summaryrefslogtreecommitdiff
path: root/apt-pkg
Commit message (Collapse)AuthorAgeFilesLines
* Add explicit message for unsupported binary signatureDavid Kalnischkies2019-03-031-2/+16
| | | | | | | | | | | | | | | | | | | | | | | Verifying the content of Release.gpg made us fail on binary signatures which were never officially supported (apt-secure manpage only documents only the generation of ASCII armored), but silently accepted by gpgv as we passed it on unchecked before. The binary format is complex and is itself split into old and new formats so adding support for this would not only add lots of code but also a good opportunity for bugs and dubious benefit. Reporting this issue explicitly should help repository creators figure out the problem faster than the default NODATA message hinting at captive portals. Given that the binary format has no file magic or any other clear and simple indication that this is a detached signature we guess based on the first two bits only – and by that only supporting the "old" binary format which seems to be the only one generated by gnupg in this case. References: e2965b0b6bdd68ffcad0e06d11755412a7e16e50 Closes: #921685
* Fix various typos in the documentationJakub Wilk2019-02-101-1/+1
|
* Use std::to_string() for HashStringList::FileSize() getterJulian Andres Klode2019-02-041-3/+1
| | | | | | | | This slightly improves performance, as std::to_string() (as in gcc's libstdc++) avoids a heap allocation. This is surprisingly performance critical code, so we might want to improve things further in 1.9 by manually calculating the string - that would also get rid of issues with locales changing string formatting, if any.
* Detect function multiversioning and sse4.2/crc32, enables i386Julian Andres Klode2019-02-041-2/+6
| | | | | This fixes the build on kfreebsd-amd64, and due to the detection of sse4.2, should also enable the sse4.2 on i386.
* gpgv: Use buffered writes for splitting clearsigned filesJulian Andres Klode2019-02-043-2/+13
| | | | | | This is safe here, as the code ensures that the file is flushed before it is being used. The next series should probably make GetTempFile() buffer writes by default.
* Merge branch 'pu/dead-pin' into 'master'Julian Andres Klode2019-02-046-7/+83
|\ | | | | | | | | A pin of -32768 overrides any other, disables repo See merge request apt-team/apt!40
| * Add a Packages-Require-Authorization Release file fieldJulian Andres Klode2019-02-016-4/+63
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This new field allows a repository to declare that access to packages requires authorization. The current implementation will set the pin to -32768 if no authorization has been provided in the auth.conf(.d) files. This implementation is suboptimal in two aspects: (1) A repository should behave more like NotSource repositories (2) We only have the host name for the repository, we cannot use paths yet. - We can fix those after an ABI break. The code also adds a check to acquire-item.cc to not use the specified repository as a download source, mimicking NotSource.
| * Introduce experimental 'never' pinning for sourcesJulian Andres Klode2019-02-011-3/+20
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This allows disabling a repository by pinning it to 'never', which is internally translated to a value of -32768 (or whatever the minimum of short is). This overrides any other pin for that repository. It can be used to make sure certain sources are never used; for example, in unattended-upgrades. To prevent semantic changes to existing files, we substitute min + 1 for every pin-priority: <min>. This is a temporary solution, as we are waiting for an ABI break. To add pins with that value, the special Pin-Priority "never" may be used for now. It's unclear if that will persist, or if the interface will change eventually.
* | Merge branch 'pu/refuseunsignedlines' into 'master'Julian Andres Klode2019-02-013-182/+279
|\ \ | | | | | | | | | | | | Fail if InRelease or Release.gpg contain unsigned lines See merge request apt-team/apt!45
| * | Drop buffered writing from clearsigned message extractionDavid Kalnischkies2019-02-011-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | It is dropped in the merged code, but the extraction of the clearsigned message code was the only one who had it previously, so the short-desc explains the change from a before-after merge of the branch PoV. It would make sense to enable it, but as we aren't in a time critical paths here we can delay this for after buster to avoid problems. References: 73e3459689c05cd62f15c29d2faddb0fc215ef5e Suggested-By: Julian Andres Klode
| * | Avoid boolean flags by splitting writeTo functionsDavid Kalnischkies2019-02-011-14/+20
| | | | | | | | | | | | | | | Suggested-By: Julian Andres Klode Gbp-Dch: Ignore
| * | Reuse APT::StringView more in LineBufferDavid Kalnischkies2019-01-291-32/+9
| | | | | | | | | | | | | | | | | | | | | No effective change in behaviour, just simplifying and reusing code. Suggested-By: Julian Andres Klode Gbp-Dch: Ignore
| * | Rework ifs to use not instead of == false/trueDavid Kalnischkies2019-01-291-54/+66
| | | | | | | | | | | | | | | | | | | | | | | | No change in the logic itself, just dropping "== true", replacing "== false" with not and moving lines around to make branches more obvious. Suggested-By: Julian Andres Klode Gbp-Dch: Ignore
| * | Refuse files with lines unexpectedly starting with a dashDavid Kalnischkies2019-01-281-9/+37
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We support dash-encoding even if we don't really work with files who would need it as implementations are free to encode every line, but otherwise a line starting with a dash must either be a header we parse explicitly or the file is refused. This is against the RFC which says clients should warn on such files, but given that we aren't expecting any files with dash-started lines to begin with this looks a lot like a we should not continue to touch the file as it smells like an attempt to confuse different parsers by "hiding" headers in-between others. The other slightly more reasonable explanation would be an armor header key starting with a dash, but no existing key does that and it seems unlikely that this could ever happen. Also, it is recommended that clients warn about unknown keys, so new appearance is limited.
| * | Use more abstraction to handle the current line bufferDavid Kalnischkies2019-01-281-83/+133
| | | | | | | | | | | | | | | | | | | | | This is C++, so we can use a bit more abstraction to let the code look a tiny bit nicer hopefully improving readability a bit. Gbp-Dch: Ignore
| * | Explicitly remove the whitespaces defined by RFCDavid Kalnischkies2019-01-281-4/+20
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | RFC 4880 section 7.1 "Dash-Escaped Text" at the end defines that only space and tab are allowed, so we should remove only these even if due to use complaining (or now failing) you can't really make use of it. Note that strrstrip was removing '\r\n\t ', not other whitespaces like \v or \f and another big reason to do it explicitly here now is to avoid that a future change adding those could have unintended consequences.
| * | Merge and reuse tmp file handling across the boardDavid Kalnischkies2019-01-243-62/+33
| | | | | | | | | | | | | | | | | | Having many rather similar implementations especially if one is exported while others aren't (and the rest of it not factored out at all) seems suboptimal.
| * | Fail on non-signature lines in Release.gpgDavid Kalnischkies2019-01-231-20/+64
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The exploit for CVE-2019-3462 uses the fact that a Release.gpg file can contain additional content beside the expected detached signature(s). We were passing the file unchecked to gpgv which ignores these extras without complains, so we reuse the same line-reading implementation we use for InRelease splitting to detect if a Release.gpg file contains unexpected data and fail in this case given that we in the previous commit we established that we fail in the similar InRelease case now.
| * | Fail instead of warn for unsigned lines in InReleaseDavid Kalnischkies2019-01-231-106/+99
| |/ | | | | | | | | | | | | | | | | | | | | | | The warnings were introduced 2 years ago without any reports from the wild about them actually appearing for anyone, so now seems to be an as good time as any to switch them to errors. This allows rewritting the code by failing earlier instead of trying to keep going which makes the diff a bit hard to follow but should help simplifying reasoning about it. References: 6376dfb8dfb99b9d182c2fb13aa34b2ac89805e3
* | Step over empty sections in TagFiles with commentsDavid Kalnischkies2019-02-011-2/+6
| | | | | | | | | | | | | | | | Implementing a parser with recursion isn't the best idea, but in practice we should get away with it for the time being to avoid needless codechurn. Closes: #920317 #921037
* | Merge branch 'pu/verify-method-messages-2' into 'master'Julian Andres Klode2019-01-311-0/+31
|\ \ | | | | | | | | | | | | Verify data being sent by methods in SendMessage() See merge request apt-team/apt!48
| * | Verify data being sent by methods in SendMessage()Julian Andres Klode2019-01-301-0/+31
| |/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | As a follow-up for CVE-2019-3462, add checks similar to those for redirect to the central SendMessage() function. The checks are a bit more relaxed for values - they may include newlines and unicode characters (newlines get rewritten, so are safe). For keys and the message header, the checks are far more strict: They may only contain alphanumerical characters, the hyphen-minus, and the horizontal space. In case the method tries to send anything else, we construct a legal 400 URI Failed response, and send that. We specifically do not include the item URI, in case it has been compromised (that would cause infinite recursion).
* / Disable deprecated methods (ftp, rsh, ssh) by defaultJulian Andres Klode2019-01-311-0/+2
|/ | | | | | | These methods are not supposed to be used anymore, they are not actively maintained and may hence contain odd bugs. Fixes !49
* Merge branch 'pu/gpgvsignedby' into 'master'Julian Andres Klode2019-01-222-4/+17
|\ | | | | | | | | Report keys used to sign file from gpgv method to acquire system See merge request apt-team/apt!44
| * Communicate back which key(s) were used for signingDavid Kalnischkies2019-01-222-4/+17
| | | | | | | | | | | | | | Telling the acquire system which keys caused the gpgv method to succeed allows us for now just a casual check if the gpgv method really executed catching bugs like CVE-2018-0501, but we will make use of the information for better features in the following commits.
* | SECURITY UPDATE: content injection in http method (CVE-2019-3462)Julian Andres Klode2019-01-221-0/+6
|/ | | | | | | | | | | | | | | | | This fixes a security issue that can be exploited to inject arbritrary debs or other files into a signed repository as followed: (1) Server sends a redirect to somewhere%0a<headers for the apt method> (where %0a is \n encoded) (2) apt method decodes the redirect (because the method encodes the URLs before sending them out), writting something like somewhere\n <headers> into its output (3) apt then uses the headers injected for validation purposes. Regression-Of: c34ea12ad509cb34c954ed574a301c3cbede55ec LP: #1812353
* Remove `register` keywordKhem Raj2019-01-221-1/+1
| | | | | | | | | | | | | | | | | | In C++17 `register` keyword was removed. Current gcc 8.1.0 produces following warning if `-std=c++17` flag is used: warning: ISO C++17 does not allow 'register' storage class specifier [-Wregister] GCC almost completely ignores `register` keyword, with rare exception of `-O0` when additional copy from/to stack may be generated. For simplicity of the codebase it is better to just remove this problematic keyword where it is not strictly required. See: http://en.cppreference.com/w/cpp/language/storage_duration Signed-off-by: Khem Raj <raj.khem@gmail.com>
* hash32: Tighten to multiversion to x86-64 ELF and use uint32_tJulian Andres Klode2019-01-051-3/+3
|
* debListParser: Avoid native arch lookup in ParseDependsJulian Andres Klode2018-12-262-3/+4
| | | | | | | | | | | | | We called low-level ParseDepends without an architecture each time, which means each call looked up the native architecture. Store the native architecture in the class and use that when calling low-level ParseDepends from the high-level ParseDepends(). This improves performance for a cache build from 2.7 to 2.5 seconds for me. Also avoid a call when stripping multiarch, as the native architecture is passed in.
* configuration: Compare size first during lookupJulian Andres Klode2018-12-261-1/+1
|
* cache hash: Use sse4.2 CRC32c on x86-64 where availableJulian Andres Klode2018-12-261-7/+51
| | | | | | | | | | This is more than twice as fast as adler32, but could be made another 50% faster by calculating crcs for 8 byte blocks in "parallel" (without data dependency) and then combining them. But that's complicated code. Reference measurements for hashing the cache 100 times: adler32=2.46s xxhash64=0.64 xxhash32=1.12 crc32c(this)=1.10 crc32c(opt)=0.44s
* Merge branch 'pu/dpkg-path' into 'master'Julian Andres Klode2018-12-103-0/+10
|\ | | | | | | | | Set PATH=/usr/sbin:/usr/bin:/sbin:/bin when running dpkg See merge request apt-team/apt!38
| * Set PATH=/usr/sbin:/usr/bin:/sbin:/bin when running dpkgJulian Andres Klode2018-12-103-0/+10
| | | | | | | | | | | | | | | | | | This avoids a lot of problems from local installations of scripting languages and other stuff in /usr/local for which maintainer scripts are not prepared. [v3: Inherit PATH during tests, check overrides work] [v2: Add testing]
* | Add support for /etc/apt/auth.conf.d/*.conf (netrcparts)Julian Andres Klode2018-12-041-0/+1
|/ | | | | | | | | This allows us to install matching auth files for sources.list.d files, for example; very useful. This converts aptmethod's authfd from one FileFd to a vector of pointers to FileFd, as FileFd cannot be copied, and move operators are hard.
* Override FileFd copy constructor to prevent copyingJulian Andres Klode2018-12-041-0/+1
| | | | | FileFd could be copied using the default copy constructor, which does not work, and then causes code to crash.
* Merge branch 'bugfix/spaceinconfig' into 'master'Julian Andres Klode2018-12-042-2/+2
|\ | | | | | | | | Use quoted tagnames in config dumps See merge request apt-team/apt!32
| * Use quoted tagnames in config dumpsDavid Kalnischkies2018-11-292-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Tagnames in configuration can include spaces (and other nasties) e.g. in repository-specific configuration options due to Origin/Label potentially containing a space. The configuration file format supports parsing quoted as well as encoded spaces, but the output generated by apt-config and other places which might be feedback into apt via parsing (e.g. before calling apt-key in our gpgv method) do not quote and hence produce invalid configuration files. Changing the default to be an encoded tagname ensures that the output of dump can be used as a config file, but other users might not expect this so that is technically a backward-breaking change.
* | Merge branch 'remove_old_derivatives' into 'master'Julian Andres Klode2018-12-041-2/+0
|\ \ | |/ |/| | | | | Remove old derivatives See merge request apt-team/apt!31
| * Remove "Tanglu" config for Acquire::Changelogs and as vendorManuel A. Fernandez Montecelo2018-10-261-1/+0
| | | | | | | | | | This is an inactive derivative according to the census, and all the URLs which are part of tanglu.org are dead.
| * Remove "Ultimedia" config for Acquire::ChangelogsManuel A. Fernandez Montecelo2018-10-261-1/+0
| | | | | | | | | | This is an inactive derivative according to the census, and all the URLs which are part of .ultimediaos.com are dead.
* | Fix typo reported by codespell in code commentsDavid Kalnischkies2018-11-257-9/+9
| | | | | | | | | | | | | | | | No user visible change expect for some years old changelog entries, so we don't really need to add a new one for this… Reported-By: codespell Gbp-Dch: Ignore
* | Fix typos encountered while updating de translationChris Leick2018-10-301-1/+1
|/
* Merge branch 'feature/subkeys' into 'master'Julian Andres Klode2018-10-142-55/+69
|\ | | | | | | | | Support subkeys and multiple keyrings in Signed-By options See merge request apt-team/apt!27
| * Support multiple keyrings in sources.list Signed-ByDavid Kalnischkies2018-09-111-4/+7
| | | | | | | | | | | | | | A user can specify multiple fingerprints for a while now, so its seems counter-intuitive to support only one keyring, especially if this isn't really checked or enforced and while unlikely mixtures of both should work properly, too, instead of a kinda random behaviour.
| * Support subkeys properly in Signed-By optionsDavid Kalnischkies2018-09-111-51/+62
| | | | | | | | | | | | | | | | If we limit a file to be signed by a certain key it should usually accept also being signed by any of this keys subkeys instead of requiring each subkey to be listed explicitly. If the later is really wanted we support now also the same syntax as gpg does with appending an exclamation mark at the end of the fingerprint to force no mapping.
* | Default to https: scheme for fetching Debian changelogsBen Hutchings2018-10-131-1/+1
| | | | | | | | Closes: #910941
* | Set DPKG_FRONTEND_LOCKED when running {pre,post}-invoke scriptsJulian Andres Klode2018-10-052-0/+6
| | | | | | | | | | | | | | | | | | Some post-invoke scripts install packages, which fails because the environment variable is not set. This sets the variable for all three kinds of scripts {pre,post-}invoke and pre-install-pkgs, but we will only allow post-invoke at a later time. Gbp-Dch: full
* | pkgCacheFile: Only unlock in destructor if locked beforeJulian Andres Klode2018-09-242-5/+21
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | pkgCacheFile's destructor unlocks the system, which is confusing if you did not open the cachefile with WithLock set. Create a private data instance that holds the value of WithLock. This regression was introduced in commit b2e465d6d32d2dc884f58b94acb7e35f671a87fe: Join with aliencode Author: jgg Date: 2001-02-20 07:03:16 GMT Join with aliencode by replacing a "Lock" member that was only initialized when the lock was taken by calls to Lock, UnLock; with the latter also taking place if the former did not occur. Regression-Of: b2e465d6d32d2dc884f58b94acb7e35f671a87fe LP: #1794053
* | Fix calculation of elapsed usec in downloadsJulian Andres Klode2018-09-241-2/+2
| | | | | | | | | | | | A recent change to use chronos inadvertently replaced the difference of new usec - old usec with new sec - old usec, which is obviously wrong.
* | Reorder progress report messagesDavid Kalnischkies2018-09-111-9/+9
| | | | | | | | | | | | | | | | | | | | We are seeing 'processing' messages from dpkg first, so it makes sense to translate them to "Preparing" messages instead of using "Installing" and co to override these shortly after with the "Preparing" messages. The difference isn't all to visible as later messages tend to linger far longer in the display than the ealier ones, but at least in a listing it seems more logical.