diff options
author | Julian Andres Klode <juliank@ubuntu.com> | 2018-04-09 15:32:09 +0200 |
---|---|---|
committer | Julian Andres Klode <julian.klode@canonical.com> | 2019-01-18 16:32:45 +0100 |
commit | 03af77d4ca60a21f3dca1ab10ef2ba17ec2f96c9 (patch) | |
tree | 7867cfa7a2ead40aeb5f9020d0e0f1b8c56719b1 /apt-pkg/contrib | |
parent | e4ad2101c39020f18ccd8bb522eeb6b5dead0e5d (diff) |
Import Debian version 1.0.1ubuntu2.18
apt (1.0.1ubuntu2.18) trusty; urgency=medium
* ExecFork: Use /proc/self/fd to determine which files to close
(Closes: #764204) (LP: #1332440).
apt (1.0.1ubuntu2.17) trusty-security; urgency=high
* SECURITY UPDATE: gpgv: Check for errors when splitting files (CVE-2016-1252)
Thanks to Jann Horn, Google Project Zero for reporting the issue
(LP: #1647467)
apt (1.0.1ubuntu2.15) trusty; urgency=medium
* Fixes failure to download the Package index file when using
mirror:// URL in sources.list and the archive fails to profile
a file. APT would try the next archive in the list for .deb
packages but did not retry when the index file failed to download.
(LP: #1625667)
apt (1.0.1ubuntu2.14) trusty; urgency=medium
* When using the https transport mechanism, $no_proxy is ignored if apt is
getting it's proxy information from $https_proxy (as opposed to
Acquire::https::Proxy somewhere in apt config). If the source of proxy
information is Acquire::https::Proxy set in apt.conf (or apt.conf.d),
then $no_proxy is honored. This patch makes the behavior similar for
both methods of setting the proxy. (LP: #1575877)
apt (1.0.1ubuntu2.13) trusty; urgency=medium
* Recheck Pre-Depends satisfaction in SmartConfigure, to avoid unconfigured
Pre-Depends (which dpkg later fails on). Fixes upgrade failures of
systemd, util-linux, and other packages with Pre-Depends. Many thanks to
David Kalnischkies for figuring out the patch and Winfried PLappert for
testing! Patch taken from Debian git. (LP: #1560797)
apt (1.0.1ubuntu2.12) trusty; urgency=medium
[ Colin Watson ]
* Fix lzma write support to handle "try again" case (closes: #751688,
LP: #1553770).
[ David Kalnischkies ]
* Handle moved mmap after UniqFindTagWrite call (closes: #753941,
LP: #1445436).
apt (1.0.1ubuntu2.11) trusty; urgency=medium
* apt-pkg/packagemanager.cc:
- fix incorrect configure ordering in the SmartConfigure step by skipping
packages that do not need immediate action. (LP: #1347721, #1497688)
apt (1.0.1ubuntu2.10) trusty; urgency=medium
* Fix regression from the previous upload by ensuring we're actually
testing for the right member before iterating on it (LP: #1480592)
apt (1.0.1ubuntu2.9) trusty; urgency=medium
* Fix regression in the Never-MarkAuto-Sections feature caused by the
previous auto-removal fix, with inspiration drawn from the patches
and conversation from http://bugs.debian.org/793360 (LP: #1479207)
apt (1.0.1ubuntu2.8) trusty-proposed; urgency=low
* fix crash for packages that have no section in their instVersion
(LP: #1449394)
apt (1.0.1ubuntu2.7) trusty-proposed; urgency=low
* fix auto-removal behavior (thanks to Adam Conrad)
LP: #1429041
apt (1.0.1ubuntu2.6) trusty-proposed; urgency=medium
* apt-pkg/deb/dpkgpm.cc:
- update string matching for dpkg I/O errors. (LP: #1363257)
- properly parse the dpkg status line so that package name is properly set
and an apport report is created. Thanks to Anders Kaseorg for the patch.
(LP: #1353171)
apt (1.0.1ubuntu2.5) trusty-security; urgency=low
* SECURITY UPDATE:
- cmdline/apt-get.cc: fix insecure tempfile handling in
apt-get changelog (CVE-2014-7206). Thanks to Guillem Jover
apt (1.0.1ubuntu2.4.1) trusty-security; urgency=low
* SECURITY UPDATE:
- fix potential buffer overflow, thanks to the
Google Security Team (CVE-2014-6273)
* Fix regression from the previous upload when file:/// sources
are used and those are on a different partition than
the apt state directory
* Fix regression when Dir::state::lists is set to a relative path
* Fix regression when cdrom: sources got rewriten by apt-cdrom add
apt (1.0.1ubuntu2.3) trusty-security; urgency=low
* SECURITY UPDATE:
- incorrect invalidating of unauthenticated data (CVE-2014-0488)
- incorect verification of 304 reply (CVE-2014-0487)
- incorrect verification of Acquire::Gzip indexes (CVE-2014-0489)
Diffstat (limited to 'apt-pkg/contrib')
-rw-r--r-- | apt-pkg/contrib/fileutl.cc | 43 | ||||
-rw-r--r-- | apt-pkg/contrib/gpgv.cc | 23 | ||||
-rw-r--r-- | apt-pkg/contrib/hashes.cc | 2 | ||||
-rw-r--r-- | apt-pkg/contrib/hashes.h | 2 |
4 files changed, 60 insertions, 10 deletions
diff --git a/apt-pkg/contrib/fileutl.cc b/apt-pkg/contrib/fileutl.cc index 69a675648..3d4276f34 100644 --- a/apt-pkg/contrib/fileutl.cc +++ b/apt-pkg/contrib/fileutl.cc @@ -781,11 +781,26 @@ pid_t ExecFork(std::set<int> KeepFDs) signal(SIGCONT,SIG_DFL); signal(SIGTSTP,SIG_DFL); - // Close all of our FDs - just in case - for (int K = 3; K != sysconf(_SC_OPEN_MAX); K++) + DIR *dir = opendir("/proc/self/fd"); + if (dir != NULL) { - if(KeepFDs.find(K) == KeepFDs.end()) - fcntl(K,F_SETFD,FD_CLOEXEC); + struct dirent *ent; + while ((ent = readdir(dir))) + { + int fd = atoi(ent->d_name); + // If fd > 0, it was a fd number and not . or .. + if (fd >= 3 && KeepFDs.find(fd) == KeepFDs.end()) + fcntl(fd,F_SETFD,FD_CLOEXEC); + } + closedir(dir); + } else { + long ScOpenMax = sysconf(_SC_OPEN_MAX); + // Close all of our FDs - just in case + for (int K = 3; K != ScOpenMax; K++) + { + if(KeepFDs.find(K) == KeepFDs.end()) + fcntl(K,F_SETFD,FD_CLOEXEC); + } } } @@ -1574,18 +1589,34 @@ bool FileFd::Write(const void *From,unsigned long long Size) size_t const n = sizeof(d->lzma->buffer)/sizeof(d->lzma->buffer[0]) - d->lzma->stream.avail_out; size_t const m = (n == 0) ? 0 : fwrite(d->lzma->buffer, 1, n, d->lzma->file); if (m != n) + { Res = -1; + errno = 0; + } else + { Res = Size - d->lzma->stream.avail_in; + if (Res == 0) + { + // lzma run was okay, but produced no output… + Res = -1; + errno = EINTR; + } + } } #endif else Res = write(iFd,From,Size); - if (Res < 0 && errno == EINTR) - continue; if (Res < 0) { + if (errno == EINTR) + { + // trick the while-loop into running again + Res = 1; + errno = 0; + continue; + } if (false) /* dummy so that the rest can be 'else if's */; #ifdef HAVE_ZLIB diff --git a/apt-pkg/contrib/gpgv.cc b/apt-pkg/contrib/gpgv.cc index f24dd9640..0d74050cb 100644 --- a/apt-pkg/contrib/gpgv.cc +++ b/apt-pkg/contrib/gpgv.cc @@ -247,6 +247,20 @@ void ExecGPGV(std::string const &File, std::string const &FileGPG, } /*}}}*/ // SplitClearSignedFile - split message into data/signature /*{{{*/ +static int GetLineErrno(char **lineptr, size_t *n, FILE *stream, std::string const &InFile) +{ + int result; + + errno = 0; + result = getline(lineptr, n, stream); + if (errno != 0) + { + _error->Errno("getline", "Could not read from %s", InFile.c_str()); + return -1; + } + + return result; +} bool SplitClearSignedFile(std::string const &InFile, FileFd * const ContentFile, std::vector<std::string> * const ContentHeader, FileFd * const SignatureFile) { @@ -262,7 +276,8 @@ bool SplitClearSignedFile(std::string const &InFile, FileFd * const ContentFile, char *buf = NULL; size_t buf_size = 0; - while (getline(&buf, &buf_size, in) != -1) + _error->PushToStack(); + while (GetLineErrno(&buf, &buf_size, in, InFile) != -1) { _strrstrip(buf); if (found_message_start == false) @@ -324,6 +339,12 @@ bool SplitClearSignedFile(std::string const &InFile, FileFd * const ContentFile, } fclose(in); + // An error occured during reading - propagate it up + bool const hasErrored = _error->PendingError(); + _error->MergeWithStack(); + if (hasErrored) + return false; + if (found_signature == true) return _error->Error("Signature in file %s wasn't closed", InFile.c_str()); diff --git a/apt-pkg/contrib/hashes.cc b/apt-pkg/contrib/hashes.cc index 15f83615d..1fce0d75f 100644 --- a/apt-pkg/contrib/hashes.cc +++ b/apt-pkg/contrib/hashes.cc @@ -133,7 +133,7 @@ bool Hashes::AddFD(int const Fd,unsigned long long Size, bool const addMD5, bool const addSHA1, bool const addSHA256, bool const addSHA512) { unsigned char Buf[64*64]; - bool const ToEOF = (Size == UntilEOF); + bool const ToEOF = (Size == 0); while (Size != 0 || ToEOF) { unsigned long long n = sizeof(Buf); diff --git a/apt-pkg/contrib/hashes.h b/apt-pkg/contrib/hashes.h index 7a62f8a8f..5cd1af03b 100644 --- a/apt-pkg/contrib/hashes.h +++ b/apt-pkg/contrib/hashes.h @@ -78,8 +78,6 @@ class Hashes SHA256Summation SHA256; SHA512Summation SHA512; - static const int UntilEOF = 0; - inline bool Add(const unsigned char *Data,unsigned long long Size) { return MD5.Add(Data,Size) && SHA1.Add(Data,Size) && SHA256.Add(Data,Size) && SHA512.Add(Data,Size); |