Age | Commit message (Collapse) | Author |
|
This is safe here, as the code ensures that the file is flushed
before it is being used. The next series should probably make
GetTempFile() buffer writes by default.
|
|
A pin of -32768 overrides any other, disables repo
See merge request apt-team/apt!40
|
|
This new field allows a repository to declare that access to
packages requires authorization. The current implementation will
set the pin to -32768 if no authorization has been provided in
the auth.conf(.d) files.
This implementation is suboptimal in two aspects:
(1) A repository should behave more like NotSource repositories
(2) We only have the host name for the repository, we cannot use
paths yet.
- We can fix those after an ABI break.
The code also adds a check to acquire-item.cc to not use the
specified repository as a download source, mimicking NotSource.
|
|
This allows disabling a repository by pinning it to 'never',
which is internally translated to a value of -32768 (or whatever
the minimum of short is).
This overrides any other pin for that repository. It can be used
to make sure certain sources are never used; for example, in
unattended-upgrades.
To prevent semantic changes to existing files, we substitute
min + 1 for every pin-priority: <min>. This is a temporary
solution, as we are waiting for an ABI break.
To add pins with that value, the special Pin-Priority
"never" may be used for now. It's unclear if that will
persist, or if the interface will change eventually.
|
|
Fail if InRelease or Release.gpg contain unsigned lines
See merge request apt-team/apt!45
|
|
Closes: #921008
Reviewed-By: Debian L10n French <debian-l10n-french@lists.debian.org>
|
|
Closes: #921011
|
|
Implementing a parser with recursion isn't the best idea, but in
practice we should get away with it for the time being to avoid
needless codechurn.
Closes: #920317 #921037
|
|
It is dropped in the merged code, but the extraction of the clearsigned
message code was the only one who had it previously, so the short-desc
explains the change from a before-after merge of the branch PoV.
It would make sense to enable it, but as we aren't in a time critical
paths here we can delay this for after buster to avoid problems.
References: 73e3459689c05cd62f15c29d2faddb0fc215ef5e
Suggested-By: Julian Andres Klode
|
|
Suggested-By: Julian Andres Klode
Gbp-Dch: Ignore
|
|
Verify data being sent by methods in SendMessage()
See merge request apt-team/apt!48
|
|
These methods are not supposed to be used anymore, they are
not actively maintained and may hence contain odd bugs.
Fixes !49
|
|
As a follow-up for CVE-2019-3462, add checks similar to those
for redirect to the central SendMessage() function. The checks
are a bit more relaxed for values - they may include newlines
and unicode characters (newlines get rewritten, so are safe).
For keys and the message header, the checks are far more strict:
They may only contain alphanumerical characters, the hyphen-minus,
and the horizontal space.
In case the method tries to send anything else, we construct a
legal 400 URI Failed response, and send that. We specifically do
not include the item URI, in case it has been compromised (that
would cause infinite recursion).
|
|
No effective change in behaviour, just simplifying and reusing code.
Suggested-By: Julian Andres Klode
Gbp-Dch: Ignore
|
|
No change in the logic itself, just dropping "== true", replacing "==
false" with not and moving lines around to make branches more obvious.
Suggested-By: Julian Andres Klode
Gbp-Dch: Ignore
|
|
private-json-hooks.cc: deal with EPIPE
See merge request apt-team/apt!47
|
|
While running our CI we noticed that sometimes we see an error
from the new json hooks code. The error message is:
```
E: Could not read response to hello message from hook [ ! -f /usr/bin/snap ] || /usr/bin/snap advise-snap --from-apt 2>/dev/null || true: Broken pipe
```
when purging the snapd package which provides the hook. This indicates
that we should probably also consider EPIPE not an error (just like
we do for ECONNRESET). This PR does exactly this.
|
|
We support dash-encoding even if we don't really work with files who
would need it as implementations are free to encode every line, but
otherwise a line starting with a dash must either be a header we parse
explicitly or the file is refused. This is against the RFC which says
clients should warn on such files, but given that we aren't expecting
any files with dash-started lines to begin with this looks a lot like a
we should not continue to touch the file as it smells like an attempt to
confuse different parsers by "hiding" headers in-between others.
The other slightly more reasonable explanation would be an armor header
key starting with a dash, but no existing key does that and it seems
unlikely that this could ever happen. Also, it is recommended that
clients warn about unknown keys, so new appearance is limited.
|
|
This is C++, so we can use a bit more abstraction to let the code
look a tiny bit nicer hopefully improving readability a bit.
Gbp-Dch: Ignore
|
|
RFC 4880 section 7.1 "Dash-Escaped Text" at the end defines that only
space and tab are allowed, so we should remove only these even if due to
use complaining (or now failing) you can't really make use of it.
Note that strrstrip was removing '\r\n\t ', not other whitespaces like
\v or \f and another big reason to do it explicitly here now is to avoid
that a future change adding those could have unintended consequences.
|
|
Add a "reinstall" command as an alias for "install --reinstall".
See merge request apt-team/apt!46
|
|
aptitude has a similar "reinstall" command for precedent.
|
|
Having many rather similar implementations especially if one is exported
while others aren't (and the rest of it not factored out at all) seems
suboptimal.
|
|
The exploit for CVE-2019-3462 uses the fact that a Release.gpg file can
contain additional content beside the expected detached signature(s).
We were passing the file unchecked to gpgv which ignores these extras
without complains, so we reuse the same line-reading implementation we
use for InRelease splitting to detect if a Release.gpg file contains
unexpected data and fail in this case given that we in the previous
commit we established that we fail in the similar InRelease case now.
|
|
The warnings were introduced 2 years ago without any reports from the
wild about them actually appearing for anyone, so now seems to be an as
good time as any to switch them to errors.
This allows rewritting the code by failing earlier instead of trying to
keep going which makes the diff a bit hard to follow but should help
simplifying reasoning about it.
References: 6376dfb8dfb99b9d182c2fb13aa34b2ac89805e3
|
|
|
|
apt Debian release 1.8.0~alpha3.1
|
|
|
|
This fixes a security issue that can be exploited to inject arbritrary debs
or other files into a signed repository as followed:
(1) Server sends a redirect to somewhere%0a<headers for the apt method> (where %0a is
\n encoded)
(2) apt method decodes the redirect (because the method encodes the URLs before
sending them out), writting something like
somewhere\n
<headers>
into its output
(3) apt then uses the headers injected for validation purposes.
Regression-Of: c34ea12ad509cb34c954ed574a301c3cbede55ec
LP: #1812353
(cherry picked from commit 5eb01ec13f3ede4bae5e60eb16bd8cffb7c03e1b)
|
|
|
|
Not needed since quite some time.
|
|
Report keys used to sign file from gpgv method to acquire system
See merge request apt-team/apt!44
|
|
This fixes a security issue that can be exploited to inject arbritrary debs
or other files into a signed repository as followed:
(1) Server sends a redirect to somewhere%0a<headers for the apt method> (where %0a is
\n encoded)
(2) apt method decodes the redirect (because the method encodes the URLs before
sending them out), writting something like
somewhere\n
<headers>
into its output
(3) apt then uses the headers injected for validation purposes.
Regression-Of: c34ea12ad509cb34c954ed574a301c3cbede55ec
LP: #1812353
|
|
Move everything up one "old", and change testing to be
bullseye.
|
|
This prepares us for the upcoming buster release, as buster
is the main release series for this series (the other being
Ubuntu disco).
|
|
LP: #1812696
|
|
Telling the acquire system which keys caused the gpgv method to
succeed allows us for now just a casual check if the gpgv method
really executed catching bugs like CVE-2018-0501, but we will make use
of the information for better features in the following commits.
|
|
Having a method take a bunch of string vectors is bad style, so we
change this to a wrapping struct and adapt the rest of the code brushing
it up slightly in the process, which results even in a slightly "better"
debug output, no practical change otherwise.
Gbp-Dch: Ignore
|
|
|
|
|
|
|
|
In C++17 `register` keyword was removed. Current gcc 8.1.0 produces
following warning if `-std=c++17` flag is used:
warning: ISO C++17 does not allow 'register' storage class specifier
[-Wregister]
GCC almost completely ignores `register` keyword, with rare exception of
`-O0` when additional copy from/to stack may be generated.
For simplicity of the codebase it is better to just remove this
problematic keyword where it is not strictly required.
See: http://en.cppreference.com/w/cpp/language/storage_duration
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
apt-mark minimize-manual
See merge request apt-team/apt!39
|
|
zh_CN.po: Update Simplified Chinese programs translation.
See merge request apt-team/apt!43
|
|
|
|
This visits dependencies of all manually installed metapackages,
as determined by APT::Never-MarkAuto-Sections, and marks them as
automatically installed. It can be used to clean up autoflags after
a d-i install, for example.
|
|
This used to be "apt-cache stats does not take any arguments", but
replace "apt-cache stats" with "%s" so we can reuse it for other
commands.
Gbp-Dch: ignore
|
|
We need to show a yes/no prompt in minimize-manual, and
pretty package names, so export them here.
Gbp-Dch: ignore
|
|
|
|
Pu/speedups
See merge request apt-team/apt!42
|