summaryrefslogtreecommitdiff
path: root/apt-pkg/acquire-item.cc
diff options
context:
space:
mode:
authorJulian Andres Klode <juliank@ubuntu.com>2018-04-09 15:32:09 +0200
committerJulian Andres Klode <julian.klode@canonical.com>2019-01-18 16:32:45 +0100
commit03af77d4ca60a21f3dca1ab10ef2ba17ec2f96c9 (patch)
tree7867cfa7a2ead40aeb5f9020d0e0f1b8c56719b1 /apt-pkg/acquire-item.cc
parente4ad2101c39020f18ccd8bb522eeb6b5dead0e5d (diff)
Import Debian version 1.0.1ubuntu2.18
apt (1.0.1ubuntu2.18) trusty; urgency=medium * ExecFork: Use /proc/self/fd to determine which files to close (Closes: #764204) (LP: #1332440). apt (1.0.1ubuntu2.17) trusty-security; urgency=high * SECURITY UPDATE: gpgv: Check for errors when splitting files (CVE-2016-1252) Thanks to Jann Horn, Google Project Zero for reporting the issue (LP: #1647467) apt (1.0.1ubuntu2.15) trusty; urgency=medium * Fixes failure to download the Package index file when using mirror:// URL in sources.list and the archive fails to profile a file. APT would try the next archive in the list for .deb packages but did not retry when the index file failed to download. (LP: #1625667) apt (1.0.1ubuntu2.14) trusty; urgency=medium * When using the https transport mechanism, $no_proxy is ignored if apt is getting it's proxy information from $https_proxy (as opposed to Acquire::https::Proxy somewhere in apt config). If the source of proxy information is Acquire::https::Proxy set in apt.conf (or apt.conf.d), then $no_proxy is honored. This patch makes the behavior similar for both methods of setting the proxy. (LP: #1575877) apt (1.0.1ubuntu2.13) trusty; urgency=medium * Recheck Pre-Depends satisfaction in SmartConfigure, to avoid unconfigured Pre-Depends (which dpkg later fails on). Fixes upgrade failures of systemd, util-linux, and other packages with Pre-Depends. Many thanks to David Kalnischkies for figuring out the patch and Winfried PLappert for testing! Patch taken from Debian git. (LP: #1560797) apt (1.0.1ubuntu2.12) trusty; urgency=medium [ Colin Watson ] * Fix lzma write support to handle "try again" case (closes: #751688, LP: #1553770). [ David Kalnischkies ] * Handle moved mmap after UniqFindTagWrite call (closes: #753941, LP: #1445436). apt (1.0.1ubuntu2.11) trusty; urgency=medium * apt-pkg/packagemanager.cc: - fix incorrect configure ordering in the SmartConfigure step by skipping packages that do not need immediate action. (LP: #1347721, #1497688) apt (1.0.1ubuntu2.10) trusty; urgency=medium * Fix regression from the previous upload by ensuring we're actually testing for the right member before iterating on it (LP: #1480592) apt (1.0.1ubuntu2.9) trusty; urgency=medium * Fix regression in the Never-MarkAuto-Sections feature caused by the previous auto-removal fix, with inspiration drawn from the patches and conversation from http://bugs.debian.org/793360 (LP: #1479207) apt (1.0.1ubuntu2.8) trusty-proposed; urgency=low * fix crash for packages that have no section in their instVersion (LP: #1449394) apt (1.0.1ubuntu2.7) trusty-proposed; urgency=low * fix auto-removal behavior (thanks to Adam Conrad) LP: #1429041 apt (1.0.1ubuntu2.6) trusty-proposed; urgency=medium * apt-pkg/deb/dpkgpm.cc: - update string matching for dpkg I/O errors. (LP: #1363257) - properly parse the dpkg status line so that package name is properly set and an apport report is created. Thanks to Anders Kaseorg for the patch. (LP: #1353171) apt (1.0.1ubuntu2.5) trusty-security; urgency=low * SECURITY UPDATE: - cmdline/apt-get.cc: fix insecure tempfile handling in apt-get changelog (CVE-2014-7206). Thanks to Guillem Jover apt (1.0.1ubuntu2.4.1) trusty-security; urgency=low * SECURITY UPDATE: - fix potential buffer overflow, thanks to the Google Security Team (CVE-2014-6273) * Fix regression from the previous upload when file:/// sources are used and those are on a different partition than the apt state directory * Fix regression when Dir::state::lists is set to a relative path * Fix regression when cdrom: sources got rewriten by apt-cdrom add apt (1.0.1ubuntu2.3) trusty-security; urgency=low * SECURITY UPDATE: - incorrect invalidating of unauthenticated data (CVE-2014-0488) - incorect verification of 304 reply (CVE-2014-0487) - incorrect verification of Acquire::Gzip indexes (CVE-2014-0489)
Diffstat (limited to 'apt-pkg/acquire-item.cc')
-rw-r--r--apt-pkg/acquire-item.cc111
1 files changed, 82 insertions, 29 deletions
diff --git a/apt-pkg/acquire-item.cc b/apt-pkg/acquire-item.cc
index 30743addf..4ddab943c 100644
--- a/apt-pkg/acquire-item.cc
+++ b/apt-pkg/acquire-item.cc
@@ -999,7 +999,7 @@ string pkgAcqIndex::Custom600Headers()
string msg = "\nIndex-File: true";
// FIXME: this really should use "IndexTarget::IsOptional()" but that
// seems to be difficult without breaking ABI
- if (ShortDesc().find("Translation") != 0)
+ if (ShortDesc().find("Translation") != std::string::npos)
msg += "\nFail-Ignore: true";
struct stat Buf;
if (stat(Final.c_str(),&Buf) == 0)
@@ -1028,6 +1028,31 @@ void pkgAcqIndex::Failed(string Message,pkgAcquire::MethodConfig *Cnf) /*{{{*/
Item::Failed(Message,Cnf);
}
/*}}}*/
+// pkgAcqIndex::GetFinalFilename - Return the full final file path /*{{{*/
+std::string pkgAcqIndex::GetFinalFilename(std::string const &URI,
+ std::string const &compExt)
+{
+ std::string FinalFile = _config->FindDir("Dir::State::lists");
+ FinalFile += URItoFileName(URI);
+ if (_config->FindB("Acquire::GzipIndexes",false) && compExt == "gz")
+ FinalFile += ".gz";
+ return FinalFile;
+}
+ /*}}}*/
+// AcqIndex::ReverifyAfterIMS - Reverify index after an ims-hit /*{{{*/
+void pkgAcqIndex::ReverifyAfterIMS(std::string const &FileName)
+{
+ std::string const compExt = CompressionExtension.substr(0, CompressionExtension.find(' '));
+ if (_config->FindB("Acquire::GzipIndexes",false) && compExt == "gz")
+ DestFile += ".gz";
+
+ string FinalFile = GetFinalFilename(RealURI, compExt);
+ Rename(FinalFile, FileName);
+ Decompression = true;
+ Desc.URI = "copy:" + FileName;
+ QueueURI(Desc);
+}
+ /*}}}*/
// AcqIndex::Done - Finished a fetch /*{{{*/
// ---------------------------------------------------------------------
/* This goes through a number of states.. On the initial fetch the
@@ -1039,6 +1064,7 @@ void pkgAcqIndex::Done(string Message,unsigned long long Size,string Hash,
pkgAcquire::MethodConfig *Cfg)
{
Item::Done(Message,Size,Hash,Cfg);
+ std::string const compExt = CompressionExtension.substr(0, CompressionExtension.find(' '));
if (Decompression == true)
{
@@ -1050,6 +1076,7 @@ void pkgAcqIndex::Done(string Message,unsigned long long Size,string Hash,
if (!ExpectedHash.empty() && ExpectedHash.toStr() != Hash)
{
+ Desc.URI = RealURI;
RenameOnError(HashSumMismatch);
return;
}
@@ -1058,9 +1085,9 @@ void pkgAcqIndex::Done(string Message,unsigned long long Size,string Hash,
* have a Package field) (LP: #346386) (Closes: #627642) */
if (Verify == true)
{
- FileFd fd(DestFile, FileFd::ReadOnly);
+ FileFd fd(DestFile, FileFd::ReadOnlyGzip);
// Only test for correctness if the file is not empty (empty is ok)
- if (fd.FileSize() > 0)
+ if (fd.Size() > 0)
{
pkgTagSection sec;
pkgTagFile tag(&fd);
@@ -1075,8 +1102,7 @@ void pkgAcqIndex::Done(string Message,unsigned long long Size,string Hash,
}
// Done, move it into position
- string FinalFile = _config->FindDir("Dir::State::lists");
- FinalFile += URItoFileName(RealURI);
+ string FinalFile = GetFinalFilename(RealURI, compExt);
Rename(DestFile,FinalFile);
chmod(FinalFile.c_str(),0644);
@@ -1084,7 +1110,9 @@ void pkgAcqIndex::Done(string Message,unsigned long long Size,string Hash,
will work OK */
DestFile = _config->FindDir("Dir::State::lists") + "partial/";
DestFile += URItoFileName(RealURI);
-
+ if (_config->FindB("Acquire::GzipIndexes",false) && compExt == "gz")
+ DestFile += ".gz";
+
// Remove the compressed version.
if (Erase == true)
unlink(DestFile.c_str());
@@ -1098,9 +1126,6 @@ void pkgAcqIndex::Done(string Message,unsigned long long Size,string Hash,
string FileName = LookupTag(Message,"Alt-Filename");
if (FileName.empty() == false)
{
- // The files timestamp matches
- if (StringToBool(LookupTag(Message,"Alt-IMS-Hit"),false) == true)
- return;
Decompression = true;
Local = true;
DestFile += ".decomp";
@@ -1117,33 +1142,36 @@ void pkgAcqIndex::Done(string Message,unsigned long long Size,string Hash,
ErrorText = "Method gave a blank filename";
}
- std::string const compExt = CompressionExtension.substr(0, CompressionExtension.find(' '));
-
- // The files timestamp matches
- if (StringToBool(LookupTag(Message,"IMS-Hit"),false) == true) {
- if (_config->FindB("Acquire::GzipIndexes",false) && compExt == "gz")
- // Update DestFile for .gz suffix so that the clean operation keeps it
- DestFile += ".gz";
- return;
- }
-
if (FileName == DestFile)
Erase = true;
else
Local = true;
-
+
+ // do not reverify cdrom sources as apt-cdrom may rewrite the Packages
+ // file when its doing the indexcopy
+ if (RealURI.substr(0,6) == "cdrom:" &&
+ StringToBool(LookupTag(Message,"IMS-Hit"),false) == true)
+ return;
+
+ // The files timestamp matches
+ if (!Local && StringToBool(LookupTag(Message,"IMS-Hit"),false) == true)
+ {
+ ReverifyAfterIMS(FileName);
+ return;
+ }
+
string decompProg;
- // If we enable compressed indexes and already have gzip, keep it
- if (_config->FindB("Acquire::GzipIndexes",false) && compExt == "gz" && !Local) {
- string FinalFile = _config->FindDir("Dir::State::lists");
- FinalFile += URItoFileName(RealURI) + ".gz";
- Rename(DestFile,FinalFile);
- chmod(FinalFile.c_str(),0644);
-
- // Update DestFile for .gz suffix so that the clean operation keeps it
- DestFile = _config->FindDir("Dir::State::lists") + "partial/";
+ // If we enable compressed indexes, queue for hash verification
+ if (_config->FindB("Acquire::GzipIndexes",false) && compExt == "gz" && !Local)
+ {
+ DestFile = _config->FindDir("Dir::State::lists");
DestFile += URItoFileName(RealURI) + ".gz";
+
+ Decompression = true;
+ Desc.URI = "copy:" + FileName;
+ QueueURI(Desc);
+
return;
}
@@ -1187,6 +1215,9 @@ string pkgAcqIndexTrans::Custom600Headers()
string Final = _config->FindDir("Dir::State::lists");
Final += URItoFileName(RealURI);
+ if (_config->FindB("Acquire::GzipIndexes",false))
+ Final += ".gz";
+
struct stat Buf;
if (stat(Final.c_str(),&Buf) != 0)
return "\nFail-Ignore: true\nIndex-File: true";
@@ -1516,6 +1547,28 @@ void pkgAcqMetaIndex::AuthDone(string Message) /*{{{*/
std::cerr << "Signature verification succeeded: "
<< DestFile << std::endl;
+ // do not trust any previously unverified content that we may have
+ string LastGoodSigFile = _config->FindDir("Dir::State::lists").append("partial/").append(URItoFileName(RealURI));
+ if (DestFile != SigFile)
+ LastGoodSigFile.append(".gpg");
+ LastGoodSigFile.append(".reverify");
+ if(IMSHit == false && RealFileExists(LastGoodSigFile) == false)
+ {
+ for (vector <struct IndexTarget*>::const_iterator Target = IndexTargets->begin();
+ Target != IndexTargets->end();
+ ++Target)
+ {
+ // remove old indexes
+ std::string index = _config->FindDir("Dir::State::lists") +
+ URItoFileName((*Target)->URI);
+ unlink(index.c_str());
+ // and also old gzipindexes
+ index += ".gz";
+ unlink(index.c_str());
+ }
+ }
+
+
// Download further indexes with verification
QueueIndexes(true);