summaryrefslogtreecommitdiff
path: root/apt-pkg
AgeCommit message (Collapse)Author
2018-08-20clear alternative URIs for mirror:// between steps (CVE-2018-0501)David Kalnischkies
APT in 1.6 saw me rewriting the mirror:// transport method, which works comparable to the decommissioned httpredir.d.o "just" that apt requests a mirror list and performs all the redirections internally with all the bells like parallel download and automatic fallback (more details in the apt-transport-mirror manpage included in the 1.6 release). The automatic fallback is the problem here: The intend is that if a file fails to be downloaded (e.g. because the mirror is offline, broken, out-of-sync, …) instead of erroring out the next mirror in the list is contacted for a retry of the download. Internally the acquire process of an InRelease file (works with the Release/Release.gpg pair, too) happens in steps: 1) download file and 2) verify file, both handled as URL requests passed around. Due to an oversight the fallbacks for the first step are still active for the second step, so that the successful download from another mirror stands in for the failed verification… *facepalm* Note that the attacker can not judge by the request arriving for the InRelease file if the user is using the mirror method or not. If entire traffic is observed Eve might be able to observe the request for a mirror list, but that might or might not be telling if following requests for InRelease files will be based on that list or for another sources.list entry not using mirror (Users have also the option to have the mirror list locally (via e.g. mirror+file://) instead of on a remote host). If the user isn't using mirror:// for this InRelease file apt will fail very visibly as intended. (The mirror list needs to include at least two mirrors and to work reliably the attacker needs to be able to MITM all mirrors in the list. For remotely accessed mirror lists this is no limitation as the attacker is in full control of the file in that case) Fixed by clearing the alternatives after a step completes (and moving a pimpl class further to the top to make that valid compilable code). mirror:// is at the moment the only method using this code infrastructure (for all others this set is already empty) and the only method-independent user so far is the download of deb files, but those are downloaded and verified in a single step; so there shouldn't be much opportunity for regression here even through a central code area is changed. Upgrade instructions: Given all apt-based frontends are affected, even additional restrictions like signed-by are bypassed and the attack in progress is hardly visible in the progress reporting of an update operation (the InRelease file is marked "Ign", but no fallback to "Release/Release.gpg" is happening) and leaves no trace (expect files downloaded from the attackers repository of course) the best course of action might be to change the sources.list to not use the mirror family of transports ({tor+,…}mirror{,+{http{,s},file,…}}) until a fixed version of the src:apt packages are installed. Regression-Of: 355e1aceac1dd05c4c7daf3420b09bd860fd169d, 57fa854e4cdb060e87ca265abd5a83364f9fa681 LP: #1787752
2018-06-25Fix lock counting in debSystemJulian Andres Klode
debSystem uses a reference counted lock, so you can acquire it multiple times in your applications, possibly nested. Nesting locks causes a fd leak, though, as we only increment the lock count when we already have locked twice, rather than once, and hence when we call lock the second time, instead of increasing the lock count, we open another lock fd. This fixes the code to check if we have locked at all (> 0). There is no practical problem here aside from the fd leak, as closing the new fd releases the lock on the old one due to the weird semantics of fcntl locks. (cherry picked from commit 79f012bd09ae99d4c9d63dc0ac960376b5338b32)
2018-04-20CMake: Fix builds without zstdJulian Andres Klode
Only use zstd defined variables if zstd was found.
2018-04-15Merge branch 'pu/zstd' into 'master'Julian Andres Klode
pu/zstd See merge request apt-team/apt!8
2018-04-13zstd: Implement support for multi-frame filesJulian Andres Klode
This implements support for multi frame files while keeping error checking for unexpected EOF working correctly. Files with multiple frames are generated by pzstd, for example.
2018-04-13Implement compression level handling for zstdJulian Andres Klode
This is a simplified variant of the code for xz, adapted to support multiple digit integers.
2018-04-07fix communication typo in https manpageDavid Kalnischkies
Reported-By: lintian spelling-error-in-manpage
2018-03-19Bump cache major version to allow different 1.5 and 1.6 updatesJulian Andres Klode
Shipping 1.6 with major 12 would not allow us to update 1.5.y in a different way than 1.6.y if we have to without resorting to minor version hacks. Let's just bump the major instead.
2018-03-15Use https for Ubuntu changelogsJulian Andres Klode
We just enabled https on changelogs.ubuntu.com, let's use it.
2018-03-12apt-pkg: Add support for zstdJulian Andres Klode
zstd is a compression algorithm developed by facebook. At level 19, it is about 6% worse in size than xz -6, but decompression is multiple times faster, saving about 40% install time, especially with eatmydata on cloud instances.
2018-02-19Merge branch 'pu/not-valid-before' into 'master'Julian Andres Klode
Check that Date of Release file is not in the future See merge request apt-team/apt!3
2018-02-19Check that Date of Release file is not in the futureJulian Andres Klode
By restricting the Date field to be in the past, an attacker cannot just create a repository from the future that would be accepted as a valid update for a repository. This check can be disabled by Acquire::Check-Date set to false. This will also disable Check-Valid-Until and any future date related checking, if any - the option means: "my computers date cannot be trusted." Modify the tests to allow repositories to be up to 10 hours in the future, so we can keep using hours there to simulate time changes.
2018-02-19ensure correct file permissions for auxfilesDavid Kalnischkies
The interesting takeaway here is perhaps that 'chmod +w' is effected by the umask – obvious in hindsight of course. The usual setup helps with hiding that applying that recursively on all directories (and files) isn't correct. Ensuring files will not be stored with the wrong permissions even if in strange umask contexts is trivial in comparison. Fixing the test also highlighted that it wasn't bulletproof as apt will automatically fix the permissions of the directories it works with, so for this test we actually need to introduce a shortcut in the code. Reported-By: Ubuntu autopkgtest CI
2018-02-19indexcopy: Copy uncompressed indices from cdrom againJulian Andres Klode
This was broken by a refactoring in 1adcf56bec7d2127d83aa423916639740fe8e586 which iterated over getCompressorExtensions() instead of the compressors and using their extension field. getCompressorExtensions() does not contain the empty extension for uncompressed files, though, and hence this was broken. LP: #1746807
2018-01-19allow the apt/lists/auxfiles/ directory to be missingDavid Kalnischkies
apt 1.6~alpha6 introduced aux requests to revamp the implementation of a-t-mirror. This already included the potential of running as non-root, but the detection wasn't complete resulting in errors or could produce spurious warnings along the way if the directory didn't exist yet. References: ef9677831f62a1554a888ebc7b162517d7881116 Closes: 887624
2018-01-17Introduce inrelease-path option for sources.listJulian Andres Klode
Allow specifying an alternative path to the InRelease file, so you can have multiple versions of a repository, for example. Enabling this option disables fallback to Release and Release.gpg, so setting it to InRelease can be used to ensure that only that will be tried. We add two test cases: One for checking that it works, and another for checking that the fallback does not happen. Closes: #886745
2018-01-05dpkg status parsing: check if name is valid before useDavid Kalnischkies
The summary line sounds a bit much: what we end up doing is just adding two more guards before using results which should always be valid™. That these values aren't valid is likely a bug in itself somewhere, but that is no reason for crashing.
2018-01-04simplify translating "lists directory missing" msgDavid Kalnischkies
The appended "partial" should not be translated, but some translations got this wrong and now that there is also "auxfiles" we can just fix that problem by hiding these untranslatables from the translators. Gbp-Dch: Ignore
2018-01-03require methods to request AuxRequest capability at startupDavid Kalnischkies
Allowing a method to request work from other methods is a powerful capability which could be misused or exploited, so to slightly limited the surface let method opt-in into this capability on startup.
2018-01-03reimplement and simplify mirror:// methodDavid Kalnischkies
Embedding an entire acquire stack and HTTP logic in the mirror method made it rather heavy weight and fragile. This reimplement goes the other way by doing only the bare minimum in the method itself and instead redirect the actual download of files to their proper methods. The reimplementation drops the (in the real world) unused query-string feature as it isn't really implementable in the new architecture.
2018-01-03allow a method to request auxiliary filesDavid Kalnischkies
If a method needs a file to operate like e.g. mirror needs to get a list of mirrors before it can redirect the the actual requests to them. That could easily be solved by moving the logic into libapt directly, but by allowing a method to request other methods to do something we can keep this logic contained in the method and allow e.g. also methods which perform binary patching or similar things. Previously they would need to implement their own acquire system inside the existing one which in all likelyhood will not support the same features and methods nor operate with similar security compared to what we have already running 'above' the requesting method. That said, to avoid methods producing conflicts with "proper" files we are downloading a new directory is introduced to keep the auxiliary files in. [The message magic number 351 is a tribute to the german Grundgesetz article 35 paragraph 1 which defines that all authorities of the state(s) help each other on request.]
2018-01-03refactor message generation for methodsDavid Kalnischkies
The format isn't too hard to get right, but it gets funny with multiline fields (which we don't really have yet) and its just easier to deal with it once and for all which can be reused for more messages later.
2018-01-02Support cleartext signed InRelease files with CRLF line endingsDavid Kalnischkies
Commit 89c4c588b275 ("fix from David Kalnischkies for the InRelease gpg verification code (LP: #784473)") amended verification of cleartext signatures by a check whether the file to be verified actually starts with "-----BEGIN PGP SIGNATURE-----\n". However cleartext signed InRelease files have been found in the wild which use \r\n as line ending for this armor header line, presumably generated by a Windows PGP client. Such files are incorrectly deemed unsigned and result in the following (misleading) error: Clearsigned file isn't valid, got 'NOSPLIT' (does the network require authentication?) RFC 4880 specifies in 6.2 Forming ASCII Armor: That is to say, there is always a line ending preceding the starting five dashes, and following the ending five dashes. The header lines, therefore, MUST start at the beginning of a line, and MUST NOT have text other than whitespace following them on the same line. RFC 4880 does not seem to specify whether LF or CRLF is used as line ending for armor headers, but CR is generally considered whitespace (e.g. "man perlrecharclass"), hence using CRLF is legal even under the assumption that LF must be used. SplitClearSignedFile() is stripping whitespace (including CR) on lineend already before matching the string, so StartsWithGPGClearTextSignature() is adapted to use the same ignoring. As the earlier method is responsible for what apt will end up actually parsing nowadays as signed/unsigned this change has no implications for security. Thanks: Lukas Wunner for detailed report & initial patch! References: 89c4c588b275d098af33f36eeddea6fd75068342 Closes: 884922
2017-12-24do not remap current files if nullptrs in cache generationDavid Kalnischkies
If the cache needs to grow to make room to insert volatile files like deb files into the cache we were remapping null-pointers making them non-null-pointers in the process causing trouble later on. Only the current Releasefile pointer can currently legally be a nullpointer as volatile files have no release file they belong to, but for safety the pointer to the current Packages file is equally guarded. The option APT::Cache-Start can be used to workaround this problem. Reported-By: Mattia Rizzolo on IRC
2017-12-14remove pointless APT_PURE from void functionsDavid Kalnischkies
Earlier gcc versions used to complain that you should add them althrough there isn't a lot of point to it if you think about it, but now gcc (>= 8) complains about the attribute being present. warning: ‘pure’ attribute on function returning ‘void’ [-Wattributes] Reported-By: gcc -Wattributes Gbp-Dch: Ignore
2017-12-13implement fallback to alternative URIs for all itemsDavid Kalnischkies
For deb files we always supported falling back from one server to the other if one failed to download the deb, but that was hardwired in the handling of this specific item. Moving this alongside the retry infrastructure we can implement it for all items and allow methods to use this as well by providing additional URIs in a redirect.
2017-12-13give the methods more metadata about the files to acquireDavid Kalnischkies
We have quite a bit of metadata available for the files we acquire, but the methods weren't told about it and got just the URI. That is indeed fine for most, but to avoid methods trying to parse the metadata out of the provided URIs (and fail horribly in edgecases) we can just as well be nice and tell them stuff directly.
2017-12-13implement Acquire::Retries support for all itemsDavid Kalnischkies
Moving the Retry-implementation from individual items to the worker implementation not only gives every file retry capability instead of just a selected few but also avoids needing to implement it in each item (incorrectly).
2017-12-13support multiline values in LookupTagDavid Kalnischkies
LookupTag is a little helper to deal with rfc822-style strings we use in apt e.g. to pass acquire messages around for cases in which our usual rfc822 parser is too heavy. All the fields it had to deal with so far were single line, but if they aren't it should really produce the right output and not just return the first line. Error messages are a prime candidate for becoming multiline as at the moment they are stripped of potential newlines due to the previous insufficiency of LookupTag.
2017-12-13deal with floats without old-style castDavid Kalnischkies
We have no speed problem with handling floats/doubles in our progress handling, but that shouldn't prevent us from cleaning up the handling slightly to avoid unclean casting to ints. Reported-By: gcc -Wdouble-promotion -Wold-style-cast
2017-12-13avoid some useless casts reported by -Wuseless-castDavid Kalnischkies
The casts are useless, but the reports show some where we can actually improve the code by replacing them with better alternatives like converting whatever int type into a string instead of casting to a specific one which might in the future be too small. Reported-By: gcc -Wuseless-cast
2017-12-13convert various c-style casts to C++-styleDavid Kalnischkies
gcc was warning about ignored type qualifiers for all of them due to the last 'const', so dropping that and converting to static_cast in the process removes the here harmless warning to avoid hidden real issues in them later on. Reported-By: gcc Gbp-Dch: Ignore
2017-12-13deprecate the single-line deprecation ignoring macroDavid Kalnischkies
gcc has problems understanding this construct and additionally thinks it would produce multiple lines and stuff, so to keep using it isn't really worth it for the few instances we have: We can just write the long form there which works better. Reported-By: gcc Gbp-Dch: Ignore
2017-12-13fix over-calculating dpkg commandline lengthDavid Kalnischkies
Mostly harmless as it just means that apt thinks that the dpkg commandline it is building is slightly longer than it actually is and we have various ways of avoiding generating very long lines nowadays, but calculating the right value can't hurt. Reported-By: gcc -Wmultistatement-macros
2017-12-13explicitly name token in auth.conf parsing errorDavid Kalnischkies
Reported-By: gcc -Wsign-promo
2017-12-13don't auto-switch candidate if installed is good enoughDavid Kalnischkies
If we perform candidate switching in requests like "apt install foo/bar" we should first check if the dependencies of foo from release bar are already satisfied by what is already installed before checking if the candidate (or switched candidate) would.
2017-12-13if insecure repo is allowed continue on all http errorsDavid Kalnischkies
If a InRelease file fails to download with a non-404 error we assumed there is some general problem with repository like a webportal or your are blocked from access (wrong auth, Tor, …). Turns out some server like S3 return 403 if a file doesn't exist. Allowing this in general seems like a step backwards as 403 is a reasonable response if auth failed, so failing here seems better than letting those users run into problems. What we can do is show our insecure warnings through and allow the failures for insecure repos: If the repo is signed it is easy to add an InRelease file and if not you are setup for trouble anyhow. References: cbbf185c3c55effe47f218a07e7b1f324973a8a6
2017-11-19allow multivalue fields in deb822 sources to be foldedDavid Kalnischkies
The documentation said "spaces", but there is no real reason to be so strict and only allow spaces to separate values as that only leads to very long lines if e.g. multiple URIs are specified which are again hard to deal with from a user PoV which the deb822 format is supposed to avoid. It also deals with multiple consecutive spaces and strange things like tabs users will surely end up using in the real world. The old behviour on encountering folded lines is the generation of URIs which end up containing all these whitespace characters which tends to mess really bad with output and further processing. Closes: 881875
2017-10-28use store: instead of gzip: to open local changelogsDavid Kalnischkies
Regression-Of: cc1f94c95373670fdfdb8e2d6cf9125181f7df0c
2017-10-25Don't segfault if receiving a method warning on empty queueJulian Andres Klode
We would like to issue a warning about seccomp support in Configuration(), but since the queue is empty, there is no current item to show the URL for and we get a segfault. Show the protocol instead.
2017-10-22Run the ProxyAutoDetect script in the sandbox againJulian Andres Klode
The previous change moved running the proxy detection program from the method to the main process, so it runs as root and not as _apt. This brings it back into the sandbox. Gbp-Dch: ignore
2017-10-22Run Proxy-Auto-Detect script from main processJulian Andres Klode
This avoids running the Proxy-Auto-Detect script inside the untrusted (well, less trusted for now) sandbox. This will allow us to restrict the http method from fork()ing or exec()ing via seccomp.
2017-10-20Fix testsuite for and add new fields from dpkg 1.19Julian Andres Klode
tagfile-order.c: Add missing fields from dpkg 1.19 For binary packages, this is Build-Essential; for source packages, it is Description. test-bug-718329-...: Ignore control.tar.*, changes in dpkg 1.19 test-apt-extracttemplates: Fix for dpkg 1.19
2017-10-05send the hashes for alternative file correctlyDavid Kalnischkies
This isn't really used by the acquire system at all at the moment and the only method potentially sending this information is file://, but that used to be working correctly before broken in 2013, so better fix it now and worry about maybe using the data some day later. Regression-Of: b3501edb7091ca3aa6c2d6d96dc667b8161dd2b9
2017-09-26use pkgTagSection::Key in srcRecords parserDavid Kalnischkies
Using hardcoded array-indexes in the build-dependency parsing is efficient, but less discoverable and easier to break. We can avoid this by making it even more efficient (not that it would be noticeable) allowing us to do explicitly named comparisons instead. Gbp-Dch: Ignore
2017-09-26allow empty build-dependency fields in the parserDavid Kalnischkies
APT used to parse only wellformed files produced by repository creation tools which removed empty files as pointless before apt would see them. Now that apt can be told to parse e.g. debian/control files directly, it needs to be a little more accepting through: We had this with comments already, now let it deal with the far more trivial empty fields. Closes: #875363
2017-09-13Fix translator comment location for legacy target warningJulian Andres Klode
In commit Do not warn about duplicate "legacy" targets, we we added an if, that changed the .po files...
2017-09-10CMake: Properly handle Udev missingJulian Andres Klode
When udev is not available, the variables for libraries and include paths are set to NOTFOUND rather than an empty string and CMake exits with an error. Use a generator expression to only use these variables when UDEV_FOUND is true.
2017-09-09Directly link against libudev on Linux systemsJulian Andres Klode
We previously dlopen()ed it, but it seems painful to do that without any real gain, except for possibly not having libudev in the address space and not having code #ifdefed for Linux. The latter means that we are a bit more likely to break stuff for non-Linux systems now if we play with udev, but at least we don't end up with it silently breaking because of a libudev ABI break. The existing function pointers in the struct were renamed and kept for compat purposes. Fixes Debian/apt#48 Also adjust prepare-release to strip [linux-any] from build-depends for travis.
2017-09-09cdrom: Don't hardcode "Files" field for copying source filesJulian Andres Klode
This fails if no Files field exists anymore, for example, because the Sources index only contains SHA256 hashes. Instead check all hashes.