summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2019-01-25SECURITY UPDATE: content injection in http method (CVE-2019-3462)Julian Andres Klode
This fixes a security issue that can be exploited to inject arbritrary debs or other files into a signed repository as followed: (1) Server sends a redirect to somewhere%0a<headers for the apt method> (where %0a is \n encoded) (2) apt method decodes the redirect (because the method encodes the URLs before sending them out), writting something like somewhere\n <headers> into its output (3) apt then uses the headers injected for validation purposes. Regression-Of: c34ea12ad509cb34c954ed574a301c3cbede55ec LP: #1812353
2018-10-09release 1.2.291.2.29Julian Andres Klode
2018-10-09Set DPKG_FRONTEND_LOCKED when running {pre,post}-invoke scriptsJulian Andres Klode
Some post-invoke scripts install packages, which fails because the environment variable is not set. This sets the variable for all three kinds of scripts {pre,post-}invoke and pre-install-pkgs, but we will only allow post-invoke at a later time. Gbp-Dch: full (cherry picked from commit 6675601c81de85b40dc89772c1d6d17f1811c5ba) LP: #1796808 (cherry picked from commit 0ce6bc5ec70ff84eb2829f91f286a93687e77a46)
2018-09-28Release 1.2.281.2.28Julian Andres Klode
2018-09-28Update libapt-pkg5.0 symbols for frontend lockingJulian Andres Klode
(cherry picked from commit 2e7af714deea25fe9c85b491814862301d01816b)
2018-09-28pkgCacheFile: Only unlock in destructor if locked beforeJulian Andres Klode
pkgCacheFile's destructor unlocks the system, which is confusing if you did not open the cachefile with WithLock set. Create a private data instance that holds the value of WithLock. This regression was introduced in commit b2e465d6d32d2dc884f58b94acb7e35f671a87fe: Join with aliencode Author: jgg Date: 2001-02-20 07:03:16 GMT Join with aliencode by replacing a "Lock" member that was only initialized when the lock was taken by calls to Lock, UnLock; with the latter also taking place if the former did not occur. Regression-Of: b2e465d6d32d2dc884f58b94acb7e35f671a87fe LP: #1794053 (cherry picked from commit e02297b8e22dae04872fe6fab6dba966de65dbba) (cherry picked from commit 248f70d425c4cd865d4bd54ab1134ccff8b68e36)
2018-09-28http: Stop pipeline after close only if it was not filled beforeJulian Andres Klode
It is perfectly valid behavior for a server to respond with Connection: close eventually, even when pipelining. Turning off pipelining due to that is wrong. For example, some Ubuntu mirrors close the connection after 101 requests. If I have more packages to install, only the first 101 would benefit from pipelining. This commit introduces a new check to only turn of pipelining for future connections if the pipeline for this connection did not have 3 successful fetches before, that should work quite well to detect broken server/proxy combinations like in bug 832113. (cherry picked from commit df696650b7a8c58bbd92e0e1619e956f21010a96) LP: #1794957 (cherry picked from commit 3de7454c796f245371c33076ae01529d6d36d715)
2018-09-28Set DPKG_FRONTEND_LOCKED as needed when doing selection changesJulian Andres Klode
We forgot to set the variable for the selection changes. Let's set it for that and some other dpkg calls. Regression-Of: c2c8b4787b0882234ba2772ec7513afbf97b563a (cherry picked from commit 55489885b51b02b7f74e601a393ecaefd1f71f9c) (cherry picked from commit d66bd6e5e9ae96676e805cce43937a0528cebe1b)
2018-09-28Add support for dpkg frontend lockJulian Andres Klode
The dpkg frontend lock is a lock dpkg tries to acquire except if the frontend already acquires it. This fixes a race condition in the install command where the dpkg lock is not held for a short period of time between different dpkg invocations. For this reason we also define an environment variable DPKG_FRONTEND_LOCKED for dpkg invocations so dpkg knows not to try to acquire the frontend lock because it's held by a parent process. We can set DPKG_FRONTEND_LOCKED only if the frontend lock really is held; that is, if our lock count is greater than 0 - otherwise an apt client not using the LockInner family of functions would run dpkg without the frontend lock set, but with DPKG_FRONTEND_LOCKED set. Such a process has a weaker guarantee: Because dpkg would not lock the frontend lock either, the process is prone to the existing races, and, more importantly, so is a new style process. Closes: #869546 [fixups: fix error messages, add public IsLocked() method, and make {Un,}LockInner return an error on !debSystem] (cherry picked from commit c2c8b4787b0882234ba2772ec7513afbf97b563a) LP: #1781169 (cherry picked from commit 6c0c94ed32b8e679b14b0f89b51c1c336dc0ab9c)
2018-09-28Support records larger than 32kb in 'apt show'David Kalnischkies
The default buffer size for pkgTagFile is 32kb which should be big enough for everything… expect for enormous lists of provides, resulting in: $ apt show librust-winapi-dev E: Unable to parse package file /var/lib/apt/lists/ftp.br.debian.org_debian_dists_unstable_main_binary-amd64_Packages (2) E: Internal Error, Unable to parse a package record The "apt-cache show" codepath uses instead a max size for all files, which seems a bit excessive, but works – using the max size for the file in question seems most appropriate. The patch is written for the 1.6.y series as a rewrite of the related code in the 1.7.y series (commit bf53f39c9a0221b670ffff74053ed36fc502d5a0) removed this problem before it was reported. Closes: #905527 LP: #1787120 (cherry picked from commit 409ceec9ed30cbebd8ece1ef7ce667ab5a32f9df)
2018-07-17apt.conf.autoremove: Add linux-cloud-tools to listJulian Andres Klode
LP: #1698159 (cherry picked from commit 923ba67464960940a19b24a341e896a9338161fb)
2018-06-26Release 1.2.271.2.27Julian Andres Klode
2018-06-25apt.conf.autoremove: Catch some new Ubuntu module packagesJulian Andres Klode
(cherry picked from commit 4ba9412d545232794bd7838e0174df8fda4152b8) LP: #1778551
2018-06-25Fix lock counting in debSystemJulian Andres Klode
debSystem uses a reference counted lock, so you can acquire it multiple times in your applications, possibly nested. Nesting locks causes a fd leak, though, as we only increment the lock count when we already have locked twice, rather than once, and hence when we call lock the second time, instead of increasing the lock count, we open another lock fd. This fixes the code to check if we have locked at all (> 0). There is no practical problem here aside from the fd leak, as closing the new fd releases the lock on the old one due to the weird semantics of fcntl locks. (cherry picked from commit 79f012bd09ae99d4c9d63dc0ac960376b5338b32) (cherry picked from commit 1edcb718293f24ad190703a345f8f868b6e3bcc4) LP: #1778547
2018-04-10don't hang if multiple sources use unavailable methodDavid Kalnischkies
APT clients always noticed if a method isn't supported and nowadays generate a message of the form: E: The method driver …/foobar could not be found. N: Is the package apt-transport-foobar installed? This only worked if a single source was using such an unavailable method through as we were registering the failed config the first round and the second would try to send requests to the not started method, which wouldn't work and hang instead (+ hiding the error messages as they would be shown only at the end of the execution). Closes: 870675 (cherry picked from commit e250a8d8d8ef2f8f8c5e2041f7645c49fba7aa36) (cherry picked from commit 281dbc8e481fbaeaf7310e0800468d4d212711b8) LP: #1762766
2018-03-06Release 1.2.261.2.26Julian Andres Klode
2018-03-06travis: Migrate to Docker to make CI work againJulian Andres Klode
This is based on 1.4.y, but with the old build system, and xenial as the base image.
2018-03-06Revert "http: A response with Content-Length: 0 has no content"Julian Andres Klode
This reverts commit dd547ebaffd2aceb42e2908f1d5f0ab386af6cb1. LP: #1751225
2017-09-26Release 1.2.25 to xenial1.2.25Julian Andres Klode
2017-09-13apt-daily: Pull in network-online.target in service, not timerJulian Andres Klode
There's no real point in pulling it in in the timer already, and it it somewhat saver to do so in the service. (cherry picked from commit 11417c1058e1b8441ee8f30f948e854b7a6ce89e) LP: #1716973 (cherry picked from commit 3e639687bbea08acd34f5a66dc99ea62848b7c17)
2017-09-13don't ask an uninit _system for supported archsDavid Kalnischkies
A libapt user who hasn't initialized _system likely has a reason, so we shouldn't greet back with a segfault usually deep down in the callstack for no reason. If the user had intended to pick up information from the system, _system wouldn't be uninitialized after all. LP: #1613184 SRU: 1.4.y (cherry picked from commit cba5c5a26a9bf00724f8ea647ac61b30e32734ba)
2017-09-13Gracefully terminate process when stopping apt-daily-upgradeBalint Reczey
The main process is guessed by systemd. This prevents killing dpkg run by unattended-upgrades in the middle of installing packages and ensures graceful shutdown. The timeout of 900 seconds after which apt-daily-upgrade.service is killed is in sync with unattended-upgrades's timer. LP: #1690980 (cherry picked from commit 78bc10d4702b30b46d802294ac43cffc34d9c431)
2017-09-13http: A response with Content-Length: 0 has no contentJulian Andres Klode
APT considered any response with a Content-Length to have a body, even if the value of the header was 0. A 0 length body however, is equal to no body. (cherry picked from commit d47fb34ae03566feec7fec6dccba80e45fa03e6f)
2017-09-13Reset failure reason when connection was successfulJulian Andres Klode
When APT was trying multiple addresses, any later error somewhere else would be reported with ConnectionRefused or ConnectionTimedOut as the FailReason because that was set by early connect attempts. This causes APT to handle the failures differently, leading to some weirdly breaking test cases (like the changed one). Add debugging to the previously failing test case so we can find out when something goes wrong there again. (cherry picked from commit d3a70c3e5ae68a0e5a3d4667dd1d0fc0887e6263)
2017-09-13use port from SRV record instead of initial portDavid Kalnischkies
An SRV record includes a portnumber to use with the host given, but apt was ignoring the portnumber and instead used either the port given by the user for the initial host or the default port for the service. In practice the service usually runs on another host on the default port, so it tends to work as intended and even if not and apt can't get a connection there it will gracefully fallback to contacting the initial host with the right port, so its a user invisible bug most of the time. (cherry picked from commit 9bdc09016f9570389451dd619d7e878bfeaa91df)
2017-09-13fix a "critical" typo in old changelog entryRobert Luberda
This typo exposes a bug in apt-listchanges that prevents commands like `apt-listchanges --show-all apt_*.deb' from showing the changelog. The bug will be fixed in next upload of apt-listchanges, but I think it would be nice have the typo fixed as well. Closes: 866358 (cherry picked from commit ec0ebf784d15821786334a4781d0b58b0b163363)
2017-06-19Release 1.2.241.2.24Julian Andres Klode
2017-06-19apt.systemd.daily: Use unattended-ugrade --download-only if availableJulian Andres Klode
Instead of passing -d, which enables a debugging mode; check if unattended-upgrade supports an option --download-only (which is yet to be implemented) and use that. Closes: #863859 Gbp-Dch: Full (cherry picked from commit 31c81a37ac6dceda0c94ce088b338b6b09afd5a4, cedf80c55766868eadc7ed59a27537c9a5d91edf) (cherry picked from commit 80b808940e69d2379d175da1aec97c3301cd0777)
2017-06-19Fix parsing of or groups in build-deps with ignored packagesJulian Andres Klode
If the last alternative(s) of an Or group is ignored, because it does not match an architecture list, we would end up keeping the or flag, effectively making the next AND an OR. For example, when parsing (on amd64): debhelper (>= 9), libnacl-dev [amd64] | libnacl-dev [i386] => debhelper (>= 9), libnacl-dev | Which can cause python-apt to crash. Even worse: debhelper (>= 9), libnacl-dev [amd64] | libnacl-dev [i386], foobar => debhelper (>= 9), libnacl-dev [amd64] | foobar By setting the previous alternatives Or flag to the current Or flag if the current alternative is ignored, we solve the issue. LP: #1694697 (cherry picked from commit 7ddf958e370d13f93edc6923bee289b2f6444b41) (cherry picked from commit 423ba4a958b9da02926e586bf59995817cafc32a)
2017-05-19Release 1.2.231.2.23Julian Andres Klode
2017-05-19apt.systemd.daily: Drop the LOCKFD variableJulian Andres Klode
Gbp-Dch: ignore (cherry picked from commit 3819004c2cb3893bfa136f3c44a5783c42cd2a8d) (cherry picked from commit 7e65cbfe4a073aa4e433681a8f52a3b87b31f63d)
2017-05-19apt.systemd.daily: fix error from locking codeAlan Jenkins
Error: pkgs that look like they should be upgraded: Error in function stop Traceback (most recent call last): File "/usr/lib/python3/dist-packages/apt/progress/text.py", line 240, in stop apt_pkg.size_to_str(self.current_cps))).rstrip("\n")) File "/usr/lib/python3/dist-packages/apt/progress/text.py", line 51, in _write self._file.write("\r") AttributeError: 'NoneType' object has no attribute 'write' fetch.run() result: 0 Caused by: LOCKFD=3 unattended_upgrades $LOCKFD>&- Unfortunately this code does not work, it is equivalent to unattended_upgrades 3 >&- I.e. it left fd 3 open, but closed stdout! Closes: #862567 (cherry picked from commit 7b4581cbe8fcf6e2bd56a27c5a7a1e6ea33d2973) (cherry picked from commit 3310f862cba0b997ede8fc4e2d270ab0f6b49e73)
2017-05-05Ubuntu release 1.2.221.2.22Julian Andres Klode
2017-05-05bash-completion: Fix spelling of autocleanMatt Kraai
Closes: #861846 (cherry picked from commit 6ff527b4f8c88ac406effb1d88fdb3c9ab42967b) (cherry picked from commit 732325f9d00cb5c32f4ba7a3d5524a467ff037b2)
2017-05-05Split apt-daily timer into twoJulian Andres Klode
The timer doing downloading runs throughout the day, whereas automatic upgrade and clean actions only happen in the morning. The upgrade service and timer have After= ordering requirements on their non-upgrade counterparts to ensure that upgrading at boot takes place after downloading. LP: #1686470 (cherry picked from commit 496313fb8e83af2ba71f6ce3d729be687c293dfd) (cherry picked from commit a234cfe1466066aa1f404cf01e544f16cb517846)
2017-05-05apt.systemd.daily: Add lockingJulian Andres Klode
Use a lock file to make sure only one instance of the script is running at the same time. (cherry picked from commit ea49b66372912354143b810e2826301d651a2b37) (cherry picked from commit 820b469f0648eaa63356a812cd96ca8c4af6ac71)
2017-05-05Run unattended-upgrade -d in download partJulian Andres Klode
We want to download the upgrades first, if unattended-upgrades is configured. We don't want to use the normal dist-upgrade -d thing for it, though, as unattended-upgrades only upgrades a subset. (cherry picked from commit 01e324a6893164feace153bc17fe6453b6fa97db) (cherry picked from commit f1f796a3c506400f54f4a39b6f43b0494cfb210c)
2017-05-05Allow the daily script to be run in two phasesJulian Andres Klode
This adds an argument to the script which may be update, install, or empty. In the update cases, downloads are performed. In the install case, installs are performed. If empty, both are run. Gbp-Dch: ignore (cherry picked from commit 007b22ee6fd33d9b03637577f8401a43c5e7c90c) (cherry picked from commit d02da9dcaa9daac2a29cf9d9ee3963bf6098fe4e)
2017-04-25Release 1.2.211.2.21Julian Andres Klode
2017-04-25apt-ftparchive: Support '.ddeb' dbgsym packagesUnit 193
(cherry picked from commit c832379bb1163800ed24412fbc19c53eea606a66) (cherry picked from commit 3e26e4e97a6f15bc0fbe16e67aa21165d96a5581)
2017-04-25systemd: Rework timing and add After=network-onlineJulian Andres Klode
The timeout values were so large that the timer could run at any random time of the day, possibly easily interfering with business hours, and causing trouble. Reduce them to 30 minutes of random delay and an accuracy to the default value (1 minute). Also drop the 18:00 event. People still actively use their device during that time, and for servers, there might be less attendance than in the regular 06:00 time slot, so longer time to fix things if something breaks. During a boot, the service might be run to catch up with a timer that would have normally elapsed. Due to no dependencies, it would have run before the network is online - that's bad. Adding an After and a Wants fixes that for boots, but still leaves the same issue for Resume. LP: #1615482 (cherry picked from commit b4f32b13055287d2ac46a08255db475af195b5f7) (cherry picked from commit 6267b47f85588fdd00f6e667598abe52887385ae)
2017-04-25Fix and avoid quoting in CommandLine::AsStringDavid Kalnischkies
In the intended usecase where this serves as a hack there is no problem with double/single quotes being present as we write it to a log file only, but nowadays our calling of apt-key produces a temporary config file containing this "setting" as well and suddently quoting is important as the config file syntax is allergic to it. So the fix is to ignore all quoting whatsoever in the input and just quote (with singles) the option values with spaces. That gives us 99% of the time the correct result and the 1% where the quote is an integral element of the option … doesn't exist – or has bigger problems than a log file not containing the quote. Same goes for newlines in values. LP: #1672710 (cherry picked from commit 2ce15bdeac6ee93faefd4b42b57f035bef80c567) (cherry picked from commit c75620dcfa749f8030e0180df44eec746402885d)
2017-04-25Ignore \.ucf-[a-z]+$ like we do for \.dpkg-[a-z]+$Julian Andres Klode
This gets rid of warnings about .ucf-dist files Reported-By: Axel Beckert (on IRC) (cherry picked from commit 5094697fe4b2459ff6f706a22006d3028369f3fa) (cherry picked from commit 0c42bab8534b4dc95dabdff2a8e08a3574291ec0)
2017-02-27Release 1.2.201.2.20Julian Andres Klode
2017-02-22Don't use -1 fd and AT_SYMLINK_NOFOLLOW for faccessat()Julian Andres Klode
-1 is not an allowed value for the file descriptor, the only allowed non-file-descriptor value is AT_FDCWD. So use that instead. AT_SYMLINK_NOFOLLOW has a weird semantic: It checks whether we have the specified access on the symbolic link. It also is implemented only by glibc on Linux, so it's inherently non-portable. We should just drop it. Thanks: James Clarke for debugging these issues Reported-by: James Clarke <jrtc27@jrtc27.com> (cherry picked from commit 25f54c960d7a4ceca7bd3e21f87baf48d6cbc2d3) (cherry picked from commit 21242490e80dadb167a64c1815c08e1d2258fb61)
2017-02-22Do not package names representing .dsc/.deb/... filesJulian Andres Klode
In the case of build-dep and other commands where a file can be passed we must make sure not to normalize the path name as that can have odd side effects, or well, cause the operation to do nothing. Test for build-dep-file is adjusted to perform the vcard check once as "vcard" and once as "VCard", thus testing that this solves the reported bug. We inline the std::transform() and optimize it a bit to not write anything in the common case (package names are defined to be lowercase, the whole transformation is just for names that should not exist...) to counter the performance hit of the added find() call (it's about 0.15% more instructions than with the existing transform, but we save about 0.67% in writes...). Closes: #854794 (cherry picked from commit 85ee4036c68d8ecd2c973d413a17aca81380900b) (cherry picked from commit 83e6e1a8fc942668f9a01906cb8349fb70a45b3d)
2017-02-22Only merge acquire items with the same meta keyJulian Andres Klode
Since the introduction of by-hash, two differently named files might have the same real URL. In our case, the files icons-64x64.tar.gz and icons-128x128.tar.gz of empty tarballs. APT would try to merge them and end with weird errors because it completed the first download and enters the second stage for decompressing and verifying. After that it would queue a new item to copy the original file to the location, but that copy item would be in the wrong stage, causing it to use the hashes for the decompressed item. Closes: #838441 (cherry picked from commit 7b78e8bef1fc9de22d826db1db9df25f97d3710c) (cherry picked from commit d2749c845954fc1ea38133b050ee49d6f6544235)
2017-02-22COPYING.GPL: Update to recent version (address, LGPL name)Julian Andres Klode
Just copied over from common-licenses. Seems we missed to do that earlier. Gbp-Dch: ignore (cherry picked from commit 84285d17bab32a0ceafe31a5b2be61cc4f520b42) (cherry picked from commit e87c862cbd3aee8200f9752a0023ff53312e6dbd)
2017-02-22travis: Run test suites for root and user in separate build jobsJulian Andres Klode
This hopefully cuts down on the test time. Optimally, we'd just have one build job and parallize, but that requires a tty or something, probably due to GNU parallel? Gbp-Dch: ignore (cherry picked from commit 9b7c71f145e51c2d655ef09fca434d02db08331d) (cherry picked from commit e12dbcbaf486d176762d82f75307b9f5dfa66752)
2017-02-22basehttp: Only read Content-Range on 416 and 206 responsesJulian Andres Klode
This fixes issues with sourceforge where the redirector includes such a Content-Range in a 302 redirect. Since we do not really know what file is meant in a redirect, let's just ignore it for all responses other than 416 and 206. Maybe we should also get rid of the other errors, and just ignore the field in those cases as well? LP: #1657567 (cherry picked from commit 4759a702081297bde66982efed8b2b7fd39ca27c) (cherry picked from commit b5d0e1be09fd07e693bae8046848059f578d029f)