From 69c2ecbdc937e3c73fe67d3c9bce12a80d3ec7ec Mon Sep 17 00:00:00 2001 From: David Kalnischkies Date: Sun, 10 Mar 2013 12:24:13 +0100 Subject: various simple changes to fix cppcheck warnings --- apt-pkg/deb/dpkgpm.cc | 17 +++++++---------- 1 file changed, 7 insertions(+), 10 deletions(-) (limited to 'apt-pkg/deb') diff --git a/apt-pkg/deb/dpkgpm.cc b/apt-pkg/deb/dpkgpm.cc index 6cb8bc6b6..3bc31dc37 100644 --- a/apt-pkg/deb/dpkgpm.cc +++ b/apt-pkg/deb/dpkgpm.cc @@ -147,11 +147,11 @@ static pkgCache::VerIterator FindNowVersion(const pkgCache::PkgIterator &Pkg) { pkgCache::VerIterator Ver; - for (Ver = Pkg.VersionList(); Ver.end() == false; Ver++) + for (Ver = Pkg.VersionList(); Ver.end() == false; ++Ver) { pkgCache::VerFileIterator Vf = Ver.FileList(); pkgCache::PkgFileIterator F = Vf.File(); - for (F = Vf.File(); F.end() == false; F++) + for (F = Vf.File(); F.end() == false; ++F) { if (F && F.Archive()) { @@ -1585,12 +1585,12 @@ void pkgDPkgPM::WriteApportReport(const char *pkgpath, const char *errormsg) if (!logfile_name.empty()) { FILE *log = NULL; - char buf[1024]; fprintf(report, "DpkgTerminalLog:\n"); log = fopen(logfile_name.c_str(),"r"); if(log != NULL) { + char buf[1024]; while( fgets(buf, sizeof(buf), log) != NULL) fprintf(report, " %s", buf); fclose(log); @@ -1609,13 +1609,11 @@ void pkgDPkgPM::WriteApportReport(const char *pkgpath, const char *errormsg) // attach dmesg log (to learn about segfaults) if (FileExists("/bin/dmesg")) { - FILE *log = NULL; - char buf[1024]; - fprintf(report, "Dmesg:\n"); - log = popen("/bin/dmesg","r"); + FILE *log = popen("/bin/dmesg","r"); if(log != NULL) { + char buf[1024]; while( fgets(buf, sizeof(buf), log) != NULL) fprintf(report, " %s", buf); pclose(log); @@ -1625,13 +1623,12 @@ void pkgDPkgPM::WriteApportReport(const char *pkgpath, const char *errormsg) // attach df -l log (to learn about filesystem status) if (FileExists("/bin/df")) { - FILE *log = NULL; - char buf[1024]; fprintf(report, "Df:\n"); - log = popen("/bin/df -l","r"); + FILE *log = popen("/bin/df -l","r"); if(log != NULL) { + char buf[1024]; while( fgets(buf, sizeof(buf), log) != NULL) fprintf(report, " %s", buf); pclose(log); -- cgit v1.2.3 From 55971004215609a02ca19c59bd058da20729ba11 Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Thu, 14 Mar 2013 14:26:43 +0100 Subject: * SECURITY UPDATE: InRelease verification bypass - CVE-2013-1051 * apt-pkg/deb/debmetaindex.cc, test/integration/test-bug-595691-empty-and-broken-archive-files, test/integration/test-releasefile-verification: - disable InRelease downloading until the verification issue is fixed, thanks to Ansgar Burchardt for finding the flaw --- apt-pkg/deb/debmetaindex.cc | 21 ++++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) (limited to 'apt-pkg/deb') diff --git a/apt-pkg/deb/debmetaindex.cc b/apt-pkg/deb/debmetaindex.cc index bcc617da7..6c191fd95 100644 --- a/apt-pkg/deb/debmetaindex.cc +++ b/apt-pkg/deb/debmetaindex.cc @@ -236,16 +236,23 @@ bool debReleaseIndex::GetIndexes(pkgAcquire *Owner, bool const &GetAll) const new pkgAcqIndex(Owner, (*Target)->URI, (*Target)->Description, (*Target)->ShortDesc, HashString()); } + + // this is normally created in pkgAcqMetaSig, but if we run + // in --print-uris mode, we add it here + new pkgAcqMetaIndex(Owner, MetaIndexURI("Release"), + MetaIndexInfo("Release"), "Release", + MetaIndexURI("Release.gpg"), + ComputeIndexTargets(), + new indexRecords (Dist)); } - new pkgAcqMetaClearSig(Owner, MetaIndexURI("InRelease"), - MetaIndexInfo("InRelease"), "InRelease", - MetaIndexURI("Release"), MetaIndexInfo("Release"), "Release", - MetaIndexURI("Release.gpg"), MetaIndexInfo("Release.gpg"), "Release.gpg", - ComputeIndexTargets(), - new indexRecords (Dist)); + new pkgAcqMetaSig(Owner, MetaIndexURI("Release.gpg"), + MetaIndexInfo("Release.gpg"), "Release.gpg", + MetaIndexURI("Release"), MetaIndexInfo("Release"), "Release", + ComputeIndexTargets(), + new indexRecords (Dist)); - return true; + return true; } void debReleaseIndex::SetTrusted(bool const Trusted) -- cgit v1.2.3 From 2d3fe9cfadb33556b7563a98bb5a4698888e6c40 Mon Sep 17 00:00:00 2001 From: David Kalnischkies Date: Fri, 15 Mar 2013 18:53:53 +0100 Subject: - if ExecGPGV deals with a clear-signed file it will split this file into data and signatures, pass it to gpgv for verification and recombines it after that in a known-good way without unsigned blocks and whitespaces resulting usually in more or less the same file as before, but later code can be sure about the format * apt-pkg/deb/debmetaindex.cc: - reenable InRelease by default --- apt-pkg/deb/debmetaindex.cc | 31 +++++++++++++++++++++---------- 1 file changed, 21 insertions(+), 10 deletions(-) (limited to 'apt-pkg/deb') diff --git a/apt-pkg/deb/debmetaindex.cc b/apt-pkg/deb/debmetaindex.cc index 6c191fd95..7a88d71e3 100644 --- a/apt-pkg/deb/debmetaindex.cc +++ b/apt-pkg/deb/debmetaindex.cc @@ -229,6 +229,8 @@ vector * debReleaseIndex::ComputeIndexTargets() const { /*}}}*/ bool debReleaseIndex::GetIndexes(pkgAcquire *Owner, bool const &GetAll) const { + bool const tryInRelease = _config->FindB("Acquire::TryInRelease", true); + // special case for --print-uris if (GetAll) { vector *targets = ComputeIndexTargets(); @@ -239,18 +241,27 @@ bool debReleaseIndex::GetIndexes(pkgAcquire *Owner, bool const &GetAll) const // this is normally created in pkgAcqMetaSig, but if we run // in --print-uris mode, we add it here - new pkgAcqMetaIndex(Owner, MetaIndexURI("Release"), - MetaIndexInfo("Release"), "Release", - MetaIndexURI("Release.gpg"), - ComputeIndexTargets(), - new indexRecords (Dist)); + if (tryInRelease == false) + new pkgAcqMetaIndex(Owner, MetaIndexURI("Release"), + MetaIndexInfo("Release"), "Release", + MetaIndexURI("Release.gpg"), + ComputeIndexTargets(), + new indexRecords (Dist)); } - new pkgAcqMetaSig(Owner, MetaIndexURI("Release.gpg"), - MetaIndexInfo("Release.gpg"), "Release.gpg", - MetaIndexURI("Release"), MetaIndexInfo("Release"), "Release", - ComputeIndexTargets(), - new indexRecords (Dist)); + if (tryInRelease == true) + new pkgAcqMetaClearSig(Owner, MetaIndexURI("InRelease"), + MetaIndexInfo("InRelease"), "InRelease", + MetaIndexURI("Release"), MetaIndexInfo("Release"), "Release", + MetaIndexURI("Release.gpg"), MetaIndexInfo("Release.gpg"), "Release.gpg", + ComputeIndexTargets(), + new indexRecords (Dist)); + else + new pkgAcqMetaSig(Owner, MetaIndexURI("Release.gpg"), + MetaIndexInfo("Release.gpg"), "Release.gpg", + MetaIndexURI("Release"), MetaIndexInfo("Release"), "Release", + ComputeIndexTargets(), + new indexRecords (Dist)); return true; } -- cgit v1.2.3 From 233b78083f6f79730fcb5a6faeb74e2a78b6038a Mon Sep 17 00:00:00 2001 From: David Kalnischkies Date: Mon, 18 Mar 2013 22:57:08 +0100 Subject: * apt-pkg/deb/debindexfile.cc, apt-pkg/deb/deblistparser.cc: - use OpenMaybeClearSignedFile to be free from detecting and skipping clearsigning metadata in dsc and Release files We can't write a "clean" file to disk as not all acquire methods copy Release files before checking them (e.g. cdrom), so this reverts recombining, but uses the method we use for dsc files also in the two places we deal with Release files --- apt-pkg/deb/debindexfile.cc | 8 +++++++- apt-pkg/deb/deblistparser.cc | 12 +----------- 2 files changed, 8 insertions(+), 12 deletions(-) (limited to 'apt-pkg/deb') diff --git a/apt-pkg/deb/debindexfile.cc b/apt-pkg/deb/debindexfile.cc index de645bb6e..909dfcf47 100644 --- a/apt-pkg/deb/debindexfile.cc +++ b/apt-pkg/deb/debindexfile.cc @@ -22,6 +22,7 @@ #include #include #include +#include #include /*}}}*/ @@ -337,7 +338,12 @@ bool debPackagesIndex::Merge(pkgCacheGenerator &Gen,OpProgress *Prog) const if (releaseExists == true || FileExists(ReleaseFile) == true) { - FileFd Rel(ReleaseFile,FileFd::ReadOnly); + FileFd Rel; + // Beware: The 'Release' file might be clearsigned in case the + // signature for an 'InRelease' file couldn't be checked + if (OpenMaybeClearSignedFile(ReleaseFile, Rel) == false) + return false; + if (_error->PendingError() == true) return false; Parser.LoadReleaseInfo(File,Rel,Section); diff --git a/apt-pkg/deb/deblistparser.cc b/apt-pkg/deb/deblistparser.cc index b84bd6fdd..2c014a734 100644 --- a/apt-pkg/deb/deblistparser.cc +++ b/apt-pkg/deb/deblistparser.cc @@ -800,13 +800,12 @@ bool debListParser::LoadReleaseInfo(pkgCache::PkgFileIterator &FileI, map_ptrloc const storage = WriteUniqString(component); FileI->Component = storage; - // FIXME: Code depends on the fact that Release files aren't compressed + // FIXME: should use FileFd and TagSection FILE* release = fdopen(dup(File.Fd()), "r"); if (release == NULL) return false; char buffer[101]; - bool gpgClose = false; while (fgets(buffer, sizeof(buffer), release) != NULL) { size_t len = 0; @@ -818,15 +817,6 @@ bool debListParser::LoadReleaseInfo(pkgCache::PkgFileIterator &FileI, if (buffer[len] == '\0') continue; - // only evalute the first GPG section - if (strncmp("-----", buffer, 5) == 0) - { - if (gpgClose == true) - break; - gpgClose = true; - continue; - } - // seperate the tag from the data const char* dataStart = strchr(buffer + len, ':'); if (dataStart == NULL) -- cgit v1.2.3 From 40befb065d110c7b3a7b3d37759b6888522817b2 Mon Sep 17 00:00:00 2001 From: David Kalnischkies Date: Mon, 1 Apr 2013 13:19:43 +0200 Subject: * apt-pkg/deb/debversion.cc: - add a string-equal shortcut for equal version comparisions --- apt-pkg/deb/debversion.cc | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) (limited to 'apt-pkg/deb') diff --git a/apt-pkg/deb/debversion.cc b/apt-pkg/deb/debversion.cc index a02699a44..94d357846 100644 --- a/apt-pkg/deb/debversion.cc +++ b/apt-pkg/deb/debversion.cc @@ -215,10 +215,19 @@ bool debVersioningSystem::CheckDep(const char *PkgVer, return true; if (PkgVer == 0 || PkgVer[0] == 0) return false; - + Op &= 0x0F; + + size_t const lenPkgVer = strlen(PkgVer); + size_t const lenDepVer = strlen(DepVer); + + // take a shortcut for equals which are string-equal as well + if (Op == pkgCache::Dep::Equals && lenPkgVer == lenDepVer && + memcmp(PkgVer, DepVer, lenPkgVer) == 0) + return true; + // Perform the actual comparision. - int Res = CmpVersion(PkgVer,DepVer); - switch (Op & 0x0F) + int const Res = DoCmpVersion(PkgVer, PkgVer + lenPkgVer, DepVer, DepVer + lenDepVer); + switch (Op) { case pkgCache::Dep::LessEq: if (Res <= 0) -- cgit v1.2.3 From d9682cf8268d6c69e41adb6be9f03d68ba066a12 Mon Sep 17 00:00:00 2001 From: David Kalnischkies Date: Mon, 1 Apr 2013 23:27:16 +0200 Subject: micro-optimize and enhance readability of ListParser::VersionHash --- apt-pkg/deb/deblistparser.cc | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) (limited to 'apt-pkg/deb') diff --git a/apt-pkg/deb/deblistparser.cc b/apt-pkg/deb/deblistparser.cc index 56d5297fc..67f0ac9c6 100644 --- a/apt-pkg/deb/deblistparser.cc +++ b/apt-pkg/deb/deblistparser.cc @@ -284,7 +284,7 @@ unsigned short debListParser::VersionHash() "Replaces",0}; unsigned long Result = INIT_FCS; char S[1024]; - for (const char **I = Sections; *I != 0; I++) + for (const char * const *I = Sections; *I != 0; ++I) { const char *Start; const char *End; @@ -295,13 +295,13 @@ unsigned short debListParser::VersionHash() of certain fields. dpkg also has the rather interesting notion of reformatting depends operators < -> <= */ char *J = S; - for (; Start != End; Start++) + for (; Start != End; ++Start) { - if (isspace(*Start) == 0) - *J++ = tolower_ascii(*Start); - if (*Start == '<' && Start[1] != '<' && Start[1] != '=') - *J++ = '='; - if (*Start == '>' && Start[1] != '>' && Start[1] != '=') + if (isspace(*Start) != 0) + continue; + *J++ = tolower_ascii(*Start); + + if ((*Start == '<' || *Start == '>') && Start[1] != *Start && Start[1] != '=') *J++ = '='; } -- cgit v1.2.3 From 885594fc8831d1be5a254557385e3dbefb564fbf Mon Sep 17 00:00:00 2001 From: David Kalnischkies Date: Wed, 3 Apr 2013 19:43:03 +0200 Subject: share version strings between same versions (of different architectures) to save some space and allow quick comparisions later on --- apt-pkg/deb/debversion.cc | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) (limited to 'apt-pkg/deb') diff --git a/apt-pkg/deb/debversion.cc b/apt-pkg/deb/debversion.cc index 94d357846..140561262 100644 --- a/apt-pkg/deb/debversion.cc +++ b/apt-pkg/deb/debversion.cc @@ -217,16 +217,12 @@ bool debVersioningSystem::CheckDep(const char *PkgVer, return false; Op &= 0x0F; - size_t const lenPkgVer = strlen(PkgVer); - size_t const lenDepVer = strlen(DepVer); - - // take a shortcut for equals which are string-equal as well - if (Op == pkgCache::Dep::Equals && lenPkgVer == lenDepVer && - memcmp(PkgVer, DepVer, lenPkgVer) == 0) - return true; + // fast track for (equal) strings [by location] which are by definition equal versions + if (PkgVer == DepVer) + return Op == pkgCache::Dep::Equals || Op == pkgCache::Dep::LessEq || Op == pkgCache::Dep::GreaterEq; // Perform the actual comparision. - int const Res = DoCmpVersion(PkgVer, PkgVer + lenPkgVer, DepVer, DepVer + lenDepVer); + int const Res = CmpVersion(PkgVer, DepVer); switch (Op) { case pkgCache::Dep::LessEq: -- cgit v1.2.3