Debians commandline package manager https://git.kalnischkies.de/apt/atom?h=2.3.1 2021-04-13T14:00:41Z 2021-04-13T14:00:41Z Julian Andres Klode julian.klode@canonical.com 2021-04-09T16:11:02Z urn:sha1:27a4fb3a9ac67a13ed516c75feefdc1fd426520a The maximum request size is accidentally set to any sized file, so if an unsized file is present, and it turns out to be larger than the maximum size we set, we'd error out when checking if its size is smaller than the maximum request size. LP: #1921626 2021-03-06T14:02:26Z David Kalnischkies david@kalnischkies.de 2021-03-06T14:02:26Z urn:sha1:9bd27033c4786fa89cebc9d090ad2c6e8f47b598 There isn't a lot of sense in working on empty patches as they change nothing (quite literally), but they can be the result of merging multiple patches and so to not require our users to specifically detect and remove them, we can be nice and just ignore them instead of erroring out. 2021-02-04T10:00:00Z David Kalnischkies david@kalnischkies.de 2020-06-28T18:59:27Z urn:sha1:3e53dbbe758a4e2da378ebf0296d8105d4a5804c We use the code in error messages, so at least for that edgecase we should ensure that it has sensible content. Note that the acquire system aborts on non-sensible message content in SendMessage, so you can't really exploit this. 2021-02-04T10:00:00Z David Kalnischkies david@kalnischkies.de 2020-06-28T18:52:09Z urn:sha1:96dc40b19623621a9cc2c5541fb3adbbceb553b1 varg API is a nightmare as the symbols seems different on ever other arch, but more importantly SendMessage does a few checks on the content of the message and it is all outputted via C++ iostreams and not mixed in FILE* which is handy for overriding the streams. 2021-02-04T10:00:00Z David Kalnischkies david@kalnischkies.de 2021-02-03T16:50:05Z urn:sha1:35af71bc026d85aef4af979aa247e837d91dfc1c The rest of our code uses return-code errors and it isn't that nice to crash the rred method on bad patches anyway, so we move to properly reporting errors in our usual way which incidently also helps writing a fuzzer for it. This is not really security relevant though as the patches passed hash verification while they were downloaded, so an attacker has to overtake a trusted repository first which gives plenty better options of attack. 2020-12-22T23:54:14Z Faidon Liambotis paravoid@debian.org 2020-12-22T23:54:14Z urn:sha1:1663774bf309fbd196fd2b9c5c2afdd7a25fd288 The "last connection" cache is currently being stored and looked up on the combination of (LastHost, LastPort). However, these are not what the arguments to getaddrinfo() were on the first try: the call is to getaddrinfo(Host, ServiceNameOrPort, ...), i.e. with the port *or if 0, the service name* (e.g. http). Effectively this means that the connection cache lookup for: https://example.org/... i.e. Host = example.org, Port = 0, Service = http would end up matching the "last" connection of (if existed): https://example.org/... i.e. Host = example.org, Port = 0, Service = https ...and thus performing a TLS request over an (unrelated) port 80 connection. Therefore, an HTTP request, followed up by an (unrelated) HTTPS request to the same server, would always fail. Address this by using as the cache key the ServiceNameOrPort, rather than Port. 2020-12-22T23:51:50Z Faidon Liambotis paravoid@debian.org 2020-12-22T23:51:50Z urn:sha1:8d4b3a4fcead0ca534b5d1c5a99ae2a4c95eee21 Convert the fixed-size (300) char array "ServStr" to a std::string, and simplify the code by removing snprintfs in the process. While at it, rename to the more aptly named "ServiceNameOrPort" and update the comment to reflect what this variable is meant to be. 2020-12-22T23:23:22Z Faidon Liambotis paravoid@debian.org 2020-12-22T23:23:22Z urn:sha1:570861fc55ba38c1092fac1d555111bab4577b49 ServerState->Comp() is used by the HTTP methods main loop to check whether a connection can be reused, or whether a new one is needed. Unfortunately, the currently implementation only compares the Host and Port between the ServerState's internal URI, with a new URI. However these are URIs, and therefore Port is 0 when a URI port is not specificied, i.e. in the most common configurations. As a result, a ServerState for http://example.org/... will be reused for URIs of the form https://example.org/..., as both Host (example.org) and Port (0) match. In turn this means that GET requests will happen over port 80, in cleartext, even for those https URLs(!). URI Acquires for an http URI and subsequently for an https one, in the same aptmethod session, do not typically happen with apt as the frontend, as apt opens a new pipe with the "https" aptmethod binary (nowadays a symlink to http), which is why this hasn't been a problem in practice and has eluded detection so far. It does happen in the wild with other frontends (e.g. reprepro), plus is legitimately an odd and surprising behavior on apt's end. Therefore add a comparison for the URI's "Access" (= the scheme) in addition to Host and Port, to ensure that we're not reusing the same state for multiple different schemes. 2020-12-18T18:31:19Z David Kalnischkies david@kalnischkies.de 2020-07-09T22:02:25Z urn:sha1:97d6c3b2d05fe0d965657197adf56cc78f9edf81 Every method opts in to getting the encoded URI passed along while keeping compat in case we are operated by an older acquire system. Effectively this is just a change for the http-based methods as the others just decode the URI as they work with files directly. 2020-11-07T21:52:20Z David Kalnischkies david@kalnischkies.de 2020-11-07T21:52:20Z urn:sha1:e5bb443cf58cec23503ad0deeeb06a080053da8a