Age | Commit message (Collapse) | Author |
|
(CVE-2020-3810)
When normalizing ar member names by removing trailing whitespace
and slashes, an out-out-bound read can be caused if the ar member
name consists only of such characters, because the code did not
stop at 0, but would wrap around and continue reading from the
stack, without any limit.
Add a check to abort if we reached the first character in the
name, effectively rejecting the use of names consisting just
of slashes and spaces.
Furthermore, certain error cases in arfile.cc and extracttar.cc have
included member names in the output that were not checked at all and
might hence not be nul terminated, leading to further out of bound reads.
Fixes Debian/apt#111
LP: #1878177
|
|
Prompted-by: Jakub Wilk <jwilk@debian.org>
|
|
This makes it easier to see which headers includes what.
The changes were done by running
git grep -l '#\s*include' \
| grep -E '.(cc|h)$' \
| xargs sed -i -E 's/(^\s*)#(\s*)include/\1#\2 include/'
To modify all include lines by adding a space, and then running
./git-clang-format.sh.
|
|
Git-Dch: Ignore
|
|
Reported-By: cppcheck
Git-Dch: Ignore
|
|
Reported-By: gcc
Git-Dch: Ignore
|
|
This way we do not depend on the decompressor programs anymore.
|
|
We aren't and we will not be really compatible again with the previous
stable abi, so lets drop these markers (which never made it into a
released version) for good as they have outlived their intend already.
Git-Dch: Ignore
|
|
Git-Dch: Ignore
|
|
This is an ABI break.
Closes: #742882
|
|
Beside being a bit cleaner it hopefully also resolves oddball problems
I have with high levels of parallel jobs.
Git-Dch: Ignore
Reported-By: iwyu (include-what-you-use)
|
|
Git-Dch: Ignore
Reported-By: gcc -Wcast-qual
|
|
This allows for uncompressed tar files, as the decompressor process will
not get interposed in-between the file descriptors.
|
|
|
|
|
|
When a data.tar.{gz,xz} contains a path name that is exactly
100 characters long, it will get truncated to 99 chars upon
extraction in ExtractTar::Go().
Using all of the 100 available characters for the filename
seems to be new behaviour in gnu tar.
Closes: #689582
Thanks: Mika Eloranta for the testcase!
|
|
Git-Dch: Ignore
|
|
The default constructor of the FileFd will kick in anyway,
which will know that the Fd is invalid while with this explicit
call it must be assumed that the fd is in fact valid, which
might generate errors in the future
|
|
- ensure that in StartGzip the InFd is set to "AutoClose" to ensure
that the pipe is closed when InFd is closed. This fixes a Fd leak
(LP: #985452)
|
|
The breakage is just to big for now, so guard the change with
#ifndef APT_8_CLEANER_HEADERS and be nice to library users
|
|
The breakage is just to big for now, so guard the change with
#ifndef APT_8_CLEANER_HEADERS and be nice to library users
|
|
|
|
|
|
size are pretty unlikely for now, but we need it for deb
packages which could become bigger than 4GB now (LP: #815895)
|
|
|
|
|
|
|
|
list of members.
|
|
|
|
- when tcgetattr() returns non-zero skip all pty magic
(thanks to Simon Richter, closes: #509866)
* apt-inst/contrib/arfile.cc:
- show propper error message for Invalid archive members
|
|
- show propper error message for Invalid archive members
|
|
Patch from Marius Vollmer, thanks! (Closes: #504325)
|
|
- support members ending with '/' as well (thanks to Michal Cihr,
closes: #500988)
|
|
|
|
- fix fd leak for zero size files
|
|
|
|
|
|
- assign the return string value from Find() before calling c_str() on
it, otherwise the string goes out of scope and is deleted
|
|
Patches applied:
* apt@packages.debian.org/apt--misc-abi-changes--0--patch-4
Merge from mainline
* apt@packages.debian.org/apt--misc-abi-changes--0--patch-5
Merge from mainline
* apt@packages.debian.org/apt--misc-abi-changes--0--patch-6
Collapse both pkgAcquire::Run() methods into one, with a default value
* michael.vogt@ubuntu.com--2005/apt--fixes--0--base-0
tag of apt@packages.debian.org/apt--main--0--patch-79
* michael.vogt@ubuntu.com--2005/apt--fixes--0--patch-1
* merged obvious fixes into the tree to make it easy for matt to merge
* michael.vogt@ubuntu.com--2005/apt--fixes--0--patch-2
* more merges from otavio that looks good/uncritical
* michael.vogt@ubuntu.com--2005/apt--fixes--0--patch-3
* merged Matts misc-abi-changes tree
* michael.vogt@ubuntu.com--2005/apt--fixes--0--patch-4
* finalized the changelog for a ubuntu build
* otavio@debian.org--2005/apt--fixes--0--base-0
tag of apt@packages.debian.org/apt--main--0--patch-71
* otavio@debian.org--2005/apt--fixes--0--patch-1
Fix comments about the need of xmlto
* otavio@debian.org--2005/apt--fixes--0--patch-2
Fix a compile warning
* otavio@debian.org--2005/apt--fixes--0--patch-3
Sync with apt--main--0--patch-76
* otavio@debian.org--2005/apt--fixes--0--patch-4
Sync with apt--main--0--patch-78
* otavio@debian.org--2005/apt--fixes--0--patch-5
Add fixes that was wrongly included on DDTP changes.
* otavio@debian.org--2005/apt--fixes--0--patch-8
Add information about the other fixes include on this branch now.
* otavio@debian.org--2005/apt--fixes--0--patch-9
Merge last changes from apt--main--0.
* otavio@debian.org--2005/apt--fixes--0--patch-10
Fix warnings about min/max change in gcc-4.0
* otavio@debian.org--2005/apt--fixes--0--patch-11
Fix remaning warnings while compiling gcc-4.0
* otavio@debian.org--2005/apt--fixes--0--patch-12
Add changelog entry about the fixes for warnings while compiling using GCC 4.0 compiler.
|
|
|
|
Patches applied:
* apt@arch.ubuntu.com/apt--experimental--0.6--base-0
tag of apt@arch.ubuntu.com/apt--MAIN--0--patch-1190
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-1
Creation of branch v0_6
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-2
Creation of branch v0_6
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-3
Creation of branch v0_6
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-4
Creation of branch v0_6
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-5
Creation of branch v0_6
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-6
Creation of branch v0_6
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-7
Merge working copy of v0.6
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-8
0.6.0 is headed for experimental, not unstable
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-9
Date
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-10
Update LIB_APT_PKG_MAJOR
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-11
- Fix a heap corruption bug in pkgSrcRecords::pkgSrcRec...
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-12
Resynch
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-13
* Merge apt 0.5.17
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-14
* Rearrange Release file authentication code to be more...
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-15
* Convert distribution "../project/experimental" to "ex...
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-16
Merge 1.11
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-17
Merge 1.7
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-18
Merge 1.10
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-19
* Make a number of Release file errors into warnings; f...
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-20
* Add space between package names when multiple unauthe...
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-21
* Provide apt-key with a secret keyring and a trustdb, ...
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-22
* Fix typo in apt-key(8) (standard input is '-', not '/')
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-23
0.6.2
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-24
Resynch
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-25
* Fix MetaIndexURI for flat ("foo/") sources
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-26
0.6.3
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-27
* Use the top-level Release file in LoadReleaseInfo, ra...
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-28
0.6.4
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-29
Clarify
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-30
* Move the authentication check into a separate functio...
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-31
* Fix display of unauthenticated packages when they are...
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-32
* Move the authentication check into a separate functio...
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-33
* Restore the ugly hack I removed from indexRecords::Lo...
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-34
0.6.6
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-35
* Forgot to revert part of the changes to tagfile in 0....
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-36
* Add a config option and corresponding command line option
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-37
0.6.8
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-38
hopefully avoid more segfaults
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-39
XXX
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-40
* Another tagfile workaround
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-41
* Use "Codename" (woody, sarge, etc.) to supply the val...
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-42
* Support IMS requests of Release.gpg and Release
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-43
* Have pkgAcquireIndex calculate an MD5 sum if one is n...
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-44
* Merge 0.5.18
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-45
apt (0.6.13) experimental; urgency=low
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-46
0.6.13
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-47
Merge 0.5.20
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-48
The source list works a bit differently in 0.6; fix the...
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-49
* s/Debug::Acquire::gpg/&v/
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-50
* Honor the [vendor] syntax in sources.list again (thou...
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-51
* Don't ship vendors.list(5) since it isn't used yet
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-52
* Revert change from 0.6.10; it was right in the first ...
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-53
* Fix some cases where the .gpg file could be left in p...
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-54
Print a warning if gnupg is not installed
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-55
* Handle more IMS stuff correctly
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-56
0.6.17
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-57
* Merge 0.5.21
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-58
* Add new Debian Archive Automatic Signing Key to the d...
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-59
0.6.18
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-60
* Merge 0.5.22
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-61
* Convert apt-key(8) to docbook XML
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-62
Merge 0.5.23
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-63
Remove bogus partial 0.5.22 changelog entry
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-64
Make the auth warning a bit less redundant
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-65
* Merge 0.5.24
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-66
* Make the unauthenticated packages prompt more intuiti...
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-67
Merge 0.5.25
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-68
* Remove obsolete pkgIterator::TargetVer() (Closes: #230159)
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-69
* Reverse test in CheckAuth to match new prompt (Closes...
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-70
Update version
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-71
Fix backwards sense of CheckAuth prompt
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-72
0.6.24
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-73
Close bug
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-74
* Fix handling of two-part sources for sources.list deb...
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-75
0.6.25
* apt@packages.debian.org/apt--authentication--0--base-0
tag of apt@arch.ubuntu.com/apt--experimental--0.6--patch-75
* apt@packages.debian.org/apt--authentication--0--patch-1
Michael Vogt's merge of apt--experimental--0 onto apt--main--0
* apt@packages.debian.org/apt--authentication--0--patch-2
Merge from apt--main--0
* apt@packages.debian.org/apt--authentication--0--patch-3
Merge from main
* apt@packages.debian.org/apt--authentication--0--patch-4
Merge from main
* apt@packages.debian.org/apt--authentication--0--patch-5
Update version number in configure.in
* apt@packages.debian.org/apt--authentication--0--patch-6
Merge from main
* apt@packages.debian.org/apt--authentication--0--patch-7
Merge from main
* apt@packages.debian.org/apt--authentication--0--patch-8
Merge from mvo's branch
* apt@packages.debian.org/apt--authentication--0--patch-9
Merge from mvo's tree
* apt@packages.debian.org/apt--authentication--0--patch-10
Merge from mvo
* apt@packages.debian.org/apt--authentication--0--patch-11
Fix permissions AGAIN
* michael.vogt@canonical.com--2004--laptop/apt--authentication-mvo--0--base-0
tag of michael.vogt@canonical.com--2004/apt--authentication-mvo--0--patch-12
* michael.vogt@canonical.com--2004--laptop/apt--authentication-mvo--0--patch-1
* star-merged matt's changes (bz2 support for data-members in debs)
* michael.vogt@canonical.com--2004/apt--authentication-mvo--0--patch-1
tag of apt@packages.debian.org/apt--authentication--0--base-0
* michael.vogt@canonical.com--2004/apt--authentication-mvo--0--patch-2
merged "tla apply-delta -A foo@ apt@arch.ubuntu.com/apt--MAIN--0--patch-1190 apt@arch.ubuntu.com/apt--MAIN--0--patch-1343" and cleaned up conflicts
* michael.vogt@canonical.com--2004/apt--authentication-mvo--0--patch-3
* missing bits from the merge added
* michael.vogt@canonical.com--2004/apt--authentication-mvo--0--patch-4
* star-merged with apt@packages.debian.org/apt--main--0
* michael.vogt@canonical.com--2004/apt--authentication-mvo--0--patch-5
* tree-synced to the apt--authentication tree
* michael.vogt@canonical.com--2004/apt--authentication-mvo--0--patch-6
* use the ubuntu-key in this version
* michael.vogt@canonical.com--2004/apt--authentication-mvo--0--patch-7
* imported the patches from mdz
* michael.vogt@canonical.com--2004/apt--authentication-mvo--0--patch-8
* apt-get update --print-uris works now as before (fallback to 0.5.x behaviour)
* michael.vogt@canonical.com--2004/apt--authentication-mvo--0--patch-9
* fix for the "if any source unauthenticated, all other sources are unauthenticated too" problem
* michael.vogt@canonical.com--2004/apt--authentication-mvo--0--patch-10
* reworked the "--print-uris" patch. it no longer uses: "APT::Get::Print-URIs" in the library
* michael.vogt@canonical.com--2004/apt--authentication-mvo--0--patch-11
* version of the library set to 3.6
* michael.vogt@canonical.com--2004/apt--authentication-mvo--0--patch-12
* changelog finallized, will upload to people.ubuntulinux.org/~mvo/apt-authentication
* michael.vogt@canonical.com--2004/apt--main-authentication--0--base-0
tag of apt@packages.debian.org/apt--main--0--patch-22
* michael.vogt@canonical.com--2004/apt--main-authentication--0--patch-1
* star-merge from apt--experimental--0.6
* michael.vogt@canonical.com--2004/apt--main-authentication--0--patch-2
* compile failure fix for methods/http.cc, po-file fixes
|
|
Patches applied:
* apt@packages.debian.org/apt--bzip2-debs--0--base-0
tag of apt@packages.debian.org/apt--main--0--patch-30
* apt@packages.debian.org/apt--bzip2-debs--0--patch-1
Create baz branch
* apt@packages.debian.org/apt--bzip2-debs--0--patch-2
Implement data.tar.bz2 support
|
|
Author: mdz
Date: 2004-01-07 20:39:37 GMT
* Patch from Eric Wong <normalperson@yhbt.net> to include apt18n.h after
other headers to avoid breaking locale.h when setlocale() is defined
as an empty macro (Closes: #226509)
|
|
Author: mdz
Date: 2003-07-18 15:35:23 GMT
- Fix typo in tar error message (Closes: #191424)
|
|
Author: mdz
Date: 2003-07-18 14:15:11 GMT
- Clean up some string handling, patch from Peter Lundkvist
<p.lundkvist@telia.com> (Closes: #192225)
|
|
Author: doogie
Date: 2003-02-10 00:36:12 GMT
i18n stuff.
|
|
Author: doogie
Date: 2002-11-11 06:55:50 GMT
Some more g++-3.2 fixes.
|
|
Author: tausq
Date: 2002-09-20 05:30:33 GMT
revert my last patch.... see bts :)
|
|
Author: tausq
Date: 2002-09-20 04:42:25 GMT
fix for #161593
|
|
Author: jgg
Date: 2002-03-26 07:38:57 GMT
Use std C++ header names for includes
|