Age | Commit message | Author |
|
This fixes a security issue that can be exploited to inject arbitrary debs
or other files into a signed repository as follows:
(1) Server sends a redirect to somewhere%0a<headers for the apt method> (where %0a is
\n encoded)
(2) apt method decodes the redirect (because the method encodes the URLs before
sending them out), writing something like
somewhere\n
<headers>
into its output
(3) apt then uses the headers injected for validation purposes.
Regression-Of: c34ea12ad509cb34c954ed574a301c3cbede55ec
LP: #1812353
|
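The injection described in the commit message above, as an added example that is not apt's own code: a small model of the acquire-method message framing (a status line such as `103 Redirect`, then `Key: value` header lines, then an empty line). It shows how percent-decoding the redirect target before writing it lets a `%0a` in the Location become a new header line, and one way to refuse such a target. The hardened variant rejecting control characters is an illustration of the check, not apt's actual patch; the URIs and the injected `SHA256-Hash` line are constructed for the example.

```python
# Added example, not apt's own code: a small model of the apt acquire-method
# message framing ("103 Redirect" followed by "Key: value" header lines and a
# blank line), used to show how percent-decoding a redirect target before
# writing it lets a server inject header lines, and one way to reject that.
import urllib.parse

CONTROL_CHARS = set(chr(c) for c in range(0x20)) | {"\x7f"}


def redirect_message_vulnerable(original_uri: str, location: str) -> str:
    """Model of the pre-fix behaviour: the Location value is percent-decoded
    and written straight into the message, so a %0a becomes a line break."""
    new_uri = urllib.parse.unquote(location)
    return f"103 Redirect\nURI: {original_uri}\nNew-URI: {new_uri}\n\n"


def redirect_message_fixed(original_uri: str, location: str) -> str:
    """Hardened variant (an illustration, not apt's actual patch): refuse any
    decoded target that contains a control character, since none is legal in
    a URI and a CR/LF would terminate the header line early."""
    new_uri = urllib.parse.unquote(location)
    if any(c in CONTROL_CHARS for c in new_uri):
        raise ValueError("control character in redirect target")
    return f"103 Redirect\nURI: {original_uri}\nNew-URI: {new_uri}\n\n"


def parse_method_message(text: str):
    """Parse one message the way the receiving side does: status line first,
    then 'Key: value' lines until the empty line that ends the message."""
    lines = text.split("\n")
    status = lines[0]
    headers = {}
    for line in lines[1:]:
        if line == "":
            break
        key, _, value = line.partition(":")
        headers[key.strip()] = value.strip()
    return status, headers


# Constructed attacker response: a redirect whose target carries an encoded
# newline followed by a header the method would normally emit itself.
ORIGINAL_URI = "http://mirror.example/debian/pool/main/f/foo/foo_1.0_amd64.deb"
MALICIOUS_LOCATION = (
    "http://mirror.example/other.deb"
    "%0aSHA256-Hash:%20" + "00" * 32
)


def injected_headers(location: str = MALICIOUS_LOCATION) -> dict:
    """Headers the acquire side would see from the vulnerable method."""
    _, headers = parse_method_message(
        redirect_message_vulnerable(ORIGINAL_URI, location))
    return headers


def fixed_rejects(location: str = MALICIOUS_LOCATION) -> bool:
    """True if the hardened method refuses to emit a message for this target."""
    try:
        redirect_message_fixed(ORIGINAL_URI, location)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(injected_headers())
    print("fixed method rejects it:", fixed_rejects())
```

The parsed headers from the vulnerable message contain a `SHA256-Hash` key that the server, not the method, chose; anything on the receiving side that trusts that field for verification is now comparing against an attacker-supplied value. The check in the fixed variant is deliberately on the decoded string, since that is what reaches the wire.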
|
Most of them in (old) code comments. For the two instances of user-visible
string changes, the po files of the manpages are fixed up as well.
Gbp-Dch: Ignore
Reported-By: spellintian
|
|
If we don't give a specific error to report up it is likely that all
errors currently in the error stack are equally important, so reporting
just one could turn out to be confusing e.g. if name resolution failed
in a SRV record list.
|
|
All apt versions support numeric as well as 3-character timezones just
fine and it's actually hard to write code which doesn't "accidentally"
accept it. So why change? Documenting the Date/Valid-Until fields in
the Release file is easy to do in terms of referencing the
datetime format used e.g. in the Debian changelogs (policy §4.4). This
format specifies only the numeric timezones though, not the nowadays
obsolete 3-character ones, so in the interest of least surprise we should
use the same format even though it carries a small risk of regression
in other clients (which encounter repositories created with
apt-ftparchive).
In case it is really regressing in practice, the hidden option
-o APT::FTPArchive::Release::NumericTimezone=0
can be used to go back to good old UTC as timezone.
The EDSP and EIPP protocols use this 'new' format, the text interface
used to communicate with the acquire methods does not for compatibility
reasons even if none of our methods would be affected and I doubt any
other would (in these instances the timezone is 'GMT' as that is what
HTTP/1.1 requires). Note that this is only true for apt talking to
methods, (libapt-based) methods talking to apt will respond with the
'new' format. It is therefore strongly advised to support both also in
method input.
|
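The two date forms discussed above, as an added example that is not apt's or apt-ftparchive's code: a parser for the Date and Valid-Until fields of a Release file that accepts both the numeric (`+0000`) and the 3-character (`UTC`/`GMT`) timezone spelling, a formatter that can emit either, and a check of the validity window, which is the security-relevant use of these fields (a mirror replaying a stale but correctly signed Release past Valid-Until should be rejected). The field parser, the sample Release text and the restriction to zone names that mean UTC are assumptions made for the example.

```python
# Added example, not apt's or apt-ftparchive's code: parse the Date and
# Valid-Until fields of a Release file accepting both the numeric ("+0000")
# and the 3-character ("UTC"/"GMT") timezone forms, emit either form, and
# check whether the file is still within its validity window.
import re
from datetime import datetime, timedelta, timezone

# Assumption: the only 3-character zone names accepted are the ones that
# mean UTC; a date field written with anything else is treated as invalid.
_UTC_NAMES = {"UTC", "GMT", "UT"}
_DATE_FMT = "%a, %d %b %Y %H:%M:%S"


def parse_release_date(value: str) -> datetime:
    """Parse 'Thu, 10 Jan 2019 12:00:00 UTC' or '... +0000' into an aware datetime."""
    head, _, tz = value.strip().rpartition(" ")
    if tz in _UTC_NAMES:
        offset = timedelta(0)
    elif re.fullmatch(r"[+-]\d{4}", tz):
        sign = 1 if tz[0] == "+" else -1
        offset = sign * timedelta(hours=int(tz[1:3]), minutes=int(tz[3:5]))
    else:
        raise ValueError(f"unsupported timezone in date field: {value!r}")
    return datetime.strptime(head, _DATE_FMT).replace(tzinfo=timezone(offset))


def accepts(value: str) -> bool:
    """True if parse_release_date() accepts the field value."""
    try:
        parse_release_date(value)
    except ValueError:
        return False
    return True


def format_release_date(dt: datetime, numeric: bool = True) -> str:
    """Render in UTC, with the numeric zone by default (the form the
    NumericTimezone option selects) or the legacy 'UTC' spelling."""
    text = dt.astimezone(timezone.utc).strftime(_DATE_FMT)
    return f"{text} +0000" if numeric else f"{text} UTC"


def parse_release_fields(text: str) -> dict:
    """Minimal 'Key: value' parser for the top-level fields used here;
    continuation lines (leading space) are ignored."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and not line.startswith(" "):
            fields[key.strip()] = value.strip()
    return fields


def release_is_valid(fields: dict, now: datetime) -> bool:
    """A Release file is acceptable only while now < Valid-Until; a file
    without Valid-Until never expires, so a mirror can replay it forever."""
    if "Valid-Until" not in fields:
        return True
    return now < parse_release_date(fields["Valid-Until"])


# Constructed sample: Date in the legacy form, Valid-Until in the numeric form.
RELEASE_SAMPLE = """Origin: Debian
Suite: stable
Date: Sat, 12 Jan 2019 10:15:00 UTC
Valid-Until: Sat, 19 Jan 2019 10:15:00 +0000
"""

if __name__ == "__main__":
    fields = parse_release_fields(RELEASE_SAMPLE)
    print(format_release_date(parse_release_date(fields["Date"])))
    print(release_is_valid(fields, datetime.now(timezone.utc)))
```

Comparing aware datetimes makes the `+0100` and `UTC` spellings of the same instant equal, which is the property a client needs when repositories built by different tools use different forms.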
|
Setting the C++ locale via std::locale::global(std::locale("")); which
would otherwise default to the default C locale (aka: unaffected by
setlocale) affects the formatting of numeric types in IO streams, which
for output for humans is perfectly sensible, but breaks our many text
interfaces used and parsed by us and others without expecting the
numbers to be formatted.
Closes: #825396
|
|
Reported-By: cppcheck
Git-Dch: Ignore
|
|
Doing this disables the implicit copy assignment operator (among others)
which would cause havoc if used on the classes as it would just copy the
pointer, not the data the d-pointer points to. For most of the classes
we don't need a copy assignment operator anyway and in many classes it
was broken before as many contain a pointer of some sort.
Only for our Cacheset Container interfaces we define an explicit copy
assignment operator which could later be implemented to copy the data
from one d-pointer to the other if we need it.
Git-Dch: Ignore
|
|
To have a chance to keep the ABI for a while we need all three to team
up. One of them missing and we might lose, so ensuring that they are
available is a very tedious but needed task once in a while.
Git-Dch: Ignore
|
|
rred is responsible for unpacking and reading the patch files in one go,
but we currently only have hashes for the uncompressed patch files, so
the handler read the entire patch file before dispatching it to the
worker which would read it again – both with an implicit uncompress.
Worse, while the workers operate in parallel the handler is the central
orchestration unit, so having it busy with work means the workers do
(potentially) nothing.
This means rred is working with 'untrusted' data, which is bad. Yet,
having the unpack in the handler meant that the untrusted uncompress was
done as root which isn't better either. Now, we have it at least
contained in a binary which we can harden a bit better. In the long run,
we want hashes for the compressed patch files though to be safe.
|
|
Having every item having its own code to verify the file(s) it handles
is an error-prone process and easy to break, especially if items move
through various stages (download, uncompress, patching, …). With a giant
rework we centralize (most of) the verification to have a better
enforcement rate and (hopefully) less chance for bugs, but it breaks the
ABI bigtime in exchange – and as we break it anyway, it is broken even
harder.
It shouldn't affect most frontends as they don't deal with the acquire
system at all or implement their own items, but some do and will need to
be patched (might be an opportunity to use apt on-board material).
The theory is simple: Items implement methods to decide if hashes need to
be checked (in this stage) and to return the expected hashes for this
item (in this stage). The verification itself is done in worker message
passing which has the benefit that a hashsum error is now a proper error
for the acquire system rather than a Done() which is later revised to a
Failed().
|
|
Reimplementing an inline method is opening a can of worms we don't want
to open if we ever want to use a d-pointer in those classes, so we do the
only thing which can save us from hell: move the destructors into the cc
sources and we are good.
Technically not an ABI break as the methods inline or not do the same
(nothing), so a program compiled against the old version still works
with the new version (beside that this version is still in experimental,
so nothing really has been built against this library anyway).
Git-Dch: Ignore
|
|
debian/experimental
|
|
feature/expected-size
|
|
On travis-ci connect.cc detects a rotation, triggering it to store the IP
which is later appended to the error message, which is all nice and
great if we deal with a real server, but in the testcases it just
triggers failures as strings do not match.
Git-Dch: Ignore
|
|
|
|
Git-Dch: ignore
|
This ensures that we can stop downloading if the server sends
too much data by accident (or by a malicious attempt)
|
|
Now that we have all hashes in the acquire system, pass the info down to
the methods, so that it can use it in the request and/or to precheck the
response.
|
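The two commit messages above (abort when the server sends more than the expected size; pass the known hashes down so the response can be checked) as one added example that is not apt's code: a download reader that is told the size and SHA256 of a file before the transfer starts, stops reading as soon as one byte beyond that size arrives, and verifies the hash of what it got. The in-memory "connection", the sample payload and its hash are constructed for the example.

```python
# Added example, not apt's code: a download reader that knows the expected
# size and SHA256 of a file before the transfer starts, stops reading as soon
# as the server sends more than that size, and verifies the hash of what
# arrived. The payload and its hash are constructed here for the example.
import hashlib
import io


class TooMuchData(Exception):
    """Server sent more bytes than the index promised."""


class ShortRead(Exception):
    """Server closed the connection before the promised size."""


class HashMismatch(Exception):
    """Size matched but the content does not."""


def fetch_bounded(stream, expected_size: int, expected_sha256: str,
                  chunk: int = 4096) -> bytes:
    h = hashlib.sha256()
    out = bytearray()
    while True:
        # Never ask for more than one byte past the limit: that single extra
        # byte is enough to detect an oversized response without buffering it.
        want = min(chunk, expected_size - len(out) + 1)
        data = stream.read(want)
        if not data:
            break
        if len(out) + len(data) > expected_size:
            raise TooMuchData(f"exceeded {expected_size} bytes")
        out += data
        h.update(data)
    if len(out) != expected_size:
        raise ShortRead(f"got {len(out)} of {expected_size} bytes")
    if h.hexdigest() != expected_sha256:
        raise HashMismatch(h.hexdigest())
    return bytes(out)


def classify(served: bytes, expected_size: int, expected_sha256: str) -> str:
    """Run fetch_bounded over an in-memory 'connection' and name the outcome."""
    try:
        fetch_bounded(io.BytesIO(served), expected_size, expected_sha256, chunk=16)
        return "ok"
    except TooMuchData:
        return "too-much"
    except ShortRead:
        return "short"
    except HashMismatch:
        return "hash-mismatch"


# Constructed sample index entry: the bytes a Packages file would describe.
SAMPLE_PAYLOAD = b"Package: foo\nVersion: 1.0\nArchitecture: amd64\n"
SAMPLE_SIZE = len(SAMPLE_PAYLOAD)
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_PAYLOAD).hexdigest()

if __name__ == "__main__":
    for name, served in [("exact", SAMPLE_PAYLOAD),
                         ("oversized", SAMPLE_PAYLOAD + b"\n" * 100),
                         ("truncated", SAMPLE_PAYLOAD[:10]),
                         ("tampered", SAMPLE_PAYLOAD[:-1] + b"X")]:
        print(name, classify(served, SAMPLE_SIZE, SAMPLE_SHA256))
```

The size bound is enforced while reading, so an endless or oversized response costs at most one extra byte rather than unbounded disk or memory; the hash is checked only once the size has matched, which is the order a method can apply when it already holds both values from the index.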
|
It is not very extensible to have the supported Hashes hardcoded
everywhere and especially if it is part of virtual method names.
It is also possible that a method does not support the 'best' hash
(yet), so we might end up not being able to verify a file even though we
have a common subset of supported hashes. And those are just two of the
cases in which it is handy to have a more dynamic selection.
The downside is that this is a MAJOR API break, but the HashStringList
has a string constructor for compatibility, so with a bit of luck the
few frontends playing with the acquire system directly are okay.
|
|
Beside being a bit cleaner it hopefully also resolves oddball problems
I have with high levels of parallel jobs.
Git-Dch: Ignore
Reported-By: iwyu (include-what-you-use)
|
|
- handle redirections in the worker with the right method instead of
in the method the redirection occurred in (Closes: #668111)
* methods/http.cc:
- forbid redirects to change protocol
|
|
- factor out into private Dequeue() to fix access to deleted pointer
|
|
|
done on the micro-optimization level, so let's fix them:
(performance) Possible inefficient checking for emptiness.
(performance) Prefer prefix ++/-- operators for non-primitive types.
|
|
is redundant in Redirect() as we can't reach the code with null anyway
[apt-pkg/acquire-method.cc:433]: (error) Possible null pointer dereference:
Queue - otherwise it is redundant to check if Queue is null at line 425
|
|
|
- write directly to stdout instead of creating the message in
memory first before writing to avoid hitting limits
|
|
|
- when downloading data, show the mirror being used
|
|
|
of this item is ok and does not need to be tried on all mirrors
|
|
- fix TimeToStr i18n (LP: #289807)
* [ABI break] merge support for http redirects, thanks to
Jeff Licquia and Anthony Towns
* [ABI break] use int for the package IDs (thanks to Steve Cotton)
* apt-pkg/pkgcache.cc:
- do not run "dpkg --configure pkg" if pkg is in trigger-awaited
state (LP: #322955)
* methods/https.cc:
- add Acquire::https::AllowRedirect support
* Clarify the --help for 'purge' (LP: #243948)
* cmdline/apt-get.cc
- fix "apt-get source pkg" if there is a binary package and
a source package of the same name but from different
packages (LP: #330103)
* cmdline/acqprogress.cc:
- Call pkgAcquireStatus::Pulse even if quiet, so that we still get
dlstatus messages on the status-fd (LP: #290234).
|
|
Jeff Licquia and Anthony Towns
* [ABI break] use int for the package IDs (thanks to Steve Cotton)
- Galician updated. Closes: #509151
- Catalan updated. Closes: #509375
- Vietnamese updated. Closes: #509422
- Traditional Chinese added. Closes: #510664
* COPYING:
- Actualized. Removed obsolete Qt section, added GPLv2 clause.
(Closes: #440049, #509337)
* Clarify the --help for 'purge' (LP: #243948)
|
|
- fix fd leak for zero size files (thanks to Bill Broadley for
reporting this bug)
* apt-pkg/acquire-item.cc:
- remove zero size files on I-M-S hit
* methods/https.cc:
- only send LastModified if we actually have one
- send range request with if-range
- delete failed downloads
* apt-pkg/deb/dpkgpm.{cc,h}:
- merged dpkg-log branch, this lets you specify a
Dir::Log::Terminal file to log dpkg output to
(ABI break)
* merged apt--sha256 branch to fully support the new
sha256 checksums in the Packages and Release files
(ABI break)
* Applied patch from Aurelien Jarno <aurel32@debian.org> to fix wrong
directory downloading on non-linux architectures (closes: #435597)
* Applied patch from Guillem Jover <guillem@debian.org> to use
* Applied patch from Guillem Jover <guillem@debian.org> to add
support to add lzma support (closes: #408201)
* methods/makefile:
- install lzma symlink method (for full lzma support)
* debian/control:
- suggest "lzma"
* Simplified HttpMethod::Fetch on http.cc removing Tail variable;
* Fix pipeline handling on http.cc (closes: #413324)
* Fix building to properly support binNMUs. Thanks to Daniel Schepler
<schepler@math.unipd.it> by the patch (closes: #359634)
* Fix example for Install-{Recommends,Suggests} options on
configure-index example file. Thanks to Peter Eisentraut
<peter_e@gmx.net> by the patch (closes: #432223)
* fixed compile errors with g++ 4.3 (thanks to
Daniel Burrows, closes: #429378)
* fixes in the auto-mark code (thanks to Daniel
Burrows)
* fix FTBFS by changing build-depends to
libcurl4-gnutls-dev (closes: #428363)
* cmdline/apt-get.cc:
- fix InstallTask code when a pkgRecord ends
with a single '\n' (thanks to Soren Hansen for reporting)
* merged from Christian Perrier:
* vi.po: completed to 532t, again. Closes: #429899
* gl.po: completed to 532t. Closes: #429506
* vi.po: completed to 532t. Closes: #428672
* Update all PO and the POT. Gives 514t14f4u for formerly
complete translations
* fr.po: completed to 532t
* ku.po, uk.po, LINGUAS: reintegrate those translations
which disappeared from the BZR repositories
|
|
- rename "hash" into ExpectedHash in pkgAcqFile, pkgAcqIndex
- add missing HashSum() call to class pkgAcqIndex
- use the data provided by acquire-method (and send via the
{SHA256,SHA1,MD5Sum}-Hash tag when comparing the hash, this
avoids calculating the hash twice (just like old libapt)
* apt-pkg/acquire-method.cc:
- send MD5Sum-Hash tag to libapt to be consistent with
HashString::SupportedHashes()
* apt-pkg/acquire-worker.cc:
- check with "Owner->HashSum().HashType()" what hash the frontend
is expecting and pass it to pkgAcquireItem::Done() in the new
HashString format
- add some debugging output
* apt-pkg/contrib/hashes.cc:
- fix off-by-one error when constructing a HashString from a single
input string
* apt-pkg/contrib/hashes.h:
- add "HashType()" method
* apt-pkg/init.h, apt-pkg/makefile, methods/makefile:
- break ABI
|
|
- transfer sha256 sum between libapt and method too
|
|
|