| Age | Commit message (Collapse) | Author |
|---|
|
|
|
The integer overflow was detected by DonKult who added a check like this:
(std::numeric_limits<decltype(Itm.Size)>::max() - (2 * sizeof(Block)))
Which deals with the code as is, but also still is a fairly big limit,
and could become fragile if we change the code. Let's limit our file
sizes to 128 GiB, which should be sufficient for everyone.
Original comment by DonKult:
The code assumes that it can add sizeof(Block)-1 to the size of the item
later on, but if we are close to a 64bit overflow this is not possible.
Fixing this seems too complex compared to just ensuring there is enough
room left given that we will have a lot more problems the moment we will
be acting on files that large as if the item is that large, the (valid)
tar including it probably doesn't fit in 64bit either.
|
|
Like the code in arfile.cc, MemControlExtract also has buffer
overflows, in code allocating memory for parsing control files.
Specify an upper limit of 64 MiB for control files to both protect
against the Size overflowing (we allocate Size + 2 bytes), and
protect a bit against control files consisting only of zeroes.
|
|
Tarballs have long names and long link targets structured by a
special tar header with a GNU extension followed by the actual
content (padded to 512 bytes). Essentially, think of a name as
a special kind of file.
The limit of a file size in a header is 12 bytes, aka 10**12
or 1 TB. While this works OK-ish for file content that we stream
to extractors, we need to copy file names into memory, and this
opens us up to an OOM DoS attack.
Limit the file name size to 1 MiB, as libarchive does, to make
things safer.
|
|
GHSL-2020-169: This first hunk adds a check that we have more files
left to read in the file than the size of the member, ensuring that
(a) the number is not negative, which caused the crash here and (b)
ensures that we similarly avoid other issues with trying to read too
much data.
GHSL-2020-168: Long file names are encoded by a special marker in
the filename and then the real filename is part of what is normally
the data. We did not check that the length of the file name is within
the length of the member, which means that we got a overflow later
when subtracting the length from the member size to get the remaining
member size.
The file createdeb-lp1899193.cc was provided by GitHub Security Lab
and reformatted using apt coding style for inclusion in the test
case, both of these issues have an automated test case in
test/integration/test-ubuntu-bug-1899193-security-issues.
LP: #1899193
|
|
|
|
|
|
|
|
(CVE-2020-3810)
When normalizing ar member names by removing trailing whitespace
and slashes, an out-out-bound read can be caused if the ar member
name consists only of such characters, because the code did not
stop at 0, but would wrap around and continue reading from the
stack, without any limit.
Add a check to abort if we reached the first character in the
name, effectively rejecting the use of names consisting just
of slashes and spaces.
Furthermore, certain error cases in arfile.cc and extracttar.cc have
included member names in the output that were not checked at all and
might hence not be nul terminated, leading to further out of bound reads.
Fixes Debian/apt#111
LP: #1878177
|
|
|
|
We need to unlock in the reverse order of locking in order
to get useful behavior.
LP: #1829860
|
|
When accessing repository protected by TLS mutual auth, apt may receive
a "re-handshake" request from the server, which must be handled
in order for download to proceed.
This situation arises when the server requests a client certificate
based on the resource path provided in the GET request, after the inital
handshake in UnwrapTLS() has already occurred, and a secure connection
has been established.
This issue has been observed with Artifactory-backed Debian repository.
To address the issue, split TLS handshake code out into its own method
in TlsFd, and call it when GNUTLS_E_REHANDSHAKE error is received.
Signed-off-by: Michael Zhivich <mzhivich@akamai.com>
(merged from Debian/apt#93)
LP: #1829861
|
|
Closes: #929290
|
|
Closes: #926614
|
|
Github-Fixes: #89
(cherry picked from commit 46ef1a3e8c8895c53ff1e4787dc96d4f6c5dba27)
|
|
The value as shown in the NEWS file (not in the code) has a typo in
which just a "/" and ":" are swapped.
Closes: #917986
(cherry picked from commit 4c27ca80e2de06ab0fd058349f9813b60824cf04)
|
|
|
|
LP: #1821640
(cherry picked from commit 507124fd81066536c7c01a2039fcc6ee9f02a234)
|
|
As long as we are running dpkg, keep an inhibitor that
blocks us from shutting down.
LP: #1820886
|
|
Test from the fix for the regression in trusty for LP #1821308.
|
|
|
|
The missing auth.conf.d directory was an oversight, it should
be there.
LP: #1818996
|
|
Closes: #923834
|
|
Closes: #923728
|
|
Bad accident. Accidents happen.
|
|
[l10n] Update Italian translation
See merge request apt-team/apt!53
|
|
Add explicit message for unsupported binary signature
See merge request apt-team/apt!52
|
|
Signed-off-by: Milo Casagrande <milo@milo.name>
|
|
Verifying the content of Release.gpg made us fail on binary signatures
which were never officially supported (apt-secure manpage only documents
only the generation of ASCII armored), but silently accepted by gpgv as
we passed it on unchecked before.
The binary format is complex and is itself split into old and new
formats so adding support for this would not only add lots of code but
also a good opportunity for bugs and dubious benefit.
Reporting this issue explicitly should help repository creators figure
out the problem faster than the default NODATA message hinting at
captive portals.
Given that the binary format has no file magic or any other clear and
simple indication that this is a detached signature we guess based on
the first two bits only – and by that only supporting the "old" binary
format which seems to be the only one generated by gnupg in this case.
References: e2965b0b6bdd68ffcad0e06d11755412a7e16e50
Closes: #921685
|
|
|
|
These will run in our frontends currently, and can show
messages. For the sake of keeping the implementation
complexity low, a non-success variant of Post-Invoke
is not provided.
LP: #1815761
|
|
This is run after an update has been run and only if status on the
new cache has been shown, allowing scripts to display their own
status messages.
LP: #1815760
|
|
|
|
Seems we missed those before.
|
|
|
|
Closes: #921941
Reviewed-By: Debian L10n Dutch <debian-l10n-dutch@lists.debian.org>
|
|
Closes: #921934
Reviewed-By: Debian L10n Dutch <debian-l10n-dutch@lists.debian.org>
|
|
|
|
Closes: #921830
Thanks: Vladimir Zhbanov <vzhbanov@gmail.com>
|
|
|
|
Last entry included an item that was not in the release,
and the one before that was signed with the wrong email
address.
|
|
This is a special case here, a best effort write, so there's no
point in having warnings about it for every method.
|
|
|
|
Mistakingly used #define instead of #cmakedefine
|
|
|
|
This slightly improves performance, as std::to_string() (as in gcc's
libstdc++) avoids a heap allocation. This is surprisingly performance
critical code, so we might want to improve things further in 1.9
by manually calculating the string - that would also get rid of issues
with locales changing string formatting, if any.
|
|
This fixes the build on kfreebsd-amd64, and due to the detection
of sse4.2, should also enable the sse4.2 on i386.
|
|
This is safe here, as the code ensures that the file is flushed
before it is being used. The next series should probably make
GetTempFile() buffer writes by default.
|
|
A pin of -32768 overrides any other, disables repo
See merge request apt-team/apt!40
|
|
This new field allows a repository to declare that access to
packages requires authorization. The current implementation will
set the pin to -32768 if no authorization has been provided in
the auth.conf(.d) files.
This implementation is suboptimal in two aspects:
(1) A repository should behave more like NotSource repositories
(2) We only have the host name for the repository, we cannot use
paths yet.
- We can fix those after an ABI break.
The code also adds a check to acquire-item.cc to not use the
specified repository as a download source, mimicking NotSource.
|
