summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2019-02-04gpgv: Use buffered writes for splitting clearsigned filesJulian Andres Klode
This is safe here, as the code ensures that the file is flushed before it is being used. The next series should probably make GetTempFile() buffer writes by default.
2019-02-04Merge branch 'pu/dead-pin' into 'master'Julian Andres Klode
A pin of -32768 overrides any other, disables repo See merge request apt-team/apt!40
2019-02-01Add a Packages-Require-Authorization Release file fieldJulian Andres Klode
This new field allows a repository to declare that access to packages requires authorization. The current implementation will set the pin to -32768 if no authorization has been provided in the auth.conf(.d) files. This implementation is suboptimal in two aspects: (1) A repository should behave more like NotSource repositories (2) We only have the host name for the repository, we cannot use paths yet. - We can fix those after an ABI break. The code also adds a check to acquire-item.cc to not use the specified repository as a download source, mimicking NotSource.
2019-02-01Introduce experimental 'never' pinning for sourcesJulian Andres Klode
This allows disabling a repository by pinning it to 'never', which is internally translated to a value of -32768 (or whatever the minimum of short is). This overrides any other pin for that repository. It can be used to make sure certain sources are never used; for example, in unattended-upgrades. To prevent semantic changes to existing files, we substitute min + 1 for every pin-priority: <min>. This is a temporary solution, as we are waiting for an ABI break. To add pins with that value, the special Pin-Priority "never" may be used for now. It's unclear if that will persist, or if the interface will change eventually.
2019-02-01Merge branch 'pu/refuseunsignedlines' into 'master'Julian Andres Klode
Fail if InRelease or Release.gpg contain unsigned lines See merge request apt-team/apt!45
2019-02-01French program translation updateBaptiste Jammet
Closes: #921008 Reviewed-By: Debian L10n French <debian-l10n-french@lists.debian.org>
2019-02-01Russian program translation updateАлексей Шилин
Closes: #921011
2019-02-01Step over empty sections in TagFiles with commentsDavid Kalnischkies
Implementing a parser with recursion isn't the best idea, but in practice we should get away with it for the time being to avoid needless codechurn. Closes: #920317 #921037
2019-02-01Drop buffered writing from clearsigned message extractionDavid Kalnischkies
It is dropped in the merged code, but the extraction of the clearsigned message code was the only one who had it previously, so the short-desc explains the change from a before-after merge of the branch PoV. It would make sense to enable it, but as we aren't in a time critical paths here we can delay this for after buster to avoid problems. References: 73e3459689c05cd62f15c29d2faddb0fc215ef5e Suggested-By: Julian Andres Klode
2019-02-01Avoid boolean flags by splitting writeTo functionsDavid Kalnischkies
Suggested-By: Julian Andres Klode Gbp-Dch: Ignore
2019-01-31Merge branch 'pu/verify-method-messages-2' into 'master'Julian Andres Klode
Verify data being sent by methods in SendMessage() See merge request apt-team/apt!48
2019-01-31Disable deprecated methods (ftp, rsh, ssh) by defaultJulian Andres Klode
These methods are not supposed to be used anymore, they are not actively maintained and may hence contain odd bugs. Fixes !49
2019-01-30Verify data being sent by methods in SendMessage()Julian Andres Klode
As a follow-up for CVE-2019-3462, add checks similar to those for redirect to the central SendMessage() function. The checks are a bit more relaxed for values - they may include newlines and unicode characters (newlines get rewritten, so are safe). For keys and the message header, the checks are far more strict: They may only contain alphanumerical characters, the hyphen-minus, and the horizontal space. In case the method tries to send anything else, we construct a legal 400 URI Failed response, and send that. We specifically do not include the item URI, in case it has been compromised (that would cause infinite recursion).
2019-01-29Reuse APT::StringView more in LineBufferDavid Kalnischkies
No effective change in behaviour, just simplifying and reusing code. Suggested-By: Julian Andres Klode Gbp-Dch: Ignore
2019-01-29Rework ifs to use not instead of == false/trueDavid Kalnischkies
No change in the logic itself, just dropping "== true", replacing "== false" with not and moving lines around to make branches more obvious. Suggested-By: Julian Andres Klode Gbp-Dch: Ignore
2019-01-29Merge branch 'trivial-epipe-fix' into 'master'Julian Andres Klode
private-json-hooks.cc: deal with EPIPE See merge request apt-team/apt!47
2019-01-29private-json-hooks.cc: deal with EPIPEMichael Vogt
While running our CI we noticed that sometimes we see an error from the new json hooks code. The error message is: ``` E: Could not read response to hello message from hook [ ! -f /usr/bin/snap ] || /usr/bin/snap advise-snap --from-apt 2>/dev/null || true: Broken pipe ``` when purging the snapd package which provides the hook. This indicates that we should probably also consider EPIPE not an error (just like we do for ECONNRESET). This PR does exactly this.
2019-01-28Refuse files with lines unexpectedly starting with a dashDavid Kalnischkies
We support dash-encoding even if we don't really work with files who would need it as implementations are free to encode every line, but otherwise a line starting with a dash must either be a header we parse explicitly or the file is refused. This is against the RFC which says clients should warn on such files, but given that we aren't expecting any files with dash-started lines to begin with this looks a lot like a we should not continue to touch the file as it smells like an attempt to confuse different parsers by "hiding" headers in-between others. The other slightly more reasonable explanation would be an armor header key starting with a dash, but no existing key does that and it seems unlikely that this could ever happen. Also, it is recommended that clients warn about unknown keys, so new appearance is limited.
2019-01-28Use more abstraction to handle the current line bufferDavid Kalnischkies
This is C++, so we can use a bit more abstraction to let the code look a tiny bit nicer hopefully improving readability a bit. Gbp-Dch: Ignore
2019-01-28Explicitly remove the whitespaces defined by RFCDavid Kalnischkies
RFC 4880 section 7.1 "Dash-Escaped Text" at the end defines that only space and tab are allowed, so we should remove only these even if due to use complaining (or now failing) you can't really make use of it. Note that strrstrip was removing '\r\n\t ', not other whitespaces like \v or \f and another big reason to do it explicitly here now is to avoid that a future change adding those could have unintended consequences.
2019-01-27Merge branch 'apt-reinstall' into 'master'Julian Andres Klode
Add a "reinstall" command as an alias for "install --reinstall". See merge request apt-team/apt!46
2019-01-27Add a "reinstall" command as an alias for "install --reinstall".Josh Triplett
aptitude has a similar "reinstall" command for precedent.
2019-01-24Merge and reuse tmp file handling across the boardDavid Kalnischkies
Having many rather similar implementations especially if one is exported while others aren't (and the rest of it not factored out at all) seems suboptimal.
2019-01-23Fail on non-signature lines in Release.gpgDavid Kalnischkies
The exploit for CVE-2019-3462 uses the fact that a Release.gpg file can contain additional content beside the expected detached signature(s). We were passing the file unchecked to gpgv which ignores these extras without complains, so we reuse the same line-reading implementation we use for InRelease splitting to detect if a Release.gpg file contains unexpected data and fail in this case given that we in the previous commit we established that we fail in the similar InRelease case now.
2019-01-23Fail instead of warn for unsigned lines in InReleaseDavid Kalnischkies
The warnings were introduced 2 years ago without any reports from the wild about them actually appearing for anyone, so now seems to be an as good time as any to switch them to errors. This allows rewritting the code by failing earlier instead of trying to keep going which makes the diff a bit hard to follow but should help simplifying reasoning about it. References: 6376dfb8dfb99b9d182c2fb13aa34b2ac89805e3
2019-01-23Release 1.8.0~beta11.8.0_beta1Julian Andres Klode
2019-01-22Merge tag '1.8.0_alpha3.1'Julian Andres Klode
apt Debian release 1.8.0~alpha3.1
2019-01-22Release 1.8.0~alpha3.11.8.0_alpha3.1Julian Andres Klode
2019-01-22SECURITY UPDATE: content injection in http method (CVE-2019-3462)Julian Andres Klode
This fixes a security issue that can be exploited to inject arbritrary debs or other files into a signed repository as followed: (1) Server sends a redirect to somewhere%0a<headers for the apt method> (where %0a is \n encoded) (2) apt method decodes the redirect (because the method encodes the URLs before sending them out), writting something like somewhere\n <headers> into its output (3) apt then uses the headers injected for validation purposes. Regression-Of: c34ea12ad509cb34c954ed574a301c3cbede55ec LP: #1812353 (cherry picked from commit 5eb01ec13f3ede4bae5e60eb16bd8cffb7c03e1b)
2019-01-22Merge branch 'pu/release-preparations'Julian Andres Klode
2019-01-22debian/control: Drop libcurl4-gnutls-dev build dependencyJulian Andres Klode
Not needed since quite some time.
2019-01-22Merge branch 'pu/gpgvsignedby' into 'master'Julian Andres Klode
Report keys used to sign file from gpgv method to acquire system See merge request apt-team/apt!44
2019-01-22SECURITY UPDATE: content injection in http method (CVE-2019-3462)Julian Andres Klode
This fixes a security issue that can be exploited to inject arbritrary debs or other files into a signed repository as followed: (1) Server sends a redirect to somewhere%0a<headers for the apt method> (where %0a is \n encoded) (2) apt method decodes the redirect (because the method encodes the URLs before sending them out), writting something like somewhere\n <headers> into its output (3) apt then uses the headers injected for validation purposes. Regression-Of: c34ea12ad509cb34c954ed574a301c3cbede55ec LP: #1812353
2019-01-22doc/apt-verbatim.ent: Debian buster is stableJulian Andres Klode
Move everything up one "old", and change testing to be bullseye.
2019-01-22CI: Use debian:buster as test base imageJulian Andres Klode
This prepares us for the upcoming buster release, as buster is the main release series for this series (the other being Ubuntu disco).
2019-01-22doc/apt-verbatim.ent: Point ubuntu-codename to discoJulian Andres Klode
LP: #1812696
2019-01-22Communicate back which key(s) were used for signingDavid Kalnischkies
Telling the acquire system which keys caused the gpgv method to succeed allows us for now just a casual check if the gpgv method really executed catching bugs like CVE-2018-0501, but we will make use of the information for better features in the following commits.
2019-01-22Refactor internal Signers information storage in gpgvDavid Kalnischkies
Having a method take a bunch of string vectors is bad style, so we change this to a wrapping struct and adapt the rest of the code brushing it up slightly in the process, which results even in a slightly "better" debug output, no practical change otherwise. Gbp-Dch: Ignore
2019-01-22bash completion: add keysVasya Novikov
2019-01-22Merge branch 'patch-1' of github.com:techtonik/aptJulian Andres Klode
2019-01-22Merge branch 'patch-2' of github.com:techtonik/aptJulian Andres Klode
2019-01-22Remove `register` keywordKhem Raj
In C++17 `register` keyword was removed. Current gcc 8.1.0 produces following warning if `-std=c++17` flag is used: warning: ISO C++17 does not allow 'register' storage class specifier [-Wregister] GCC almost completely ignores `register` keyword, with rare exception of `-O0` when additional copy from/to stack may be generated. For simplicity of the codebase it is better to just remove this problematic keyword where it is not strictly required. See: http://en.cppreference.com/w/cpp/language/storage_duration Signed-off-by: Khem Raj <raj.khem@gmail.com>
2019-01-22Merge branch 'pu/minimize-manual' into 'master'Julian Andres Klode
apt-mark minimize-manual See merge request apt-team/apt!39
2019-01-22Merge branch 'master' into 'master'Julian Andres Klode
zh_CN.po: Update Simplified Chinese programs translation. See merge request apt-team/apt!43
2019-01-12zh_CN.po: Update Simplified Chinese programs translation.Mo Zhou
2019-01-10apt-mark: Introduce minimize-manualJulian Andres Klode
This visits dependencies of all manually installed metapackages, as determined by APT::Never-MarkAuto-Sections, and marks them as automatically installed. It can be used to clean up autoflags after a d-i install, for example.
2019-01-10Generalize %s does not take any argumentsJulian Andres Klode
This used to be "apt-cache stats does not take any arguments", but replace "apt-cache stats" with "%s" so we can reuse it for other commands. Gbp-Dch: ignore
2019-01-07apt-private: Export some functions for apt-markJulian Andres Klode
We need to show a yes/no prompt in minimize-manual, and pretty package names, so export them here. Gbp-Dch: ignore
2019-01-05hash32: Tighten to multiversion to x86-64 ELF and use uint32_tJulian Andres Klode
2019-01-04Merge branch 'pu/speedups' into 'master'Julian Andres Klode
Pu/speedups See merge request apt-team/apt!42