Debians commandline package manager https://git.kalnischkies.de/apt/atom?h=2.1.13 2020-12-10T14:40:08Z 2020-12-10T14:40:08Z Julian Andres Klode julian.klode@canonical.com 2020-12-08T10:52:26Z urn:sha1:07808e0d08e8e95e06b754f4c37665015b1045a7 We now have over 100k package names, my Ubuntu system has 125k arleady, so increase the hash table size to match, this will cost us about a MB in cache size, but give a very nice speed up somewhere around 3%-4% or so. 2020-12-09T16:30:43Z Julian Andres Klode julian.klode@canonical.com 2020-12-05T18:55:30Z urn:sha1:df81895bce764dd02fbb4d67b92d28a730b5281f The integer overflow was detected by DonKult who added a check like this: (std::numeric_limits<decltype(Itm.Size)>::max() - (2 * sizeof(Block))) Which deals with the code as is, but also still is a fairly big limit, and could become fragile if we change the code. Let's limit our file sizes to 128 GiB, which should be sufficient for everyone. Original comment by DonKult: The code assumes that it can add sizeof(Block)-1 to the size of the item later on, but if we are close to a 64bit overflow this is not possible. Fixing this seems too complex compared to just ensuring there is enough room left given that we will have a lot more problems the moment we will be acting on files that large as if the item is that large, the (valid) tar including it probably doesn't fit in 64bit either. 2020-12-09T16:30:43Z Julian Andres Klode julian.klode@canonical.com 2020-12-05T19:17:56Z urn:sha1:0444f9dd52c2bc7bec315f6f1ecad76a30713fa0 Like the code in arfile.cc, MemControlExtract also has buffer overflows, in code allocating memory for parsing control files. Specify an upper limit of 64 MiB for control files to both protect against the Size overflowing (we allocate Size + 2 bytes), and protect a bit against control files consisting only of zeroes. 2020-12-09T16:30:43Z Julian Andres Klode julian.klode@canonical.com 2020-12-04T11:37:19Z urn:sha1:822db13d68658a1a20df2d19c688c18faa331616 Tarballs have long names and long link targets structured by a special tar header with a GNU extension followed by the actual content (padded to 512 bytes). Essentially, think of a name as a special kind of file. The limit of a file size in a header is 12 bytes, aka 10**12 or 1 TB. While this works OK-ish for file content that we stream to extractors, we need to copy file names into memory, and this opens us up to an OOM DoS attack. Limit the file name size to 1 MiB, as libarchive does, to make things safer. 2020-12-09T16:30:43Z Julian Andres Klode julian.klode@canonical.com 2020-10-19T11:22:33Z urn:sha1:d10c68d628fe5342d400a999a6d10c5c7c0cef41 GHSL-2020-169: This first hunk adds a check that we have more files left to read in the file than the size of the member, ensuring that (a) the number is not negative, which caused the crash here and (b) ensures that we similarly avoid other issues with trying to read too much data. GHSL-2020-168: Long file names are encoded by a special marker in the filename and then the real filename is part of what is normally the data. We did not check that the length of the file name is within the length of the member, which means that we got a overflow later when subtracting the length from the member size to get the remaining member size. The file createdeb-lp1899193.cc was provided by GitHub Security Lab and reformatted using apt coding style for inclusion in the test case, both of these issues have an automated test case in test/integration/test-ubuntu-bug-1899193-security-issues. LP: #1899193 2020-12-07T14:11:20Z Julian Andres Klode julian.klode@canonical.com 2020-12-07T14:04:30Z urn:sha1:f9a621d335622a8909177f6d347e32e3876fde3f This allows patterns like ~nalpha~nbeta and ~nalpha!~nbeta to work like they do in APT. Also add a comment to remind readers that everything in START should be in short too. Cc: stable >= 2.0 2020-12-04T22:16:04Z Julian Andres Klode julian.klode@canonical.com 2020-12-04T22:16:04Z urn:sha1:d63772845a28a08ea9c812ad8ac281cf9e0ae12a The compiler does not know that the size is small and thinks we might be doing a stack buffer overflow of the vla: Add APT_ASSUME macro and silence -Wstringop-overflow in HexDigest() The compiler does not know that the size of a hash is at most 512 bit, so tell it that it is. ../apt-pkg/contrib/hashes.cc: In function ‘std::string HexDigest(gcry_md_hd_t, int)’: ../apt-pkg/contrib/hashes.cc:415:21: warning: writing 1 byte into a region of size 0 [-Wstringop-overflow=] 415 | Result[(Size)*2] = 0; | ~~~~~~~~~~~~~~~~~^~~ ../apt-pkg/contrib/hashes.cc:414:9: note: at offset [-9223372036854775808, 9223372036854775807] to an object with size at most 4294967295 declared here 414 | char Result[((Size)*2) + 1]; | ^~~~~~ Fix this by adding a simple assertion. This generates an extra two instructions in the normal code path, so it's not exactly super costly. 2020-11-06T09:51:06Z Julian Andres Klode julian.klode@canonical.com 2020-10-08T09:50:19Z urn:sha1:2b13473a9b9947f55a0871d146e4fee456b0af60 In LP#835625, it was reported that apt did not unpack multi-arch packages in the correct order, and dpkg did not like that. The fix also made apt configure packages together, which is not strictly necessary. This turned out to cause issues now, because of dependencies on libc6:i386 that caused immediate configuration of that to not work. Work around the issue by not configuring multi-arch: same packages in lockstep if they have the immediate flag set. This will be the pseudo-essential set, and given how essential works, we mostly need the native arch to work correctly anyway. LP: #1871268 Regression-Of: 30426f4822516bdd26528aa2e6d8d69c1291c8d3 2020-10-21T09:47:29Z Julian Andres Klode julian.klode@canonical.com 2020-10-21T09:47:29Z urn:sha1:998a17d7e6f834c341f198ca5b6df2f27e18df38 We are seeing more and more installations fail due to immediate configuration issues related to libc6. Immediate configuration is supposed to ensure that an essential package is configured immediately, just in case some other packages use a part of the essential package that only works if that package is configured. This used to be a warning, it was turned into an error in some commit I can't remember right now, but importantly, the error missed a return, which means that ordering completed succesfully and packages were being installed anyway; and after all that happened successfully, we'd print an error at the end and exit with an error code, which is not super useful. Revert the error back to a warning such that the behavior stays the same but we do not fail (unless we mess up ordering which then gets caught by a consistency check later on. Closes: #953260 Closes: #972552 LP: #1871268 2020-08-11T06:57:47Z Julian Andres Klode julian.klode@canonical.com 2020-08-11T06:56:39Z urn:sha1:626b7ccc8cec120f789ef89c2d5d28b8b6d67a04 If we have errors pending, always log them with our failure message to provide more context.