Age | Commit message (Collapse) | Author |
|
The dpkg frontend lock is a lock dpkg tries to acquire
except if the frontend already acquires it.
This fixes a race condition in the install command where the
dpkg lock is not held for a short period of time between
different dpkg invocations.
For this reason we also define an environment variable
DPKG_FRONTEND_LOCKED for dpkg invocations so dpkg knows
not to try to acquire the frontend lock because it's held
by a parent process.
We can set DPKG_FRONTEND_LOCKED only if the frontend lock
really is held; that is, if our lock count is greater than 0
- otherwise an apt client not using the LockInner family of
functions would run dpkg without the frontend lock set, but
with DPKG_FRONTEND_LOCKED set. Such a process has a weaker
guarantee: Because dpkg would not lock the frontend lock
either, the process is prone to the existing races, and,
more importantly, so is a new style process.
Closes: #869546
[fixups: fix error messages, add public IsLocked() method, and
make {Un,}LockInner return an error on !debSystem]
(cherry picked from commit c2c8b4787b0882234ba2772ec7513afbf97b563a)
LP: #1781169
|
|
The default buffer size for pkgTagFile is 32kb which should be big
enough for everything… expect for enormous lists of provides,
resulting in:
$ apt show librust-winapi-dev
E: Unable to parse package file /var/lib/apt/lists/ftp.br.debian.org_debian_dists_unstable_main_binary-amd64_Packages (2)
E: Internal Error, Unable to parse a package record
The "apt-cache show" codepath uses instead a max size for all files,
which seems a bit excessive, but works – using the max size for the file
in question seems most appropriate.
The patch is written for the 1.6.y series as a rewrite of the related
code in the 1.7.y series (commit bf53f39c9a0221b670ffff74053ed36fc502d5a0)
removed this problem before it was reported.
Closes: #905527
LP: #1787120
|
|
|
|
This reverts commit ed94a024e14e0fdbd9ea6cabd07063da441bcc02.
|
|
|
|
APT in 1.6 saw me rewriting the mirror:// transport method, which works
comparable to the decommissioned httpredir.d.o "just" that apt requests
a mirror list and performs all the redirections internally with all the
bells like parallel download and automatic fallback (more details in the
apt-transport-mirror manpage included in the 1.6 release).
The automatic fallback is the problem here: The intend is that if a file
fails to be downloaded (e.g. because the mirror is offline, broken,
out-of-sync, …) instead of erroring out the next mirror in the list is
contacted for a retry of the download.
Internally the acquire process of an InRelease file (works with the
Release/Release.gpg pair, too) happens in steps: 1) download file and 2)
verify file, both handled as URL requests passed around. Due to an
oversight the fallbacks for the first step are still active for the
second step, so that the successful download from another mirror stands
in for the failed verification… *facepalm*
Note that the attacker can not judge by the request arriving for the
InRelease file if the user is using the mirror method or not. If entire
traffic is observed Eve might be able to observe the request for
a mirror list, but that might or might not be telling if following
requests for InRelease files will be based on that list or for another
sources.list entry not using mirror (Users have also the option to have
the mirror list locally (via e.g. mirror+file://) instead of on a remote
host). If the user isn't using mirror:// for this InRelease file apt
will fail very visibly as intended.
(The mirror list needs to include at least two mirrors and to work
reliably the attacker needs to be able to MITM all mirrors in the list.
For remotely accessed mirror lists this is no limitation as the attacker
is in full control of the file in that case)
Fixed by clearing the alternatives after a step completes (and moving a pimpl
class further to the top to make that valid compilable code). mirror://
is at the moment the only method using this code infrastructure (for all
others this set is already empty) and the only method-independent user
so far is the download of deb files, but those are downloaded and
verified in a single step; so there shouldn't be much opportunity for
regression here even through a central code area is changed.
Upgrade instructions: Given all apt-based frontends are affected, even
additional restrictions like signed-by are bypassed and the attack in
progress is hardly visible in the progress reporting of an update
operation (the InRelease file is marked "Ign", but no fallback to
"Release/Release.gpg" is happening) and leaves no trace (expect files
downloaded from the attackers repository of course) the best course of
action might be to change the sources.list to not use the mirror family
of transports ({tor+,…}mirror{,+{http{,s},file,…}}) until a fixed
version of the src:apt packages are installed.
Regression-Of: 355e1aceac1dd05c4c7daf3420b09bd860fd169d,
57fa854e4cdb060e87ca265abd5a83364f9fa681
LP: #1787752
|
|
|
|
JSON hooks might disappear and the common idiom to work around hooks
disappearing is to check for the hook in the shell snippet that is
in the apt.conf file and if it does not exist, do nothing. This caused
APT to fail however, expecting it to acknowledge the handshake.
Ignoring ECONNRESET on handshakes solves the problem.
The error case, and the other error cases also did not stop execution
of the hook, causing more errors to pile up. Fix this by directly going
to the closing part of the code.
LP: #1776218
(cherry picked from commit 1d53cffad22c92645090e0e6ddde31fe4f7c3b05)
|
|
|
|
This should avoid test failures on ubuntu:bionic
(cherry picked from commit 3a37521aec0b02e12deaef58772ae0bca9a75496)
|
|
We don't use ninja to build the package in 1.6.y, so we need
to pull it in manually.
|
|
This ensures that we don't hang waiting for debconf.
(cherry picked from commit 551ded4b63f6f47f022c5ca841031fc2566a58ff)
|
|
debSystem uses a reference counted lock, so you can acquire it
multiple times in your applications, possibly nested. Nesting
locks causes a fd leak, though, as we only increment the lock
count when we already have locked twice, rather than once, and
hence when we call lock the second time, instead of increasing
the lock count, we open another lock fd.
This fixes the code to check if we have locked at all (> 0).
There is no practical problem here aside from the fd leak, as
closing the new fd releases the lock on the old one due to the
weird semantics of fcntl locks.
(cherry picked from commit 79f012bd09ae99d4c9d63dc0ac960376b5338b32)
|
|
We want to kill everything using our temporary directory.
LP: #1773992
(cherry picked from commit 819426013c6ca6310bb469440702b6295dba4498)
|
|
Gbp-Dch: ignore
|
|
120s is an insanely high default time out, lower it to 30s
to make things a bit nicer.
(cherry picked from commit 329a4a6159f1972ff5ec7bc2db26430f26dc61f3)
|
|
Correctly register timed out IP addresses from a timed out
select() call as a bad address so we do not try it again.
LP: #1766542
(cherry picked from commit 71b65b3563d223f6cd69261918ec06d10da48e6c)
|
|
id: '': no such user
./test-bug-611729-mark-as-manual: 59: [: Illegal number:
Regression-of: 68842e1741a5005b1e3f0a07deffd737c65e3294
Gbp-Dch: Ignore
(cherry picked from commit ea901a491bcfe406267c7c38c227c5caabf017a0)
|
|
Salsa has support for GitLab CI. This introduces a test setup
for it, derived from the ones for shippable and travis. It is
not optimal yet: The build is run in the test stage. Fixing this
requires us to separate test from build dependencies, and storing
build/ as an artifact of the build stage; since build and test
stage run on different runners with fresh checkouts and images.
(cherry picked from commit 8cc38267809a15ec9819bce721e52fcd90a523b9)
|
|
If sudo was invoked by root, SUDO_UID will be 0, and apt
will not print a Requested-By line.
(cherry picked from commit 68842e1741a5005b1e3f0a07deffd737c65e3294)
|
|
Still allow the older one to be used.
Closes: #897149
(cherry picked from commit 39d9e217a22901892647499ee695ba472a111d25)
|
|
|
|
|
|
Only use zstd defined variables if zstd was found.
|
|
|
|
|
|
This makes cross-building a bit easier, and also porting to
other platforms.
(cherry picked from commit 7d6994799f6782ba5e024ad0861e036d93e5f447)
|
|
|
|
[jak: Fix invalid empty line]
Closes: #895117
|
|
This reverts commit 57a00c50b14a49ed91816e3f4467e0f2e57ee772.
|
|
json-based hooks for apt cli tools
See merge request apt-team/apt!10
|
|
This allows third-party package managers like snap or flatpak
to hook in and suggest alternatives if packages could not be
found, for example.
This is still highly experimental and the protocol might change
in future versions.
|
|
pu/zstd
See merge request apt-team/apt!8
|
|
This implements support for multi frame files while keeping
error checking for unexpected EOF working correctly. Files
with multiple frames are generated by pzstd, for example.
|
|
This is a simplified variant of the code for xz, adapted to support
multiple digit integers.
|
|
Collecting the packages we could not find allows us to pass them
to other places.
|
|
Reported-By: Mattia Rizzolo on IRC
|
|
Closes: 679580
|
|
The override file already implements this, so we just adapt to reality.
Reported-By: lintian excessive-priority-for-library-package
|
|
Reported-By: lintian spelling-error-in-manpage
|
|
At least it tries a little harder.
Gbp-Dch: Ignore
|
|
Whatever caused it, lets fix it.
|
|
|
|
Fixes test suite on Ubuntu docker images.
|
|
Closes: #891644
|
|
LP: #1732030
Closes: #890489
Fixes meefik/linuxdeploy#869
|
|
1.6.y is bionic's release series, it should be tested in it.
|
|
Shipping 1.6 with major 12 would not allow us to update 1.5.y
in a different way than 1.6.y if we have to without resorting
to minor version hacks. Let's just bump the major instead.
|
|
We just enabled https on changelogs.ubuntu.com, let's use it.
|
|
|