path: root/apt-inst/contrib
Age | Commit message | Author
2020-05-12 | SECURITY UPDATE: Fix out of bounds read in .ar and .tar implementation (CVE-2020-3810) | Julian Andres Klode
When normalizing ar member names by removing trailing whitespace and slashes, an out-of-bound read can be caused if the ar member name consists only of such characters, because the code did not stop at 0, but would wrap around and continue reading from the stack, without any limit.
Add a check to abort if we reached the first character in the name, effectively rejecting the use of names consisting just of slashes and spaces.
Furthermore, certain error cases in arfile.cc and extracttar.cc have included member names in the output that were not checked at all and might hence not be nul terminated, leading to further out of bound reads.
Fixes Debian/apt#111
LP: #1878177
2018-05-07 | Remove obsolete RCS keywords | Guillem Jover
Prompted-by: Jakub Wilk <jwilk@debian.org>
2017-07-12 | Reformat and sort all includes with clang-format | Julian Andres Klode
This makes it easier to see which headers include what. The changes were done by running
    git grep -l '#\s*include' \
      | grep -E '.(cc|h)$' \
      | xargs sed -i -E 's/(^\s*)#(\s*)include/\1#\2 include/'
To modify all include lines by adding a space, and then running ./git-clang-format.sh.
2015-11-27 | add messages to our deprecation warnings in libapt | David Kalnischkies
Git-Dch: Ignore
2015-11-05 | apply various suggestions made by cppcheck | David Kalnischkies
Reported-By: cppcheck
Git-Dch: Ignore
2015-08-31 | fix some unused parameter/variable warnings | David Kalnischkies
Reported-By: gcc
Git-Dch: Ignore
2015-08-27 | Use compressor support from FileFd for ExtractTar instead of programs | Julian Andres Klode
This way we do not depend on the decompressor programs anymore.
2015-08-10 | remove the compatibility markers for 4.13 abi | David Kalnischkies
We aren't and we will not be really compatible again with the previous stable abi, so let's drop these markers (which never made it into a released version) for good as they have outlived their intent already.
Git-Dch: Ignore
2014-11-08 | guard ABI changes for LFS in apt-inst | David Kalnischkies
Git-Dch: Ignore
2014-07-08 | Fix ar and tar code to be LFS-safe | Guillem Jover
This is an ABI break.
Closes: #742882
2014-03-13 | cleanup headers and especially #includes everywhere | David Kalnischkies
Beside being a bit cleaner it hopefully also resolves oddball problems I have with high levels of parallel jobs.
Git-Dch: Ignore
Reported-By: iwyu (include-what-you-use)
2014-03-13 | warning: cast from type A to type B casts away qualifiers [-Wcast-qual] | David Kalnischkies
Git-Dch: Ignore
Reported-By: gcc -Wcast-qual
2014-02-22 | ExtractTar: Allow an empty decompressor program | Guillem Jover
This allows for uncompressed tar files, as the decompressor process will not get interposed in-between the file descriptors.
2014-02-22 | Fix typos in documentation (codespell) | Michael Vogt
2013-10-07 | fix libapt-inst for >2G debs (closes: #725483) | Michael Vogt
2013-09-12 | don't truncate 100 char long paths in tar extraction | Oskari Saarenmaa
When a data.tar.{gz,xz} contains a path name that is exactly 100 characters long, it will get truncated to 99 chars upon extraction in ExtractTar::Go(). Using all of the 100 available characters for the filename seems to be new behaviour in gnu tar.
Closes: #689582
Thanks: Mika Eloranta for the testcase!
2013-06-24 | delete Memb on read-error in arfile | Niels Thykier
Git-Dch: Ignore
2013-06-09 | don't explicitly init ExtractTar InFd with invalid fd | David Kalnischkies
The default constructor of the FileFd will kick in anyway, which will know that the Fd is invalid while with this explicit call it must be assumed that the fd is in fact valid, which might generate errors in the future
2012-04-19 | * apt-inst/contrib/extracttar.cc: | Michael Vogt
- ensure that in StartGzip the InFd is set to "AutoClose" to ensure that the pipe is closed when InFd is closed. This fixes a Fd leak (LP: #985452)
2011-12-13 | revert 2184.1.3: forward declaration instead of headers | David Kalnischkies
The breakage is just too big for now, so guard the change with #ifndef APT_8_CLEANER_HEADERS and be nice to library users
2011-12-13 | revert 2184.1.2: do not pollute namespace in headers | David Kalnischkies
The breakage is just too big for now, so guard the change with #ifndef APT_8_CLEANER_HEADERS and be nice to library users
2011-09-19 | use forward declaration in headers if possible instead of includes | David Kalnischkies
2011-09-19 | do not pollute namespace in the headers with using (Closes: #500198) | David Kalnischkies
2011-09-13 | Support large files in the complete toolset. Indexes of this | David Kalnischkies
size are pretty unlikely for now, but we need it for deb packages which could become bigger than 4GB now (LP: #815895)
2011-09-13 | reorder includes: add <config.h> if needed and include it at first | David Kalnischkies
2011-05-17 | remove Size >= 0 check as Itm.Size is an unsigned variable (clang warning) | David Kalnischkies
2010-12-03 | Permit base256 encoded value in the numeric field of tar header. | Nobuhiro Hayashi
2010-03-12 | apt-inst/contrib/arfile.h: Add public ARArchive::Members() which returns the list of members. | Julian Andres Klode
2010-01-31 | merge r1966..1967 from lp:~donkult/apt/sid | Michael Vogt
2009-09-24 | * apt-pkg/deb/dpkgpm.cc: | Michael Vogt
- when tcgetattr() returns non-zero skip all pty magic (thanks to Simon Richter, closes: #509866)
* apt-inst/contrib/arfile.cc:
- show proper error message for Invalid archive members
2009-09-24 | * apt-inst/contrib/arfile.cc: | Michael Vogt
- show proper error message for Invalid archive members
2009-08-09 | [apt-inst/contrib/arfile.cc] use sizeof instead strlen | David Kalnischkies
Patch from Marius Vollmer, thanks! (Closes: #504325)
2008-12-17 | * apt-inst/contrib/arfile.cc: | Michael Vogt
- support members ending with '/' as well (thanks to Michal Cihr, closes: #500988)
2008-10-28 | fix various -Wall warnings | Michael Vogt
2007-08-02 | * apt-inst/contrib/extracttar.cc: | Michael Vogt
- fix fd leak for zero size files
2007-06-08 | * remove all the remaining #pragma implementation | Michael Vogt
2006-10-02 | * removed the pragma mess | Michael Vogt
2006-07-25 | * apt-inst/contrib/extracttar.cc: | Michael Vogt
- assign the return string value from Find() before calling c_str() on it, otherwise the string goes out of scope and is deleted
2005-05-23 | * merged with my apt--fixes--0 branch | Michael Vogt
Patches applied:
 * apt@packages.debian.org/apt--misc-abi-changes--0--patch-4
   Merge from mainline
 * apt@packages.debian.org/apt--misc-abi-changes--0--patch-5
   Merge from mainline
 * apt@packages.debian.org/apt--misc-abi-changes--0--patch-6
   Collapse both pkgAcquire::Run() methods into one, with a default value
 * michael.vogt@ubuntu.com--2005/apt--fixes--0--base-0
   tag of apt@packages.debian.org/apt--main--0--patch-79
 * michael.vogt@ubuntu.com--2005/apt--fixes--0--patch-1
   * merged obvious fixes into the tree to make it easy for matt to merge
 * michael.vogt@ubuntu.com--2005/apt--fixes--0--patch-2
   * more merges from otavio that look good/uncritical
 * michael.vogt@ubuntu.com--2005/apt--fixes--0--patch-3
   * merged Matt's misc-abi-changes tree
 * michael.vogt@ubuntu.com--2005/apt--fixes--0--patch-4
   * finalized the changelog for a ubuntu build
 * otavio@debian.org--2005/apt--fixes--0--base-0
   tag of apt@packages.debian.org/apt--main--0--patch-71
 * otavio@debian.org--2005/apt--fixes--0--patch-1
   Fix comments about the need of xmlto
 * otavio@debian.org--2005/apt--fixes--0--patch-2
   Fix a compile warning
 * otavio@debian.org--2005/apt--fixes--0--patch-3
   Sync with apt--main--0--patch-76
 * otavio@debian.org--2005/apt--fixes--0--patch-4
   Sync with apt--main--0--patch-78
 * otavio@debian.org--2005/apt--fixes--0--patch-5
   Add fixes that were wrongly included on DDTP changes.
 * otavio@debian.org--2005/apt--fixes--0--patch-8
   Add information about the other fixes included on this branch now.
 * otavio@debian.org--2005/apt--fixes--0--patch-9
   Merge last changes from apt--main--0.
 * otavio@debian.org--2005/apt--fixes--0--patch-10
   Fix warnings about min/max change in gcc-4.0
 * otavio@debian.org--2005/apt--fixes--0--patch-11
   Fix remaining warnings while compiling gcc-4.0
 * otavio@debian.org--2005/apt--fixes--0--patch-12
   Add changelog entry about the fixes for warnings while compiling using GCC 4.0 compiler.
2005-03-06 | Bring consistency to the use of capitals in programs messages | Christian Perrier
2004-12-13 | Merge apt--authentication--0 | Matt Zimmerman
Patches applied: * apt@arch.ubuntu.com/apt--experimental--0.6--base-0 tag of apt@arch.ubuntu.com/apt--MAIN--0--patch-1190 * apt@arch.ubuntu.com/apt--experimental--0.6--patch-1 Creation of branch v0_6 * apt@arch.ubuntu.com/apt--experimental--0.6--patch-2 Creation of branch v0_6 * apt@arch.ubuntu.com/apt--experimental--0.6--patch-3 Creation of branch v0_6 * apt@arch.ubuntu.com/apt--experimental--0.6--patch-4 Creation of branch v0_6 * apt@arch.ubuntu.com/apt--experimental--0.6--patch-5 Creation of branch v0_6 * apt@arch.ubuntu.com/apt--experimental--0.6--patch-6 Creation of branch v0_6 * apt@arch.ubuntu.com/apt--experimental--0.6--patch-7 Merge working copy of v0.6 * apt@arch.ubuntu.com/apt--experimental--0.6--patch-8 0.6.0 is headed for experimental, not unstable * apt@arch.ubuntu.com/apt--experimental--0.6--patch-9 Date * apt@arch.ubuntu.com/apt--experimental--0.6--patch-10 Update LIB_APT_PKG_MAJOR * apt@arch.ubuntu.com/apt--experimental--0.6--patch-11 - Fix a heap corruption bug in pkgSrcRecords::pkgSrcRec... * apt@arch.ubuntu.com/apt--experimental--0.6--patch-12 Resynch * apt@arch.ubuntu.com/apt--experimental--0.6--patch-13 * Merge apt 0.5.17 * apt@arch.ubuntu.com/apt--experimental--0.6--patch-14 * Rearrange Release file authentication code to be more... * apt@arch.ubuntu.com/apt--experimental--0.6--patch-15 * Convert distribution "../project/experimental" to "ex... * apt@arch.ubuntu.com/apt--experimental--0.6--patch-16 Merge 1.11 * apt@arch.ubuntu.com/apt--experimental--0.6--patch-17 Merge 1.7 * apt@arch.ubuntu.com/apt--experimental--0.6--patch-18 Merge 1.10 * apt@arch.ubuntu.com/apt--experimental--0.6--patch-19 * Make a number of Release file errors into warnings; f... * apt@arch.ubuntu.com/apt--experimental--0.6--patch-20 * Add space between package names when multiple unauthe... * apt@arch.ubuntu.com/apt--experimental--0.6--patch-21 * Provide apt-key with a secret keyring and a trustdb, ... 
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-22 * Fix typo in apt-key(8) (standard input is '-', not '/') * apt@arch.ubuntu.com/apt--experimental--0.6--patch-23 0.6.2 * apt@arch.ubuntu.com/apt--experimental--0.6--patch-24 Resynch * apt@arch.ubuntu.com/apt--experimental--0.6--patch-25 * Fix MetaIndexURI for flat ("foo/") sources * apt@arch.ubuntu.com/apt--experimental--0.6--patch-26 0.6.3 * apt@arch.ubuntu.com/apt--experimental--0.6--patch-27 * Use the top-level Release file in LoadReleaseInfo, ra... * apt@arch.ubuntu.com/apt--experimental--0.6--patch-28 0.6.4 * apt@arch.ubuntu.com/apt--experimental--0.6--patch-29 Clarify * apt@arch.ubuntu.com/apt--experimental--0.6--patch-30 * Move the authentication check into a separate functio... * apt@arch.ubuntu.com/apt--experimental--0.6--patch-31 * Fix display of unauthenticated packages when they are... * apt@arch.ubuntu.com/apt--experimental--0.6--patch-32 * Move the authentication check into a separate functio... * apt@arch.ubuntu.com/apt--experimental--0.6--patch-33 * Restore the ugly hack I removed from indexRecords::Lo... * apt@arch.ubuntu.com/apt--experimental--0.6--patch-34 0.6.6 * apt@arch.ubuntu.com/apt--experimental--0.6--patch-35 * Forgot to revert part of the changes to tagfile in 0.... * apt@arch.ubuntu.com/apt--experimental--0.6--patch-36 * Add a config option and corresponding command line option * apt@arch.ubuntu.com/apt--experimental--0.6--patch-37 0.6.8 * apt@arch.ubuntu.com/apt--experimental--0.6--patch-38 hopefully avoid more segfaults * apt@arch.ubuntu.com/apt--experimental--0.6--patch-39 XXX * apt@arch.ubuntu.com/apt--experimental--0.6--patch-40 * Another tagfile workaround * apt@arch.ubuntu.com/apt--experimental--0.6--patch-41 * Use "Codename" (woody, sarge, etc.) to supply the val... 
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-42 * Support IMS requests of Release.gpg and Release * apt@arch.ubuntu.com/apt--experimental--0.6--patch-43 * Have pkgAcquireIndex calculate an MD5 sum if one is n... * apt@arch.ubuntu.com/apt--experimental--0.6--patch-44 * Merge 0.5.18 * apt@arch.ubuntu.com/apt--experimental--0.6--patch-45 apt (0.6.13) experimental; urgency=low * apt@arch.ubuntu.com/apt--experimental--0.6--patch-46 0.6.13 * apt@arch.ubuntu.com/apt--experimental--0.6--patch-47 Merge 0.5.20 * apt@arch.ubuntu.com/apt--experimental--0.6--patch-48 The source list works a bit differently in 0.6; fix the... * apt@arch.ubuntu.com/apt--experimental--0.6--patch-49 * s/Debug::Acquire::gpg/&v/ * apt@arch.ubuntu.com/apt--experimental--0.6--patch-50 * Honor the [vendor] syntax in sources.list again (thou... * apt@arch.ubuntu.com/apt--experimental--0.6--patch-51 * Don't ship vendors.list(5) since it isn't used yet * apt@arch.ubuntu.com/apt--experimental--0.6--patch-52 * Revert change from 0.6.10; it was right in the first ... * apt@arch.ubuntu.com/apt--experimental--0.6--patch-53 * Fix some cases where the .gpg file could be left in p... * apt@arch.ubuntu.com/apt--experimental--0.6--patch-54 Print a warning if gnupg is not installed * apt@arch.ubuntu.com/apt--experimental--0.6--patch-55 * Handle more IMS stuff correctly * apt@arch.ubuntu.com/apt--experimental--0.6--patch-56 0.6.17 * apt@arch.ubuntu.com/apt--experimental--0.6--patch-57 * Merge 0.5.21 * apt@arch.ubuntu.com/apt--experimental--0.6--patch-58 * Add new Debian Archive Automatic Signing Key to the d... 
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-59 0.6.18 * apt@arch.ubuntu.com/apt--experimental--0.6--patch-60 * Merge 0.5.22 * apt@arch.ubuntu.com/apt--experimental--0.6--patch-61 * Convert apt-key(8) to docbook XML * apt@arch.ubuntu.com/apt--experimental--0.6--patch-62 Merge 0.5.23 * apt@arch.ubuntu.com/apt--experimental--0.6--patch-63 Remove bogus partial 0.5.22 changelog entry * apt@arch.ubuntu.com/apt--experimental--0.6--patch-64 Make the auth warning a bit less redundant * apt@arch.ubuntu.com/apt--experimental--0.6--patch-65 * Merge 0.5.24 * apt@arch.ubuntu.com/apt--experimental--0.6--patch-66 * Make the unauthenticated packages prompt more intuiti... * apt@arch.ubuntu.com/apt--experimental--0.6--patch-67 Merge 0.5.25 * apt@arch.ubuntu.com/apt--experimental--0.6--patch-68 * Remove obsolete pkgIterator::TargetVer() (Closes: #230159) * apt@arch.ubuntu.com/apt--experimental--0.6--patch-69 * Reverse test in CheckAuth to match new prompt (Closes... * apt@arch.ubuntu.com/apt--experimental--0.6--patch-70 Update version * apt@arch.ubuntu.com/apt--experimental--0.6--patch-71 Fix backwards sense of CheckAuth prompt * apt@arch.ubuntu.com/apt--experimental--0.6--patch-72 0.6.24 * apt@arch.ubuntu.com/apt--experimental--0.6--patch-73 Close bug * apt@arch.ubuntu.com/apt--experimental--0.6--patch-74 * Fix handling of two-part sources for sources.list deb... 
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-75 0.6.25 * apt@packages.debian.org/apt--authentication--0--base-0 tag of apt@arch.ubuntu.com/apt--experimental--0.6--patch-75 * apt@packages.debian.org/apt--authentication--0--patch-1 Michael Vogt's merge of apt--experimental--0 onto apt--main--0 * apt@packages.debian.org/apt--authentication--0--patch-2 Merge from apt--main--0 * apt@packages.debian.org/apt--authentication--0--patch-3 Merge from main * apt@packages.debian.org/apt--authentication--0--patch-4 Merge from main * apt@packages.debian.org/apt--authentication--0--patch-5 Update version number in configure.in * apt@packages.debian.org/apt--authentication--0--patch-6 Merge from main * apt@packages.debian.org/apt--authentication--0--patch-7 Merge from main * apt@packages.debian.org/apt--authentication--0--patch-8 Merge from mvo's branch * apt@packages.debian.org/apt--authentication--0--patch-9 Merge from mvo's tree * apt@packages.debian.org/apt--authentication--0--patch-10 Merge from mvo * apt@packages.debian.org/apt--authentication--0--patch-11 Fix permissions AGAIN * michael.vogt@canonical.com--2004--laptop/apt--authentication-mvo--0--base-0 tag of michael.vogt@canonical.com--2004/apt--authentication-mvo--0--patch-12 * michael.vogt@canonical.com--2004--laptop/apt--authentication-mvo--0--patch-1 * star-merged matt's changes (bz2 support for data-members in debs) * michael.vogt@canonical.com--2004/apt--authentication-mvo--0--patch-1 tag of apt@packages.debian.org/apt--authentication--0--base-0 * michael.vogt@canonical.com--2004/apt--authentication-mvo--0--patch-2 merged "tla apply-delta -A foo@ apt@arch.ubuntu.com/apt--MAIN--0--patch-1190 apt@arch.ubuntu.com/apt--MAIN--0--patch-1343" and cleaned up conflicts * michael.vogt@canonical.com--2004/apt--authentication-mvo--0--patch-3 * missing bits from the merge added * michael.vogt@canonical.com--2004/apt--authentication-mvo--0--patch-4 * star-merged with apt@packages.debian.org/apt--main--0 * 
michael.vogt@canonical.com--2004/apt--authentication-mvo--0--patch-5 * tree-synced to the apt--authentication tree * michael.vogt@canonical.com--2004/apt--authentication-mvo--0--patch-6 * use the ubuntu-key in this version * michael.vogt@canonical.com--2004/apt--authentication-mvo--0--patch-7 * imported the patches from mdz * michael.vogt@canonical.com--2004/apt--authentication-mvo--0--patch-8 * apt-get update --print-uris works now as before (fallback to 0.5.x behaviour) * michael.vogt@canonical.com--2004/apt--authentication-mvo--0--patch-9 * fix for the "if any source unauthenticated, all other sources are unauthenticated too" problem * michael.vogt@canonical.com--2004/apt--authentication-mvo--0--patch-10 * reworked the "--print-uris" patch. it no longer uses: "APT::Get::Print-URIs" in the library * michael.vogt@canonical.com--2004/apt--authentication-mvo--0--patch-11 * version of the library set to 3.6 * michael.vogt@canonical.com--2004/apt--authentication-mvo--0--patch-12 * changelog finallized, will upload to people.ubuntulinux.org/~mvo/apt-authentication * michael.vogt@canonical.com--2004/apt--main-authentication--0--base-0 tag of apt@packages.debian.org/apt--main--0--patch-22 * michael.vogt@canonical.com--2004/apt--main-authentication--0--patch-1 * star-merge from apt--experimental--0.6 * michael.vogt@canonical.com--2004/apt--main-authentication--0--patch-2 * compile failure fix for methods/http.cc, po-file fixes
2004-12-12 | Merge bzip2-debs branch | Matt Zimmerman
Patches applied:
 * apt@packages.debian.org/apt--bzip2-debs--0--base-0
   tag of apt@packages.debian.org/apt--main--0--patch-30
 * apt@packages.debian.org/apt--bzip2-debs--0--patch-1
   Create baz branch
 * apt@packages.debian.org/apt--bzip2-debs--0--patch-2
   Implement data.tar.bz2 support
2004-09-20 | * Patch from Eric Wong <normalperson@yhbt.net> to inclu... | Arch Librarian
Author: mdz
Date: 2004-01-07 20:39:37 GMT
* Patch from Eric Wong <normalperson@yhbt.net> to include apt18n.h after other headers to avoid breaking locale.h when setlocale() is defined as an empty macro (Closes: #226509)
2004-09-20 | - Fix typo in tar error message (Closes: #191424) | Arch Librarian
Author: mdz
Date: 2003-07-18 15:35:23 GMT
- Fix typo in tar error message (Closes: #191424)
2004-09-20 | - Clean up some string handling, patch from Peter Lundkvist | Arch Librarian
Author: mdz
Date: 2003-07-18 14:15:11 GMT
- Clean up some string handling, patch from Peter Lundkvist <p.lundkvist@telia.com> (Closes: #192225)
2004-09-20 | i18n stuff. | Arch Librarian
Author: doogie
Date: 2003-02-10 00:36:12 GMT
i18n stuff.
2004-09-20 | Some more g++-3.2 fixes. | Arch Librarian
Author: doogie
Date: 2002-11-11 06:55:50 GMT
Some more g++-3.2 fixes.
2004-09-20 | revert my last patch.... see bts :) | Arch Librarian
Author: tausq
Date: 2002-09-20 05:30:33 GMT
revert my last patch.... see bts :)
2004-09-20 | fix for #161593 | Arch Librarian
Author: tausq
Date: 2002-09-20 04:42:25 GMT
fix for #161593
2004-09-20 | Use std C++ header names for includes | Arch Librarian
Author: jgg
Date: 2002-03-26 07:38:57 GMT
Use std C++ header names for includes