Age | Commit message | Author
2018-08-20 | clear alternative URIs for mirror:// between steps (CVE-2018-0501) | David Kalnischkies
APT in 1.6 saw me rewriting the mirror:// transport method, which works comparable to the decommissioned httpredir.d.o "just" that apt requests a mirror list and performs all the redirections internally with all the bells like parallel download and automatic fallback (more details in the apt-transport-mirror manpage included in the 1.6 release).
The automatic fallback is the problem here: The intent is that if a file fails to be downloaded (e.g. because the mirror is offline, broken, out-of-sync, …) instead of erroring out the next mirror in the list is contacted for a retry of the download. Internally the acquire process of an InRelease file (works with the Release/Release.gpg pair, too) happens in steps: 1) download file and 2) verify file, both handled as URL requests passed around. Due to an oversight the fallbacks for the first step are still active for the second step, so that the successful download from another mirror stands in for the failed verification… *facepalm*
Note that the attacker can not judge by the request arriving for the InRelease file if the user is using the mirror method or not. If entire traffic is observed Eve might be able to observe the request for a mirror list, but that might or might not be telling if following requests for InRelease files will be based on that list or for another sources.list entry not using mirror (Users have also the option to have the mirror list locally (via e.g. mirror+file://) instead of on a remote host). If the user isn't using mirror:// for this InRelease file apt will fail very visibly as intended.
(The mirror list needs to include at least two mirrors and to work reliably the attacker needs to be able to MITM all mirrors in the list. For remotely accessed mirror lists this is no limitation as the attacker is in full control of the file in that case)
Fixed by clearing the alternatives after a step completes (and moving a pimpl class further to the top to make that valid compilable code). mirror:// is at the moment the only method using this code infrastructure (for all others this set is already empty) and the only method-independent user so far is the download of deb files, but those are downloaded and verified in a single step; so there shouldn't be much opportunity for regression here even though a central code area is changed.
Upgrade instructions: Given all apt-based frontends are affected, even additional restrictions like signed-by are bypassed and the attack in progress is hardly visible in the progress reporting of an update operation (the InRelease file is marked "Ign", but no fallback to "Release/Release.gpg" is happening) and leaves no trace (except files downloaded from the attacker's repository of course) the best course of action might be to change the sources.list to not use the mirror family of transports ({tor+,…}mirror{,+{http{,s},file,…}}) until a fixed version of the src:apt packages is installed.
Regression-Of: 355e1aceac1dd05c4c7daf3420b09bd860fd169d, 57fa854e4cdb060e87ca265abd5a83364f9fa681
LP: #1787752
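An added example, not part of the commit or of APT's code: a POSIX shell check for the workaround in the upgrade instructions above, listing every source entry whose URI scheme belongs to the mirror family. The function names are made up for this example; it reads one-line `.list` entries and deb822 `URIs:` fields, and it does not evaluate `Enabled:` fields.

```shell
#!/bin/sh
# Added example: flag APT source entries that use the mirror transport family
# ({tor+,...}mirror{,+{http{,s},file,...}}) named in the CVE-2018-0501 commit.

# Succeeds when "mirror" is one of the '+'-separated parts of a URI scheme,
# e.g. mirror, mirror+file, tor+mirror+https.
is_mirror_scheme() {
    case "+$1+" in
        *+mirror+*) return 0 ;;
    esac
    return 1
}

# Print "file:line: uri" for each mirror-family URI found in the given files.
# Runs in a subshell so that disabling globbing does not leak to the caller.
list_mirror_uris() (
    set -f    # options such as [arch=amd64] must not be expanded as globs
    for file in "$@"; do
        [ -r "$file" ] || continue
        n=0
        while IFS= read -r line || [ -n "$line" ]; do
            n=$((n + 1))
            line=${line#"${line%%[![:space:]]*}"}    # strip leading blanks
            case "$line" in
                ''|'#'*) continue ;;                 # empty or commented out
            esac
            for word in $line; do
                case "$word" in
                    *:/*)   # looks like a URI: scheme is the text before ':'
                        if is_mirror_scheme "${word%%:*}"; then
                            printf '%s:%s: %s\n' "$file" "$n" "$word"
                        fi ;;
                esac
            done
        done < "$file"
    done
)

# Stand-alone use: pass the source files to audit as arguments.
if [ "$#" -gt 0 ]; then
    list_mirror_uris "$@"
fi
```

Run it as `sh check.sh /etc/apt/sources.list /etc/apt/sources.list.d/*` (the script name is arbitrary); no output means no entry uses a mirror-family transport.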
2018-08-20 | Update symbols | Julian Andres Klode
2018-08-19 | Report (soon) worthless keys if gpg uses fpr for GOODSIG | David Kalnischkies
gpg's DETAILS documentation file declares that GOODSIG could report keyid or fingerprint since gpg2, but for the time being it is still keyid only. Who knows if that will ever change as that feels like an interface break with dangerous security implications, but let's be better safe than sorry especially as the code dealing with signed-by keyids is prepared for this already. This code is rewritten still to have them all use the same code for this type of problem.
2018-08-19 | test: Supports records larger than 32kb in 'apt show' | David Kalnischkies
The 1.7 series rework of show started in bf53f39c9a0221b670ffff74053ed36fc502d5a0 resolved the issue already, but it's always a good idea to at least bring the tests along so that we hopefully do not regress in the future with another rewrite.
Tests: #905527
Gbp-Dch: Ignore
2018-08-19 | Simplified Chinese program translation update | Boyuan Yang
Reviewed-by: Mo Zhou <cdluminate@gmail.com>
Closes: #903695
2018-08-19 | aptwebserver: Prefetch compressors to avoid thread crashes | David Kalnischkies
If multiple threads act on requests (like if connection comes from a webbrowser) a thread might request the supported compressors while another thread is still working on creating the list to be stored in the static cache variable. As the price to pay for atomic and co seems too high for the fringe usecase of manual usage of aptwebserver the patch just makes a call to generate the list while still single threaded.
Gbp-Dch: Ignore
2018-08-14 | CMake: Use ${PROJECT_NAME} instead of hardcoding apt | David Kalnischkies
Completely pointless as it makes no difference for apt, but copying the file to other projects becomes a lot easier.
Gbp-Dch: Ignore
2018-08-08 | Set DPKG_FRONTEND_LOCKED as needed when doing selection changes | Julian Andres Klode
We forgot to set the variable for the selection changes. Let's set it for that and some other dpkg calls.
Regression-Of: c2c8b4787b0882234ba2772ec7513afbf97b563a
2018-08-07 | Merge branch 'bugfix/big-lock' into 'master' | Julian Andres Klode
Add support for dpkg frontend lock
See merge request apt-team/apt!11
2018-08-07 | Add support for dpkg frontend lock | Julian Andres Klode
The dpkg frontend lock is a lock dpkg tries to acquire except if the frontend already acquires it. This fixes a race condition in the install command where the dpkg lock is not held for a short period of time between different dpkg invocations. For this reason we also define an environment variable DPKG_FRONTEND_LOCKED for dpkg invocations so dpkg knows not to try to acquire the frontend lock because it's held by a parent process. We can set DPKG_FRONTEND_LOCKED only if the frontend lock really is held; that is, if our lock count is greater than 0 - otherwise an apt client not using the LockInner family of functions would run dpkg without the frontend lock set, but with DPKG_FRONTEND_LOCKED set. Such a process has a weaker guarantee: Because dpkg would not lock the frontend lock either, the process is prone to the existing races, and, more importantly, so is a new style process.
Closes: #869546
[fixups: fix error messages, add public IsLocked() method, and make {Un,}LockInner return an error on !debSystem]
2018-08-07 | Merge branch 'master' into 'master' | Julian Andres Klode
Add trailing newline to output of edit-sources.
See merge request apt-team/apt!22
2018-07-09 | Release 1.7.0~alpha2 [1.7.0_alpha2] | Julian Andres Klode
2018-07-06 | Use cheaper entropy source for randomizing items to fetch | Julian Andres Klode
The random_device fails if not enough entropy is available. We do not need high-quality entropy here, though, so let's switch to a seed based on the current time in nanoseconds, XORed with the PID.
2018-06-30 | Add trailing newline to output of edit-sources. | Jean-Ralph Aviles
Makes the console output cleaner.
2018-06-28 | Merge branch 'pu/lp1776218-allow-hooks-to-not-handshake' into 'master' | Julian Andres Klode
Handle JSON hooks that just close the file/exit and fix some other errors
See merge request apt-team/apt!21
2018-06-27 | Handle JSON hooks that just close the file/exit and fix some other errors | Julian Andres Klode
JSON hooks might disappear and the common idiom to work around hooks disappearing is to check for the hook in the shell snippet that is in the apt.conf file and if it does not exist, do nothing. This caused APT to fail however, expecting it to acknowledge the handshake. Ignoring ECONNRESET on handshakes solves the problem. The error case, and the other error cases also did not stop execution of the hook, causing more errors to pile up. Fix this by directly going to the closing part of the code.
LP: #1776218
2018-06-25 | Release 1.7.0~alpha1 [1.7.0_alpha1] | Julian Andres Klode
2018-06-25 | gitlab-ci: chmod 755 /root | Julian Andres Klode
This should avoid test failures on ubuntu:bionic
2018-06-25 | Ensure that we are online in apt-daily-upgrade.service | Julian Andres Klode
Installer packages need us to be online, or they are blocking shutdowns in the worst case :(
LP: #1723761
2018-06-25 | CI: Export DEBIAN_FRONTEND=noninteractive in all CI environments | Julian Andres Klode
This ensures that we don't hang waiting for debconf.
2018-06-13 | Fix lock counting in debSystem | Julian Andres Klode
debSystem uses a reference counted lock, so you can acquire it multiple times in your applications, possibly nested. Nesting locks causes a fd leak, though, as we only increment the lock count when we already have locked twice, rather than once, and hence when we call lock the second time, instead of increasing the lock count, we open another lock fd. This fixes the code to check if we have locked at all (> 0). There is no practical problem here aside from the fd leak, as closing the new fd releases the lock on the old one due to the weird semantics of fcntl locks.
2018-06-02 | Dutch manpage translation update | Frans Spiesschaert
Closes: #900602
2018-06-02 | Dutch program translation update | Frans Spiesschaert
Closes: #900589
2018-05-30 | Merge branch 'fix/usesteadyclockforprogress' into 'master' | Julian Andres Klode
Fix/usesteadyclockforprogress
See merge request apt-team/apt!19
2018-05-29 | apt-key: Pass all instead of gpg-agent to gpgconf --kill | Julian Andres Klode
We want to kill everything using our temporary directory.
LP: #1773992
2018-05-29 | Use steady clock source for bandwidth limitation | David Kalnischkies
Using the time of day for this is slightly wrong just like it is for progress, just less visible.
2018-05-28 | Remove unused time-tracking from http method | David Kalnischkies
The Stats method isn't called anywhere, was partly commented out before, but we keep updating the time for it – let's avoid this pointless busywork.
Gbp-Dch: Ignore
2018-05-28 | Use a steady clock source for progress reporting | David Kalnischkies
Clock changes while apt is running can result in strange reports confusing (and amusing) users. Sadly, to keep the ABI for now the code is a bit more ugly than it would need to be.
2018-05-28 | Don't show acquire warning for "hidden" components | David Kalnischkies
Commit d7c92411dc1f4c6be098d1425f9c1c075e0c2154 introduced a warning for non-existent files from components not mentioned in Components to hint users at a misspelling or the disappearance of a component. The debian-installer subcomponent isn't actively advertised in the Release file though, so if apt ends up in acquiring a file which doesn't exist for this component (like Translation files) apt would produce a warning:
W: Skipping acquire of configured file 'main/debian-installer/i18n/Translation-en' as repository 'http://deb.debian.org/debian buster InRelease' doesn't have the component 'main/debian-installer' (component misspelt in sources.list?)
We prevent this in the future by checking if any file exists from this component which results in the warning to be produced still for the intended cases and silence it on the d-i case. This could potentially cause the warning not to be produced in cases it should be if some marginal file remains, but as this message is just a hint and the setup a bit pathological let's ignore it for now. There is also the possibility of having no file present as they would all be 0-length files and being a "hidden" component, but that would be easy to workaround from the repository side and isn't really actively used at the moment in the wild.
Closes: #879591
2018-05-28 | tests: Prevent stunnel4 from binding on IPv6 | David Kalnischkies
Hardcoding the IPv4 address 127.0.0.1 stops stunnel4 from also binding on IPv6 as well which not only binds on another port but confuses our crude port extraction by splitting on ':' with ::1.
Gbp-Dch: Ignore
2018-05-24 | Merge branch 'pu/timeout-bad-addr-fixes' into 'master' | Julian Andres Klode
Pu/timeout bad addr fixes
See merge request apt-team/apt!18
2018-05-24 | Merge branch 'feature/morevolatilesupport' into 'master' | Julian Andres Klode
more volatile: build-dep foo.deb/release & show foo.deb
See merge request apt-team/apt!14
2018-05-24 | Merge branch 'feature/byhashviaalturl' into 'master' | Julian Andres Klode
Don't force the same mirror for by-hash URIs
See merge request apt-team/apt!15
2018-05-24 | Lower default timeout from 120s to 30s | Julian Andres Klode
120s is an insanely high default time out, lower it to 30s to make things a bit nicer.
2018-05-24 | Handle a missed case of timed out ip addresses | Julian Andres Klode
Correctly register timed out IP addresses from a timed out select() call as a bad address so we do not try it again.
LP: #1766542
2018-05-21 | Merge branch 'debugautoremove' into 'master' | David Kalnischkies
Increase debug verbosity in `apt-get autoremove`
See merge request apt-team/apt!9
2018-05-21 | Extend test-apt-get-autoremove to check debug output | Filipe Brandenburger
Run `apt-get autoremove -o Debug::pkgAutoRemove=yes` and confirm the logged reason for packages to be kept is correct. Only check for specific debug lines containing 'MarkPackage:' in order to prevent new debug logging to break the test case.
2018-05-21 | Increase debug verbosity in `apt-get autoremove` | Filipe Brandenburger
When running with Debug::pkgAutoRemove=yes, explain why certain packages are being marked, either because they're marked essential/important or because they match the blacklist from APT::NeverAutoRemove. This should help troubleshoot cases where autoremove is not proposing removal of packages expected to be up for removal. Tested manually with `apt-get autoremove -o Debug::pkgAutoRemove=yes`.
2018-05-19 | Fix hidden test failure if not called via sudo | David Kalnischkies
id: '': no such user
./test-bug-611729-mark-as-manual: 59: [: Illegal number:
Regression-of: 68842e1741a5005b1e3f0a07deffd737c65e3294
Gbp-Dch: Ignore
2018-05-19 | Reword error for timed out read/write on SOCKS proxy | David Kalnischkies
Closes: #898886
2018-05-18 | Russian program translation update | Алексей Шилин
Closes: 898797
2018-05-18 | Add verb 'be' to NEWS entry for 1.5~beta1 | annadane
Closes: 892792
2018-05-16 | Merge branch 'gitignore' into 'master' | Julian Andres Klode
Update .gitignore
See merge request apt-team/apt!16
2018-05-16 | Merge branch 'pu/gitlab-ci' into 'master' | Julian Andres Klode
Pu/gitlab ci
See merge request apt-team/apt!17
2018-05-16 | Run tests on GitLab CI | Julian Andres Klode
Salsa has support for GitLab CI. This introduces a test setup for it, derived from the ones for shippable and travis. It is not optimal yet: The build is run in the test stage. Fixing this requires us to separate test from build dependencies, and storing build/ as an artifact of the build stage; since build and test stage run on different runners with fresh checkouts and images.
2018-05-16 | tests: Do not expect requested-by if sudo was invoked by root | Julian Andres Klode
If sudo was invoked by root, SUDO_UID will be 0, and apt will not print a Requested-By line.
2018-05-15 | Update .gitignore | Filipe Brandenburger
2018-05-11 | Don't force the same mirror for by-hash URIs | David Kalnischkies
Downloading from the same mirror we got a Release file from makes sense for non-unique URIs as their content changes between mirror states, but if we ask for an index via by-hash we can be sure that we either get the file we wanted or a 404 for which we can perform a fallback for which allows us to pull indexes from different mirrors in parallel.
2018-05-11 | Handle by-hash URI construction more centrally | David Kalnischkies
Individual items shouldn't concern themselves with these alternative locations, we can deal with this more efficiently within the infrastructure created for other alternative URIs now avoiding the need to implement this in each item.
2018-05-11 | Drop alternative URIs we got a hash-based fail from | David Kalnischkies
If we got a file but it produced a hash error, mismatched size or similar we shouldn't fallback to alternative URIs as they likely result in the same error. If we can we should instead use another mirror. We used to be a lot stricter by stopping all tries for this file if we got a non-404 (or a hash-based) failure, but that is too hard as we really want to try other mirrors (if we have them) in the hope that they have the expected and correct files.