summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2019-02-05Add a Packages-Require-Authorization Release file fieldJulian Andres Klode
This new field allows a repository to declare that access to packages requires authorization. The current implementation will set the pin to -32768 if no authorization has been provided in the auth.conf(.d) files. This implementation is suboptimal in two aspects: (1) A repository should behave more like NotSource repositories (2) We only have the host name for the repository, we cannot use paths yet. - We can fix those after an ABI break. The code also adds a check to acquire-item.cc to not use the specified repository as a download source, mimicking NotSource. (cherry picked from commit c2b9b0489538fed4770515bd8853a960b13a2618) LP: #1814727 (cherry picked from commit d75162bc67d5a1a690eb2a8747d31ad68353823e)
2019-02-05Introduce experimental 'never' pinning for sourcesJulian Andres Klode
This allows disabling a repository by pinning it to 'never', which is internally translated to a value of -32768 (or whatever the minimum of short is). This overrides any other pin for that repository. It can be used to make sure certain sources are never used; for example, in unattended-upgrades. To prevent semantic changes to existing files, we substitute min + 1 for every pin-priority: <min>. This is a temporary solution, as we are waiting for an ABI break. To add pins with that value, the special Pin-Priority "never" may be used for now. It's unclear if that will persist, or if the interface will change eventually. (cherry picked from commit 8bb2a91a070170d7d8e71206d1c66a26809bdbc3) LP: #1814727 (cherry picked from commit f52e7a2040f461fb37f88751f5a42a5d5c130441)
2019-02-05private-json-hooks.cc: deal with EPIPEMichael Vogt
While running our CI we noticed that sometimes we see an error from the new json hooks code. The error message is: ``` E: Could not read response to hello message from hook [ ! -f /usr/bin/snap ] || /usr/bin/snap advise-snap --from-apt 2>/dev/null || true: Broken pipe ``` when purging the snapd package which provides the hook. This indicates that we should probably also consider EPIPE not an error (just like we do for ECONNRESET). This PR does exactly this. (cherry picked from commit 6af48a7f83540c807be1d2777470d23e6b260eb8) LP: #1814543 (cherry picked from commit 97412ac47a974b1eb0e8280cf11b3b80ff1ba17f)
2019-01-25Release 1.6.81.6.8Julian Andres Klode
2019-01-25SECURITY UPDATE: content injection in http method (CVE-2019-3462)Julian Andres Klode
This fixes a security issue that can be exploited to inject arbritrary debs or other files into a signed repository as followed: (1) Server sends a redirect to somewhere%0a<headers for the apt method> (where %0a is \n encoded) (2) apt method decodes the redirect (because the method encodes the URLs before sending them out), writting something like somewhere\n <headers> into its output (3) apt then uses the headers injected for validation purposes. Regression-Of: c34ea12ad509cb34c954ed574a301c3cbede55ec LP: #1812353
2019-01-14Release 1.6.71.6.7Julian Andres Klode
2019-01-14Merge translations from 1.8 seriesJulian Andres Klode
2019-01-14Add support for /etc/apt/auth.conf.d/*.conf (netrcparts)Julian Andres Klode
This allows us to install matching auth files for sources.list.d files, for example; very useful. This converts aptmethod's authfd from one FileFd to a vector of pointers to FileFd, as FileFd cannot be copied, and move operators are hard. (cherry picked from commit bbfcc05c1978decd28df9681fd73e2a7d9a8c2a5) LP: #1811120 (cherry picked from commit 5629f35ecb7956b180364ebaf57e79f35885344e)
2019-01-09NeverAutoRemove kernel meta packagesJulian Andres Klode
This gives more protection for people where kernel metapackages are accidentally removed. LP: #1787460 (cherry picked from commit a4b0ce5a4f5068f780b3aa94473230b5093a837d) (cherry picked from commit 890f21e846025701f4596a69399f798219357c76)
2019-01-09Merge branch 'l10n-1.6' into '1.6.y'Julian Andres Klode
[l10n] Update Italian translation See merge request apt-team/apt!36
2019-01-09[l10n] Update Italian translationMilo Casagrande
Signed-off-by: Milo Casagrande <milo@milo.name>
2018-10-09release 1.6.61.6.6Julian Andres Klode
2018-10-09Set DPKG_FRONTEND_LOCKED when running {pre,post}-invoke scriptsJulian Andres Klode
Some post-invoke scripts install packages, which fails because the environment variable is not set. This sets the variable for all three kinds of scripts {pre,post-}invoke and pre-install-pkgs, but we will only allow post-invoke at a later time. Gbp-Dch: full (cherry picked from commit 6675601c81de85b40dc89772c1d6d17f1811c5ba) LP: #1796808
2018-09-28Release 1.6.51.6.5Julian Andres Klode
2018-09-28Update libapt-pkg5.0 symbols for frontend lockingJulian Andres Klode
2018-09-28pkgCacheFile: Only unlock in destructor if locked beforeJulian Andres Klode
pkgCacheFile's destructor unlocks the system, which is confusing if you did not open the cachefile with WithLock set. Create a private data instance that holds the value of WithLock. This regression was introduced in commit b2e465d6d32d2dc884f58b94acb7e35f671a87fe: Join with aliencode Author: jgg Date: 2001-02-20 07:03:16 GMT Join with aliencode by replacing a "Lock" member that was only initialized when the lock was taken by calls to Lock, UnLock; with the latter also taking place if the former did not occur. Regression-Of: b2e465d6d32d2dc884f58b94acb7e35f671a87fe LP: #1794053 (cherry picked from commit e02297b8e22dae04872fe6fab6dba966de65dbba)
2018-09-28http: Stop pipeline after close only if it was not filled beforeJulian Andres Klode
It is perfectly valid behavior for a server to respond with Connection: close eventually, even when pipelining. Turning off pipelining due to that is wrong. For example, some Ubuntu mirrors close the connection after 101 requests. If I have more packages to install, only the first 101 would benefit from pipelining. This commit introduces a new check to only turn of pipelining for future connections if the pipeline for this connection did not have 3 successful fetches before, that should work quite well to detect broken server/proxy combinations like in bug 832113. (cherry picked from commit df696650b7a8c58bbd92e0e1619e956f21010a96) LP: #1794957
2018-09-28Set DPKG_FRONTEND_LOCKED as needed when doing selection changesJulian Andres Klode
We forgot to set the variable for the selection changes. Let's set it for that and some other dpkg calls. Regression-Of: c2c8b4787b0882234ba2772ec7513afbf97b563a (cherry picked from commit 55489885b51b02b7f74e601a393ecaefd1f71f9c)
2018-09-28Add support for dpkg frontend lockJulian Andres Klode
The dpkg frontend lock is a lock dpkg tries to acquire except if the frontend already acquires it. This fixes a race condition in the install command where the dpkg lock is not held for a short period of time between different dpkg invocations. For this reason we also define an environment variable DPKG_FRONTEND_LOCKED for dpkg invocations so dpkg knows not to try to acquire the frontend lock because it's held by a parent process. We can set DPKG_FRONTEND_LOCKED only if the frontend lock really is held; that is, if our lock count is greater than 0 - otherwise an apt client not using the LockInner family of functions would run dpkg without the frontend lock set, but with DPKG_FRONTEND_LOCKED set. Such a process has a weaker guarantee: Because dpkg would not lock the frontend lock either, the process is prone to the existing races, and, more importantly, so is a new style process. Closes: #869546 [fixups: fix error messages, add public IsLocked() method, and make {Un,}LockInner return an error on !debSystem] (cherry picked from commit c2c8b4787b0882234ba2772ec7513afbf97b563a) LP: #1781169
2018-08-20Support records larger than 32kb in 'apt show'David Kalnischkies
The default buffer size for pkgTagFile is 32kb which should be big enough for everything… expect for enormous lists of provides, resulting in: $ apt show librust-winapi-dev E: Unable to parse package file /var/lib/apt/lists/ftp.br.debian.org_debian_dists_unstable_main_binary-amd64_Packages (2) E: Internal Error, Unable to parse a package record The "apt-cache show" codepath uses instead a max size for all files, which seems a bit excessive, but works – using the max size for the file in question seems most appropriate. The patch is written for the 1.6.y series as a rewrite of the related code in the 1.7.y series (commit bf53f39c9a0221b670ffff74053ed36fc502d5a0) removed this problem before it was reported. Closes: #905527 LP: #1787120
2018-08-20Release 1.6.41.6.4Julian Andres Klode
2018-08-20Revert "Release 1.6.3ubuntu0.1"Julian Andres Klode
This reverts commit ed94a024e14e0fdbd9ea6cabd07063da441bcc02.
2018-08-20Release 1.6.3ubuntu0.11.6.3ubuntu0.1Julian Andres Klode
2018-08-20clear alternative URIs for mirror:// between steps (CVE-2018-0501)David Kalnischkies
APT in 1.6 saw me rewriting the mirror:// transport method, which works comparable to the decommissioned httpredir.d.o "just" that apt requests a mirror list and performs all the redirections internally with all the bells like parallel download and automatic fallback (more details in the apt-transport-mirror manpage included in the 1.6 release). The automatic fallback is the problem here: The intend is that if a file fails to be downloaded (e.g. because the mirror is offline, broken, out-of-sync, …) instead of erroring out the next mirror in the list is contacted for a retry of the download. Internally the acquire process of an InRelease file (works with the Release/Release.gpg pair, too) happens in steps: 1) download file and 2) verify file, both handled as URL requests passed around. Due to an oversight the fallbacks for the first step are still active for the second step, so that the successful download from another mirror stands in for the failed verification… *facepalm* Note that the attacker can not judge by the request arriving for the InRelease file if the user is using the mirror method or not. If entire traffic is observed Eve might be able to observe the request for a mirror list, but that might or might not be telling if following requests for InRelease files will be based on that list or for another sources.list entry not using mirror (Users have also the option to have the mirror list locally (via e.g. mirror+file://) instead of on a remote host). If the user isn't using mirror:// for this InRelease file apt will fail very visibly as intended. (The mirror list needs to include at least two mirrors and to work reliably the attacker needs to be able to MITM all mirrors in the list. For remotely accessed mirror lists this is no limitation as the attacker is in full control of the file in that case) Fixed by clearing the alternatives after a step completes (and moving a pimpl class further to the top to make that valid compilable code). mirror:// is at the moment the only method using this code infrastructure (for all others this set is already empty) and the only method-independent user so far is the download of deb files, but those are downloaded and verified in a single step; so there shouldn't be much opportunity for regression here even through a central code area is changed. Upgrade instructions: Given all apt-based frontends are affected, even additional restrictions like signed-by are bypassed and the attack in progress is hardly visible in the progress reporting of an update operation (the InRelease file is marked "Ign", but no fallback to "Release/Release.gpg" is happening) and leaves no trace (expect files downloaded from the attackers repository of course) the best course of action might be to change the sources.list to not use the mirror family of transports ({tor+,…}mirror{,+{http{,s},file,…}}) until a fixed version of the src:apt packages are installed. Regression-Of: 355e1aceac1dd05c4c7daf3420b09bd860fd169d, 57fa854e4cdb060e87ca265abd5a83364f9fa681 LP: #1787752
2018-07-09Release 1.6.31.6.3Julian Andres Klode
2018-07-09Handle JSON hooks that just close the file/exit and fix some other errorsJulian Andres Klode
JSON hooks might disappear and the common idiom to work around hooks disappearing is to check for the hook in the shell snippet that is in the apt.conf file and if it does not exist, do nothing. This caused APT to fail however, expecting it to acknowledge the handshake. Ignoring ECONNRESET on handshakes solves the problem. The error case, and the other error cases also did not stop execution of the hook, causing more errors to pile up. Fix this by directly going to the closing part of the code. LP: #1776218 (cherry picked from commit 1d53cffad22c92645090e0e6ddde31fe4f7c3b05)
2018-06-25Release 1.6.21.6.2Julian Andres Klode
2018-06-25gitlab-ci: chmod 755 /rootJulian Andres Klode
This should avoid test failures on ubuntu:bionic (cherry picked from commit 3a37521aec0b02e12deaef58772ae0bca9a75496)
2018-06-25gitlab-ci.yml: Also pull in ninja-build for 1.6.yJulian Andres Klode
We don't use ninja to build the package in 1.6.y, so we need to pull it in manually.
2018-06-25CI: Export DEBIAN_FRONTEND=noninteractive in all CI environmentsJulian Andres Klode
This ensures that we don't hang waiting for debconf. (cherry picked from commit 551ded4b63f6f47f022c5ca841031fc2566a58ff)
2018-06-25Fix lock counting in debSystemJulian Andres Klode
debSystem uses a reference counted lock, so you can acquire it multiple times in your applications, possibly nested. Nesting locks causes a fd leak, though, as we only increment the lock count when we already have locked twice, rather than once, and hence when we call lock the second time, instead of increasing the lock count, we open another lock fd. This fixes the code to check if we have locked at all (> 0). There is no practical problem here aside from the fd leak, as closing the new fd releases the lock on the old one due to the weird semantics of fcntl locks. (cherry picked from commit 79f012bd09ae99d4c9d63dc0ac960376b5338b32)
2018-06-25apt-key: Pass all instead of gpg-agent to gpgconf --killJulian Andres Klode
We want to kill everything using our temporary directory. LP: #1773992 (cherry picked from commit 819426013c6ca6310bb469440702b6295dba4498)
2018-06-25gitlab-ci: Run on ubuntu:bionic for 1.6.yJulian Andres Klode
Gbp-Dch: ignore
2018-06-25Lower default timeout from 120s to 30sJulian Andres Klode
120s is an insanely high default time out, lower it to 30s to make things a bit nicer. (cherry picked from commit 329a4a6159f1972ff5ec7bc2db26430f26dc61f3)
2018-06-25Handle a missed case of timed out ip addressesJulian Andres Klode
Correctly register timed out IP addresses from a timed out select() call as a bad address so we do not try it again. LP: #1766542 (cherry picked from commit 71b65b3563d223f6cd69261918ec06d10da48e6c)
2018-06-25Fix hidden test failure if not called via sudoDavid Kalnischkies
id: '': no such user ./test-bug-611729-mark-as-manual: 59: [: Illegal number: Regression-of: 68842e1741a5005b1e3f0a07deffd737c65e3294 Gbp-Dch: Ignore (cherry picked from commit ea901a491bcfe406267c7c38c227c5caabf017a0)
2018-06-25Run tests on GitLab CIJulian Andres Klode
Salsa has support for GitLab CI. This introduces a test setup for it, derived from the ones for shippable and travis. It is not optimal yet: The build is run in the test stage. Fixing this requires us to separate test from build dependencies, and storing build/ as an artifact of the build stage; since build and test stage run on different runners with fresh checkouts and images. (cherry picked from commit 8cc38267809a15ec9819bce721e52fcd90a523b9)
2018-06-25tests: Do not expect requested-by if sudo was invoked by rootJulian Andres Klode
If sudo was invoked by root, SUDO_UID will be 0, and apt will not print a Requested-By line. (cherry picked from commit 68842e1741a5005b1e3f0a07deffd737c65e3294)
2018-06-25Fix build with new gtestJulian Andres Klode
Still allow the older one to be used. Closes: #897149 (cherry picked from commit 39d9e217a22901892647499ee695ba472a111d25)
2018-04-20Release 1.6.11.6.1Julian Andres Klode
2018-04-20apt.conf.autoremove: Catch some new Ubuntu module packagesJulian Andres Klode
2018-04-20CMake: Fix builds without zstdJulian Andres Klode
Only use zstd defined variables if zstd was found.
2018-04-18Release 1.61.6Julian Andres Klode
2018-04-18Point debian-branch to 1.6.yJulian Andres Klode
2018-04-18Make libzstd optional in CMakeLists.txt, to aid cross-buildingJulian Andres Klode
This makes cross-building a bit easier, and also porting to other platforms. (cherry picked from commit 7d6994799f6782ba5e024ad0861e036d93e5f447)
2018-04-15Release 1.6~rc11.6_rc1Julian Andres Klode
2018-04-15French man pages translationjean-pierre giraud
[jak: Fix invalid empty line] Closes: #895117
2018-04-15Revert "mention mirror method in sources.list"Julian Andres Klode
This reverts commit 57a00c50b14a49ed91816e3f4467e0f2e57ee772.
2018-04-15Merge branch 'pu/heavy-hooks' into 'master'Julian Andres Klode
json-based hooks for apt cli tools See merge request apt-team/apt!10
2018-04-15Introduce experimental new hooks for command-line toolsJulian Andres Klode
This allows third-party package managers like snap or flatpak to hook in and suggest alternatives if packages could not be found, for example. This is still highly experimental and the protocol might change in future versions.