae73a2944a89e0d2406a2aab4a4c082e1e9da3f9'/>
<id>urn:sha1:ae73a2944a89e0d2406a2aab4a4c082e1e9da3f9</id>
<content type='text'>
The idea is simple: Each¹ Find*( call starts with a call to check if the
given option (with the requested type) exists in the whitelist. The
whitelist is specified via our configure-index file so that we have
a better chance at keeping it current. The whitelist is loaded via a
special (undocumented for now) configuration stanza and if none is
loaded the empty whitelist will make it so that no warnings are shown.

Much needs to be done still, but that is as good a time as any to take a
snapshot of the current state and release it into the wild given that it
found some bugs already and has no practical effect on users.

¹ not all in this iteration, but many
</content>
</entry>
<entry>
<title>warn if clearsigned file has ignored content parts</title>
<updated>2016-12-31T01:29:19Z</updated>
<author>
<name>David Kalnischkies</name>
<email>david@kalnischkies.de</email>
</author>
<published>2016-12-16T18:50:48Z</published>
<link rel='alternate' type='text/html' href='https://git.kalnischkies.de/apt/commit/?id=6376dfb8dfb99b9d182c2fb13aa34b2ac89805e3'/>
<id>urn:sha1:6376dfb8dfb99b9d182c2fb13aa34b2ac89805e3</id>
<content type='text'>
Clearsigned files like InRelease, .dsc, .changes and co can potentially
include unsigned or additional message blocks ignored by gpg in
verification, but a potential source of trouble in our own parsing
attempts – and an unneeded risk as the usecases for the clearsigned
files we deal with do not reasonably include unsigned parts (like emails
or some such).

This commit changes the silent ignoring to warnings for now to get an
impression on how widespread unintended unsigned parts are, but
eventually we want to turn these into hard errors.
</content>
</entry>
<entry>
<title>gpgv: Flush the files before checking for errors</title>
<updated>2016-12-08T14:19:30Z</updated>
<author>
<name>Julian Andres Klode</name>
<email>jak@debian.org</email>
</author>
<published>2016-12-06T08:35:11Z</published>
<link rel='alternate' type='text/html' href='https://git.kalnischkies.de/apt/commit/?id=6212ee84a517ed68217429022bd45c108ecf9f85'/>
<id>urn:sha1:6212ee84a517ed68217429022bd45c108ecf9f85</id>
<content type='text'>
This is a follow up to the previous issue where we did not check
if getline() returned -1 due to an end of file or due to an error
like memory allocation, treating both as end of file.

Here we ensure that we also handle buffered writes correctly by
flushing the files before checking for any errors in our error
stack.

Buffered writes themselves were introduced in 1.1.9, but the
function was never called with a buffered file from inside
apt until commit 46c4043d741cb2c1d54e7f5bfaa234f1b7580f6c
which was first released with apt 1.2.10. The function is
public, though, so fixing this is a good idea anyway.

Affected: &gt;= 1.1.9
</content>
</entry>
<entry>
<title>SECURITY UPDATE: gpgv: Check for errors when splitting files (CVE-2016-1252)</title>
<updated>2016-12-08T14:19:21Z</updated>
<author>
<name>Julian Andres Klode</name>
<email>jak@debian.org</email>
</author>
<published>2016-12-05T22:01:25Z</published>
<link rel='alternate' type='text/html' href='https://git.kalnischkies.de/apt/commit/?id=51be550c5c38a2e1ddfc2af50a9fab73ccf78026'/>
<id>urn:sha1:51be550c5c38a2e1ddfc2af50a9fab73ccf78026</id>
<content type='text'>
This fixes a security issue where signatures of the
InRelease files could be circumvented in a man-in-the-middle
attack, giving attackers the ability to serve any packages
they want to a system, in turn giving them root access.

It turns out that getline() may not only return EINVAL
as stated in the documentation - it might also return
in case of an error when allocating memory.

This fix not only adds a check that reading worked
correctly, it also implicitly checks that all writes
worked by reporting any other error that occurred inside
the loop and was logged by apt.

Affected: &gt;= 0.9.8
Reported-By: Jann Horn &lt;jannh@google.com&gt;
Thanks: Jann Horn, Google Project Zero for reporting the issue
LP: #1647467
</content>
</entry>
</feed>
