Age | Commit message (Collapse) | Author |
|
This fixes a security issue that can be exploited to inject arbritrary debs
or other files into a signed repository as followed:
(1) Server sends a redirect to somewhere%0a<headers for the apt method> (where %0a is
\n encoded)
(2) apt method decodes the redirect (because the method encodes the URLs before
sending them out), writting something like
somewhere\n
<headers>
into its output
(3) apt then uses the headers injected for validation purposes.
Regression-Of: c34ea12ad509cb34c954ed574a301c3cbede55ec
LP: #1812353
|
|
|
|
Some post-invoke scripts install packages, which fails because
the environment variable is not set. This sets the variable for
all three kinds of scripts {pre,post-}invoke and pre-install-pkgs,
but we will only allow post-invoke at a later time.
Gbp-Dch: full
(cherry picked from commit 6675601c81de85b40dc89772c1d6d17f1811c5ba)
LP: #1796808
(cherry picked from commit 0ce6bc5ec70ff84eb2829f91f286a93687e77a46)
|
|
|
|
(cherry picked from commit 2e7af714deea25fe9c85b491814862301d01816b)
|
|
pkgCacheFile's destructor unlocks the system, which is confusing
if you did not open the cachefile with WithLock set. Create a private
data instance that holds the value of WithLock.
This regression was introduced in commit b2e465d6d32d2dc884f58b94acb7e35f671a87fe:
Join with aliencode
Author: jgg
Date: 2001-02-20 07:03:16 GMT
Join with aliencode
by replacing a "Lock" member that was only initialized when the lock
was taken by calls to Lock, UnLock; with the latter also taking place
if the former did not occur.
Regression-Of: b2e465d6d32d2dc884f58b94acb7e35f671a87fe
LP: #1794053
(cherry picked from commit e02297b8e22dae04872fe6fab6dba966de65dbba)
(cherry picked from commit 248f70d425c4cd865d4bd54ab1134ccff8b68e36)
|
|
It is perfectly valid behavior for a server to respond with
Connection: close eventually, even when pipelining. Turning
off pipelining due to that is wrong. For example, some Ubuntu
mirrors close the connection after 101 requests. If I have
more packages to install, only the first 101 would benefit
from pipelining.
This commit introduces a new check to only turn of pipelining
for future connections if the pipeline for this connection did
not have 3 successful fetches before, that should work quite well to
detect broken server/proxy combinations like in bug 832113.
(cherry picked from commit df696650b7a8c58bbd92e0e1619e956f21010a96)
LP: #1794957
(cherry picked from commit 3de7454c796f245371c33076ae01529d6d36d715)
|
|
We forgot to set the variable for the selection changes. Let's
set it for that and some other dpkg calls.
Regression-Of: c2c8b4787b0882234ba2772ec7513afbf97b563a
(cherry picked from commit 55489885b51b02b7f74e601a393ecaefd1f71f9c)
(cherry picked from commit d66bd6e5e9ae96676e805cce43937a0528cebe1b)
|
|
The dpkg frontend lock is a lock dpkg tries to acquire
except if the frontend already acquires it.
This fixes a race condition in the install command where the
dpkg lock is not held for a short period of time between
different dpkg invocations.
For this reason we also define an environment variable
DPKG_FRONTEND_LOCKED for dpkg invocations so dpkg knows
not to try to acquire the frontend lock because it's held
by a parent process.
We can set DPKG_FRONTEND_LOCKED only if the frontend lock
really is held; that is, if our lock count is greater than 0
- otherwise an apt client not using the LockInner family of
functions would run dpkg without the frontend lock set, but
with DPKG_FRONTEND_LOCKED set. Such a process has a weaker
guarantee: Because dpkg would not lock the frontend lock
either, the process is prone to the existing races, and,
more importantly, so is a new style process.
Closes: #869546
[fixups: fix error messages, add public IsLocked() method, and
make {Un,}LockInner return an error on !debSystem]
(cherry picked from commit c2c8b4787b0882234ba2772ec7513afbf97b563a)
LP: #1781169
(cherry picked from commit 6c0c94ed32b8e679b14b0f89b51c1c336dc0ab9c)
|
|
The default buffer size for pkgTagFile is 32kb which should be big
enough for everything… expect for enormous lists of provides,
resulting in:
$ apt show librust-winapi-dev
E: Unable to parse package file /var/lib/apt/lists/ftp.br.debian.org_debian_dists_unstable_main_binary-amd64_Packages (2)
E: Internal Error, Unable to parse a package record
The "apt-cache show" codepath uses instead a max size for all files,
which seems a bit excessive, but works – using the max size for the file
in question seems most appropriate.
The patch is written for the 1.6.y series as a rewrite of the related
code in the 1.7.y series (commit bf53f39c9a0221b670ffff74053ed36fc502d5a0)
removed this problem before it was reported.
Closes: #905527
LP: #1787120
(cherry picked from commit 409ceec9ed30cbebd8ece1ef7ce667ab5a32f9df)
|
|
LP: #1698159
(cherry picked from commit 923ba67464960940a19b24a341e896a9338161fb)
|
|
|
|
(cherry picked from commit 4ba9412d545232794bd7838e0174df8fda4152b8)
LP: #1778551
|
|
debSystem uses a reference counted lock, so you can acquire it
multiple times in your applications, possibly nested. Nesting
locks causes a fd leak, though, as we only increment the lock
count when we already have locked twice, rather than once, and
hence when we call lock the second time, instead of increasing
the lock count, we open another lock fd.
This fixes the code to check if we have locked at all (> 0).
There is no practical problem here aside from the fd leak, as
closing the new fd releases the lock on the old one due to the
weird semantics of fcntl locks.
(cherry picked from commit 79f012bd09ae99d4c9d63dc0ac960376b5338b32)
(cherry picked from commit 1edcb718293f24ad190703a345f8f868b6e3bcc4)
LP: #1778547
|
|
APT clients always noticed if a method isn't supported and nowadays
generate a message of the form:
E: The method driver …/foobar could not be found.
N: Is the package apt-transport-foobar installed?
This only worked if a single source was using such an unavailable method
through as we were registering the failed config the first round and
the second would try to send requests to the not started method, which
wouldn't work and hang instead (+ hiding the error messages as they would
be shown only at the end of the execution).
Closes: 870675
(cherry picked from commit e250a8d8d8ef2f8f8c5e2041f7645c49fba7aa36)
(cherry picked from commit 281dbc8e481fbaeaf7310e0800468d4d212711b8)
LP: #1762766
|
|
|
|
This is based on 1.4.y, but with the old build system, and
xenial as the base image.
|
|
This reverts commit dd547ebaffd2aceb42e2908f1d5f0ab386af6cb1.
LP: #1751225
|
|
|
|
There's no real point in pulling it in in the timer already,
and it it somewhat saver to do so in the service.
(cherry picked from commit 11417c1058e1b8441ee8f30f948e854b7a6ce89e)
LP: #1716973
(cherry picked from commit 3e639687bbea08acd34f5a66dc99ea62848b7c17)
|
|
A libapt user who hasn't initialized _system likely has a reason, so we
shouldn't greet back with a segfault usually deep down in the callstack
for no reason. If the user had intended to pick up information from the
system, _system wouldn't be uninitialized after all.
LP: #1613184
SRU: 1.4.y
(cherry picked from commit cba5c5a26a9bf00724f8ea647ac61b30e32734ba)
|
|
The main process is guessed by systemd. This prevents killing dpkg
run by unattended-upgrades in the middle of installing packages
and ensures graceful shutdown.
The timeout of 900 seconds after which apt-daily-upgrade.service
is killed is in sync with unattended-upgrades's timer.
LP: #1690980
(cherry picked from commit 78bc10d4702b30b46d802294ac43cffc34d9c431)
|
|
APT considered any response with a Content-Length to have a
body, even if the value of the header was 0. A 0 length body
however, is equal to no body.
(cherry picked from commit d47fb34ae03566feec7fec6dccba80e45fa03e6f)
|
|
When APT was trying multiple addresses, any later error
somewhere else would be reported with ConnectionRefused
or ConnectionTimedOut as the FailReason because that
was set by early connect attempts. This causes APT to
handle the failures differently, leading to some weirdly
breaking test cases (like the changed one).
Add debugging to the previously failing test case so
we can find out when something goes wrong there again.
(cherry picked from commit d3a70c3e5ae68a0e5a3d4667dd1d0fc0887e6263)
|
|
An SRV record includes a portnumber to use with the host given, but apt
was ignoring the portnumber and instead used either the port given by
the user for the initial host or the default port for the service.
In practice the service usually runs on another host on the default
port, so it tends to work as intended and even if not and apt can't get
a connection there it will gracefully fallback to contacting the initial
host with the right port, so its a user invisible bug most of the time.
(cherry picked from commit 9bdc09016f9570389451dd619d7e878bfeaa91df)
|
|
This typo exposes a bug in apt-listchanges that prevents commands like
`apt-listchanges --show-all apt_*.deb' from showing the changelog.
The bug will be fixed in next upload of apt-listchanges, but I think
it would be nice have the typo fixed as well.
Closes: 866358
(cherry picked from commit ec0ebf784d15821786334a4781d0b58b0b163363)
|
|
|
|
Instead of passing -d, which enables a debugging mode; check if
unattended-upgrade supports an option --download-only (which is yet
to be implemented) and use that.
Closes: #863859
Gbp-Dch: Full
(cherry picked from commit 31c81a37ac6dceda0c94ce088b338b6b09afd5a4,
cedf80c55766868eadc7ed59a27537c9a5d91edf)
(cherry picked from commit 80b808940e69d2379d175da1aec97c3301cd0777)
|
|
If the last alternative(s) of an Or group is ignored, because it does
not match an architecture list, we would end up keeping the or flag,
effectively making the next AND an OR.
For example, when parsing (on amd64):
debhelper (>= 9), libnacl-dev [amd64] | libnacl-dev [i386]
=> debhelper (>= 9), libnacl-dev |
Which can cause python-apt to crash.
Even worse:
debhelper (>= 9), libnacl-dev [amd64] | libnacl-dev [i386], foobar
=> debhelper (>= 9), libnacl-dev [amd64] | foobar
By setting the previous alternatives Or flag to the current Or flag
if the current alternative is ignored, we solve the issue.
LP: #1694697
(cherry picked from commit 7ddf958e370d13f93edc6923bee289b2f6444b41)
(cherry picked from commit 423ba4a958b9da02926e586bf59995817cafc32a)
|
|
|
|
Gbp-Dch: ignore
(cherry picked from commit 3819004c2cb3893bfa136f3c44a5783c42cd2a8d)
(cherry picked from commit 7e65cbfe4a073aa4e433681a8f52a3b87b31f63d)
|
|
Error:
pkgs that look like they should be upgraded:
Error in function stop
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/apt/progress/text.py", line 240,
in stop
apt_pkg.size_to_str(self.current_cps))).rstrip("\n"))
File "/usr/lib/python3/dist-packages/apt/progress/text.py", line 51,
in _write
self._file.write("\r")
AttributeError: 'NoneType' object has no attribute 'write'
fetch.run() result: 0
Caused by:
LOCKFD=3
unattended_upgrades $LOCKFD>&-
Unfortunately this code does not work, it is equivalent to
unattended_upgrades 3 >&-
I.e. it left fd 3 open, but closed stdout!
Closes: #862567
(cherry picked from commit 7b4581cbe8fcf6e2bd56a27c5a7a1e6ea33d2973)
(cherry picked from commit 3310f862cba0b997ede8fc4e2d270ab0f6b49e73)
|
|
|
|
Closes: #861846
(cherry picked from commit 6ff527b4f8c88ac406effb1d88fdb3c9ab42967b)
(cherry picked from commit 732325f9d00cb5c32f4ba7a3d5524a467ff037b2)
|
|
The timer doing downloading runs throughout the day, whereas
automatic upgrade and clean actions only happen in the morning.
The upgrade service and timer have After= ordering requirements
on their non-upgrade counterparts to ensure that upgrading at
boot takes place after downloading.
LP: #1686470
(cherry picked from commit 496313fb8e83af2ba71f6ce3d729be687c293dfd)
(cherry picked from commit a234cfe1466066aa1f404cf01e544f16cb517846)
|
|
Use a lock file to make sure only one instance of the
script is running at the same time.
(cherry picked from commit ea49b66372912354143b810e2826301d651a2b37)
(cherry picked from commit 820b469f0648eaa63356a812cd96ca8c4af6ac71)
|
|
We want to download the upgrades first, if unattended-upgrades
is configured. We don't want to use the normal dist-upgrade -d
thing for it, though, as unattended-upgrades only upgrades a
subset.
(cherry picked from commit 01e324a6893164feace153bc17fe6453b6fa97db)
(cherry picked from commit f1f796a3c506400f54f4a39b6f43b0494cfb210c)
|
|
This adds an argument to the script which may be update, install,
or empty. In the update cases, downloads are performed. In the
install case, installs are performed. If empty, both are run.
Gbp-Dch: ignore
(cherry picked from commit 007b22ee6fd33d9b03637577f8401a43c5e7c90c)
(cherry picked from commit d02da9dcaa9daac2a29cf9d9ee3963bf6098fe4e)
|
|
|
|
(cherry picked from commit c832379bb1163800ed24412fbc19c53eea606a66)
(cherry picked from commit 3e26e4e97a6f15bc0fbe16e67aa21165d96a5581)
|
|
The timeout values were so large that the timer could run at any
random time of the day, possibly easily interfering with business
hours, and causing trouble. Reduce them to 30 minutes of random
delay and an accuracy to the default value (1 minute).
Also drop the 18:00 event. People still actively use their device
during that time, and for servers, there might be less attendance
than in the regular 06:00 time slot, so longer time to fix things
if something breaks.
During a boot, the service might be run to catch up with a timer
that would have normally elapsed. Due to no dependencies, it would
have run before the network is online - that's bad. Adding an After
and a Wants fixes that for boots, but still leaves the same issue
for Resume.
LP: #1615482
(cherry picked from commit b4f32b13055287d2ac46a08255db475af195b5f7)
(cherry picked from commit 6267b47f85588fdd00f6e667598abe52887385ae)
|
|
In the intended usecase where this serves as a hack there is no problem
with double/single quotes being present as we write it to a log file
only, but nowadays our calling of apt-key produces a temporary config
file containing this "setting" as well and suddently quoting is
important as the config file syntax is allergic to it.
So the fix is to ignore all quoting whatsoever in the input and just
quote (with singles) the option values with spaces. That gives us 99% of
the time the correct result and the 1% where the quote is an integral
element of the option … doesn't exist – or has bigger problems than a
log file not containing the quote. Same goes for newlines in values.
LP: #1672710
(cherry picked from commit 2ce15bdeac6ee93faefd4b42b57f035bef80c567)
(cherry picked from commit c75620dcfa749f8030e0180df44eec746402885d)
|
|
This gets rid of warnings about .ucf-dist files
Reported-By: Axel Beckert (on IRC)
(cherry picked from commit 5094697fe4b2459ff6f706a22006d3028369f3fa)
(cherry picked from commit 0c42bab8534b4dc95dabdff2a8e08a3574291ec0)
|
|
|
|
-1 is not an allowed value for the file descriptor, the only
allowed non-file-descriptor value is AT_FDCWD. So use that
instead.
AT_SYMLINK_NOFOLLOW has a weird semantic: It checks whether
we have the specified access on the symbolic link. It also
is implemented only by glibc on Linux, so it's inherently
non-portable. We should just drop it.
Thanks: James Clarke for debugging these issues
Reported-by: James Clarke <jrtc27@jrtc27.com>
(cherry picked from commit 25f54c960d7a4ceca7bd3e21f87baf48d6cbc2d3)
(cherry picked from commit 21242490e80dadb167a64c1815c08e1d2258fb61)
|
|
In the case of build-dep and other commands where a file can be
passed we must make sure not to normalize the path name as that
can have odd side effects, or well, cause the operation to do
nothing.
Test for build-dep-file is adjusted to perform the vcard check
once as "vcard" and once as "VCard", thus testing that this
solves the reported bug.
We inline the std::transform() and optimize it a bit to not
write anything in the common case (package names are defined
to be lowercase, the whole transformation is just for names
that should not exist...) to counter the performance hit of
the added find() call (it's about 0.15% more instructions
than with the existing transform, but we save about 0.67%
in writes...).
Closes: #854794
(cherry picked from commit 85ee4036c68d8ecd2c973d413a17aca81380900b)
(cherry picked from commit 83e6e1a8fc942668f9a01906cb8349fb70a45b3d)
|
|
Since the introduction of by-hash, two differently named
files might have the same real URL. In our case, the files
icons-64x64.tar.gz and icons-128x128.tar.gz of empty tarballs.
APT would try to merge them and end with weird errors because
it completed the first download and enters the second stage for
decompressing and verifying. After that it would queue a new item
to copy the original file to the location, but that copy item would
be in the wrong stage, causing it to use the hashes for the
decompressed item.
Closes: #838441
(cherry picked from commit 7b78e8bef1fc9de22d826db1db9df25f97d3710c)
(cherry picked from commit d2749c845954fc1ea38133b050ee49d6f6544235)
|
|
Just copied over from common-licenses. Seems we missed to do
that earlier.
Gbp-Dch: ignore
(cherry picked from commit 84285d17bab32a0ceafe31a5b2be61cc4f520b42)
(cherry picked from commit e87c862cbd3aee8200f9752a0023ff53312e6dbd)
|
|
This hopefully cuts down on the test time. Optimally, we'd just have
one build job and parallize, but that requires a tty or something,
probably due to GNU parallel?
Gbp-Dch: ignore
(cherry picked from commit 9b7c71f145e51c2d655ef09fca434d02db08331d)
(cherry picked from commit e12dbcbaf486d176762d82f75307b9f5dfa66752)
|
|
This fixes issues with sourceforge where the redirector includes
such a Content-Range in a 302 redirect. Since we do not really know
what file is meant in a redirect, let's just ignore it for all
responses other than 416 and 206.
Maybe we should also get rid of the other errors, and just ignore
the field in those cases as well?
LP: #1657567
(cherry picked from commit 4759a702081297bde66982efed8b2b7fd39ca27c)
(cherry picked from commit b5d0e1be09fd07e693bae8046848059f578d029f)
|