From 25594bb5bddc031afc4d62f3164cd9116d778517 Mon Sep 17 00:00:00 2001 From: David Kalnischkies Date: Tue, 2 Sep 2014 18:20:49 +0200 Subject: make GetLocalitySortedVersionSet more generic MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit No reason in and of by itself at the moment, but prepares for the goal of having 'apt search' and 'apt-cache search' using the same code now that they at least support the same stuff. The 'apt' code is just a multitude slower at the moment… Git-Dch: Ignore --- apt-pkg/cachefilter.h | 1 + 1 file changed, 1 insertion(+) (limited to 'apt-pkg') diff --git a/apt-pkg/cachefilter.h b/apt-pkg/cachefilter.h index 49d2855f5..6d10d1163 100644 --- a/apt-pkg/cachefilter.h +++ b/apt-pkg/cachefilter.h @@ -73,6 +73,7 @@ public: bool operator() (pkgCache::VerIterator const &Ver); ~PackageArchitectureMatchesSpecification(); }; + /*}}}*/ #else -- cgit v1.2.3 From b578738870e83db4e61d6f6591bc73884108b7d4 Mon Sep 17 00:00:00 2001 From: David Kalnischkies Date: Sun, 7 Sep 2014 21:27:57 +0200 Subject: strip everything spacey in APT::String::Strip Git-Dch: Ignore --- apt-pkg/contrib/strutl.cc | 24 ++++++++++++++++++------ 1 file changed, 18 insertions(+), 6 deletions(-) (limited to 'apt-pkg') diff --git a/apt-pkg/contrib/strutl.cc b/apt-pkg/contrib/strutl.cc index 922229e90..87f57a30e 100644 --- a/apt-pkg/contrib/strutl.cc +++ b/apt-pkg/contrib/strutl.cc @@ -45,14 +45,26 @@ using namespace std; // --------------------------------------------------------------------- namespace APT { namespace String { -std::string Strip(const std::string &s) +std::string Strip(const std::string &str) { - size_t start = s.find_first_not_of(" \t\n"); - // only whitespace - if (start == string::npos) + // ensure we have at least one character + if (str.empty() == true) + return str; + + char const * const s = str.c_str(); + size_t start = 0; + for (; isspace(s[start]) != 0; ++start) + ; // find the first not-space + + // string contains only whitespaces + if (s[start] == '\0') return ""; - size_t end = s.find_last_not_of(" \t\n"); - return s.substr(start, end-start+1); + + size_t end = str.length() - 1; + for (; isspace(s[end]) != 0; --end) + ; // find the last not-space + + return str.substr(start, end - start + 1); } bool Endswith(const std::string &s, const std::string &end) -- cgit v1.2.3 From 4c559e97ba4cc0d3a2995b7c451e606539d2f1be Mon Sep 17 00:00:00 2001 From: David Kalnischkies Date: Mon, 8 Sep 2014 17:14:17 +0200 Subject: fix progress report for upgrade and reinstall APT treats upgrades like installs and dpkg is very similar in this, but prints still a slightly different processing message indicating that it is really an upgrade which we hadn't parsed so far, but this wasn't really visible as we quickly moved on to a 'known' state. More problematic was the reinstall case as apt hadn't recognized this for the package name detection, so that reinstalls had no progress since we introduced MultiArch. --- apt-pkg/deb/dpkgpm.cc | 79 ++++++++++++++++++++++++++------------------------- 1 file changed, 41 insertions(+), 38 deletions(-) (limited to 'apt-pkg') diff --git a/apt-pkg/deb/dpkgpm.cc b/apt-pkg/deb/dpkgpm.cc index 264304c61..5411d9ee8 100644 --- a/apt-pkg/deb/dpkgpm.cc +++ b/apt-pkg/deb/dpkgpm.cc @@ -564,8 +564,8 @@ void pkgDPkgPM::ProcessDpkgStatusLine(char *line) 'status: : ' 'status: :: ' - 'processing: {install,configure,remove,purge,disappear,trigproc}: pkg' - 'processing: {install,configure,remove,purge,disappear,trigproc}: trigger' + 'processing: {install,upgrade,configure,remove,purge,disappear,trigproc}: pkg' + 'processing: {install,upgrade,configure,remove,purge,disappear,trigproc}: trigger' */ // we need to split on ": " (note the appended space) as the ':' is @@ -589,12 +589,15 @@ void pkgDPkgPM::ProcessDpkgStatusLine(char *line) std::string action; // "processing" has the form "processing: action: pkg or trigger" - // with action = ["install", "configure", "remove", "purge", "disappear", - // "trigproc"] + // with action = ["install", "upgrade", "configure", "remove", "purge", + // "disappear", "trigproc"] if (prefix == "processing") { pkgname = APT::String::Strip(list[2]); action = APT::String::Strip(list[1]); + // we don't care for the difference (as dpkg doesn't really either) + if (action == "upgrade") + action = "install"; } // "status" has the form: "status: pkg: state" // with state in ["half-installed", "unpacked", "half-configured", @@ -638,27 +641,26 @@ void pkgDPkgPM::ProcessDpkgStatusLine(char *line) // at this point we know that we should have a valid pkgname, so build all // the info from it - // dpkg does not send always send "pkgname:arch" so we add it here - // if needed + // dpkg does not always send "pkgname:arch" so we add it here if needed if (pkgname.find(":") == std::string::npos) { - // find the package in the group that is in a touched by dpkg - // if there are multiple dpkg will send us a full pkgname:arch + // find the package in the group that is touched by dpkg + // if there are multiple pkgs dpkg would send us a full pkgname:arch pkgCache::GrpIterator Grp = Cache.FindGrp(pkgname); - if (Grp.end() == false) + if (Grp.end() == false) { - pkgCache::PkgIterator P = Grp.PackageList(); - for (; P.end() != true; P = Grp.NextPkg(P)) - { - if(Cache[P].Mode != pkgDepCache::ModeKeep) - { - pkgname = P.FullName(); - break; - } - } + pkgCache::PkgIterator P = Grp.PackageList(); + for (; P.end() != true; P = Grp.NextPkg(P)) + { + if(Cache[P].Keep() == false || Cache[P].ReInstall() == true) + { + pkgname = P.FullName(); + break; + } + } } } - + const char* const pkg = pkgname.c_str(); std::string short_pkgname = StringSplit(pkgname, ":")[0]; std::string arch = ""; @@ -697,28 +699,29 @@ void pkgDPkgPM::ProcessDpkgStatusLine(char *line) if (prefix == "status") { vector const &states = PackageOps[pkg]; - const char *next_action = NULL; if(PackageOpsDone[pkg] < states.size()) - next_action = states[PackageOpsDone[pkg]].state; - // check if the package moved to the next dpkg state - if(next_action && (action == next_action)) { - // only read the translation if there is actually a next - // action - const char *translation = _(states[PackageOpsDone[pkg]].str); - std::string msg; - - // we moved from one dpkg state to a new one, report that - PackageOpsDone[pkg]++; - PackagesDone++; - - strprintf(msg, translation, i18n_pkgname.c_str()); - d->progress->StatusChanged(pkgname, PackagesDone, PackagesTotal, msg); - + char const * const next_action = states[PackageOpsDone[pkg]].state; + if (next_action && Debug == true) + std::clog << "(parsed from dpkg) pkg: " << short_pkgname + << " action: " << action << " (expected: '" << next_action << "' " + << PackageOpsDone[pkg] << " of " << states.size() << ")" << endl; + + // check if the package moved to the next dpkg state + if(next_action && (action == next_action)) + { + // only read the translation if there is actually a next action + char const * const translation = _(states[PackageOpsDone[pkg]].str); + + // we moved from one dpkg state to a new one, report that + ++PackageOpsDone[pkg]; + ++PackagesDone; + + std::string msg; + strprintf(msg, translation, i18n_pkgname.c_str()); + d->progress->StatusChanged(pkgname, PackagesDone, PackagesTotal, msg); + } } - if (Debug == true) - std::clog << "(parsed from dpkg) pkg: " << short_pkgname - << " action: " << action << endl; } } /*}}}*/ -- cgit v1.2.3 From 223ae57d468fdcac451209a095047a07a5698212 Mon Sep 17 00:00:00 2001 From: David Kalnischkies Date: Mon, 8 Sep 2014 21:05:11 +0200 Subject: rework PTY magic to fix stair-stepping on kfreebsd A pty slave we have got from openpty can only be used for one dpkg child, if we give it to a second child on kfreebsd setting TIOCSCTTY fails causing the output to be stair-stepped from now on. By switching the code to creating a master and opening a new slave in the child for each child we can fix this glitch, so that at least the master remains stable. Closes: 759684 --- apt-pkg/deb/dpkgpm.cc | 159 +++++++++++++++++++++++++++++++++----------------- apt-pkg/deb/dpkgpm.h | 1 + 2 files changed, 107 insertions(+), 53 deletions(-) (limited to 'apt-pkg') diff --git a/apt-pkg/deb/dpkgpm.cc b/apt-pkg/deb/dpkgpm.cc index 5411d9ee8..04a13a86c 100644 --- a/apt-pkg/deb/dpkgpm.cc +++ b/apt-pkg/deb/dpkgpm.cc @@ -59,8 +59,8 @@ class pkgDPkgPMPrivate { public: pkgDPkgPMPrivate() : stdin_is_dev_null(false), dpkgbuf_pos(0), - term_out(NULL), history_out(NULL), - progress(NULL), master(-1), slave(-1) + term_out(NULL), history_out(NULL), + progress(NULL), master(-1), slave(NULL) { dpkgbuf[0] = '\0'; } @@ -77,9 +77,9 @@ public: APT::Progress::PackageManager *progress; // pty stuff - struct termios tt; + struct termios tt; int master; - int slave; + char * slave; // signals sigset_t sigmask; @@ -510,7 +510,7 @@ bool pkgDPkgPM::RunScriptsWithPkgs(const char *Cnf) return result; } /*}}}*/ -// DPkgPM::DoStdin - Read stdin and pass to slave pty /*{{{*/ +// DPkgPM::DoStdin - Read stdin and pass to master pty /*{{{*/ // --------------------------------------------------------------------- /* */ @@ -1051,60 +1051,127 @@ void pkgDPkgPM::StartPtyMagic() { if (_config->FindB("Dpkg::Use-Pty", true) == false) { - d->master = d->slave = -1; + d->master = -1; + if (d->slave != NULL) + free(d->slave); + d->slave = NULL; return; } - // setup the pty and stuff - struct winsize win; - + _error->PushToStack(); // if tcgetattr for both stdin/stdout returns 0 (no error) // we do the pty magic - _error->PushToStack(); - if (tcgetattr(STDIN_FILENO, &d->tt) == 0 && - tcgetattr(STDOUT_FILENO, &d->tt) == 0) + if (tcgetattr(STDOUT_FILENO, &d->tt) == 0 && + tcgetattr(STDIN_FILENO, &d->tt) == 0) { - if (ioctl(STDOUT_FILENO, TIOCGWINSZ, (char *)&win) < 0) - { - _error->Errno("ioctl", _("ioctl(TIOCGWINSZ) failed")); - } else if (openpty(&d->master, &d->slave, NULL, &d->tt, &win) < 0) - { - _error->Errno("openpty", _("Can not write log (%s)"), _("Is /dev/pts mounted?")); - d->master = d->slave = -1; - } else { - struct termios rtt; - rtt = d->tt; - cfmakeraw(&rtt); - rtt.c_lflag &= ~ECHO; - rtt.c_lflag |= ISIG; + d->master = posix_openpt(O_RDWR | O_NOCTTY); + if (d->master == -1) + _error->Errno("posix_openpt", _("Can not write log (%s)"), _("Is /dev/pts mounted?")); + else if (unlockpt(d->master) == -1) + { + _error->Errno("unlockpt", "Unlocking the slave of master fd %d failed!", d->master); + close(d->master); + d->master = -1; + } + else + { + char const * const slave_name = ptsname(d->master); + if (slave_name == NULL) + { + _error->Errno("unlockpt", "Getting name for slave of master fd %d failed!", d->master); + close(d->master); + d->master = -1; + } + else + { + d->slave = strdup(slave_name); + if (d->slave == NULL) + { + _error->Errno("strdup", "Copying name %s for slave of master fd %d failed!", slave_name, d->master); + close(d->master); + d->master = -1; + } + struct winsize win; + if (ioctl(STDOUT_FILENO, TIOCGWINSZ, &win) < 0) + _error->Errno("ioctl", "Getting TIOCGWINSZ from stdout failed!"); + if (ioctl(d->master, TIOCSWINSZ, &win) < 0) + _error->Errno("ioctl", "Setting TIOCSWINSZ for master fd %d failed!", d->master); + if (tcsetattr(d->master, TCSANOW, &d->tt) == -1) + _error->Errno("tcsetattr", "Setting in Start via TCSANOW for master fd %d failed!", d->master); + + struct termios raw_tt; + raw_tt = d->tt; + cfmakeraw(&raw_tt); + raw_tt.c_lflag &= ~ECHO; + raw_tt.c_lflag |= ISIG; // block SIGTTOU during tcsetattr to prevent a hang if // the process is a member of the background process group // http://www.opengroup.org/onlinepubs/000095399/functions/tcsetattr.html sigemptyset(&d->sigmask); sigaddset(&d->sigmask, SIGTTOU); sigprocmask(SIG_BLOCK,&d->sigmask, &d->original_sigmask); - tcsetattr(0, TCSAFLUSH, &rtt); - sigprocmask(SIG_SETMASK, &d->original_sigmask, 0); - } + if (tcsetattr(STDIN_FILENO, TCSAFLUSH, &raw_tt) == -1) + _error->Errno("tcsetattr", "Setting in Start via TCSAFLUSH for stdout failed!"); + sigprocmask(SIG_SETMASK, &d->original_sigmask, NULL); + } } - // complain only if stdout is either a terminal (but still failed) or is an invalid + } + else + { + // complain only if stdout is either a terminal (but still failed) or is an invalid // descriptor otherwise we would complain about redirection to e.g. /dev/null as well. - else if (isatty(STDOUT_FILENO) == 1 || errno == EBADF) - _error->Errno("tcgetattr", _("Can not write log (%s)"), _("Is stdout a terminal?")); + if (isatty(STDOUT_FILENO) == 1 || errno == EBADF) + _error->Errno("tcgetattr", _("Can not write log (%s)"), _("Is stdout a terminal?")); + } - if (_error->PendingError() == true) - _error->DumpErrors(std::cerr); - _error->RevertToStack(); + if (_error->PendingError() == true) + { + if (d->master != -1) + { + close(d->master); + d->master = -1; + } + _error->DumpErrors(std::cerr); + } + _error->RevertToStack(); } +void pkgDPkgPM::SetupSlavePtyMagic() +{ + if(d->master == -1) + return; + + if (close(d->master) == -1) + _error->FatalE("close", "Closing master %d in child failed!", d->master); + if (setsid() == -1) + _error->FatalE("setsid", "Starting a new session for child failed!"); + + int const slaveFd = open(d->slave, O_RDWR); + if (slaveFd == -1) + _error->FatalE("open", _("Can not write log (%s)"), _("Is /dev/pts mounted?")); + if (ioctl(slaveFd, TIOCSCTTY, 0) < 0) + _error->FatalE("ioctl", "Setting TIOCSCTTY for slave fd %d failed!", slaveFd); + else + { + for (unsigned short i = 0; i < 3; ++i) + if (dup2(slaveFd, i) == -1) + _error->FatalE("dup2", "Dupping %d to %d in child failed!", slaveFd, i); + + if (tcsetattr(0, TCSANOW, &d->tt) < 0) + _error->FatalE("tcsetattr", "Setting in Setup via TCSANOW for slave fd %d failed!", slaveFd); + } +} void pkgDPkgPM::StopPtyMagic() { - if(d->slave > 0) - close(d->slave); + if (d->slave != NULL) + free(d->slave); + d->slave = NULL; if(d->master >= 0) { - tcsetattr(0, TCSAFLUSH, &d->tt); + if (tcsetattr(0, TCSAFLUSH, &d->tt) == -1) + _error->FatalE("tcsetattr", "Setting in Stop via TCSAFLUSH for stdin failed!"); close(d->master); + d->master = -1; } } @@ -1416,22 +1483,8 @@ bool pkgDPkgPM::GoNoABIBreak(APT::Progress::PackageManager *progress) pid_t Child = ExecFork(KeepFDs); if (Child == 0) { - // This is the child - if(d->slave >= 0 && d->master >= 0) - { - setsid(); - int res = ioctl(d->slave, TIOCSCTTY, 0); - if (res < 0) { - std::cerr << "ioctl(TIOCSCTTY) failed for fd: " - << d->slave << std::endl; - } else { - close(d->master); - dup2(d->slave, 0); - dup2(d->slave, 1); - dup2(d->slave, 2); - close(d->slave); - } - } + // This is the child + SetupSlavePtyMagic(); close(fd[0]); // close the read end of the pipe dpkgChrootDirectory(); diff --git a/apt-pkg/deb/dpkgpm.h b/apt-pkg/deb/dpkgpm.h index 859c74b46..2c1805015 100644 --- a/apt-pkg/deb/dpkgpm.h +++ b/apt-pkg/deb/dpkgpm.h @@ -110,6 +110,7 @@ class pkgDPkgPM : public pkgPackageManager // helper void BuildPackagesProgressMap(); void StartPtyMagic(); + void SetupSlavePtyMagic(); void StopPtyMagic(); // input processing -- cgit v1.2.3 From d73fe42cf042fbc9d8d2b38eb67bd7efaa4be412 Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Fri, 12 Sep 2014 11:44:11 +0200 Subject: Allow override of Proxy-Auto-Detect by the users configuration Only run the Proxy-Auto-Detect code if there is not already a host specific configuration. Closes: 759264 --- apt-pkg/contrib/proxy.cc | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'apt-pkg') diff --git a/apt-pkg/contrib/proxy.cc b/apt-pkg/contrib/proxy.cc index b58db8478..0c753131d 100644 --- a/apt-pkg/contrib/proxy.cc +++ b/apt-pkg/contrib/proxy.cc @@ -26,6 +26,10 @@ bool AutoDetectProxy(URI &URL) // we support both http/https debug options bool Debug = _config->FindB("Debug::Acquire::"+URL.Access,false); + // the user already explicitly set a proxy for this host + if(_config->Find("Acquire::"+URL.Access+"::proxy::"+URL.Host, "") != "") + return true; + // option is "Acquire::http::Proxy-Auto-Detect" but we allow the old // name without the dash ("-") std::string AutoDetectProxyCmd = _config->Find("Acquire::"+URL.Access+"::Proxy-Auto-Detect", -- cgit v1.2.3 From ca7fd76c2f30c100dcf1c12e717ce397cccd690b Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Tue, 16 Sep 2014 20:23:43 +0200 Subject: SECURITY UPDATE for CVE-2014-{0488,0487,0489} incorrect invalidating of unauthenticated data (CVE-2014-0488) incorect verification of 304 reply (CVE-2014-0487) incorrect verification of Acquire::Gzip indexes (CVE-2014-0489) --- apt-pkg/acquire-item.cc | 97 ++++++++++++++++++++++++++++++++++++----------- apt-pkg/acquire-item.h | 8 ++++ apt-pkg/contrib/fileutl.h | 2 + 3 files changed, 85 insertions(+), 22 deletions(-) (limited to 'apt-pkg') diff --git a/apt-pkg/acquire-item.cc b/apt-pkg/acquire-item.cc index 6cb9b012a..058b8bf74 100644 --- a/apt-pkg/acquire-item.cc +++ b/apt-pkg/acquire-item.cc @@ -1021,6 +1021,31 @@ void pkgAcqIndex::Failed(string Message,pkgAcquire::MethodConfig *Cnf) /*{{{*/ Item::Failed(Message,Cnf); } /*}}}*/ +// pkgAcqIndex::GetFinalFilename - Return the full final file path /*{{{*/ +std::string pkgAcqIndex::GetFinalFilename(std::string const &URI, + std::string const &compExt) +{ + std::string FinalFile = _config->FindDir("Dir::State::lists"); + FinalFile += URItoFileName(URI); + if (_config->FindB("Acquire::GzipIndexes",false) && compExt == "gz") + FinalFile += ".gz"; + return FinalFile; +} + /*}}}*/ +// AcqIndex::ReverifyAfterIMS - Reverify index after an ims-hit /*{{{*/ +void pkgAcqIndex::ReverifyAfterIMS(std::string const &FileName) +{ + std::string const compExt = CompressionExtension.substr(0, CompressionExtension.find(' ')); + if (_config->FindB("Acquire::GzipIndexes",false) && compExt == "gz") + DestFile += ".gz"; + + string FinalFile = GetFinalFilename(RealURI, compExt); + Rename(FinalFile, FileName); + Decompression = true; + Desc.URI = "copy:" + FileName; + QueueURI(Desc); +} + /*}}}*/ // AcqIndex::Done - Finished a fetch /*{{{*/ // --------------------------------------------------------------------- /* This goes through a number of states.. On the initial fetch the @@ -1032,6 +1057,7 @@ void pkgAcqIndex::Done(string Message,unsigned long long Size,string Hash, pkgAcquire::MethodConfig *Cfg) { Item::Done(Message,Size,Hash,Cfg); + std::string const compExt = CompressionExtension.substr(0, CompressionExtension.find(' ')); if (Decompression == true) { @@ -1043,6 +1069,7 @@ void pkgAcqIndex::Done(string Message,unsigned long long Size,string Hash, if (!ExpectedHash.empty() && ExpectedHash.toStr() != Hash) { + Desc.URI = RealURI; RenameOnError(HashSumMismatch); return; } @@ -1053,9 +1080,9 @@ void pkgAcqIndex::Done(string Message,unsigned long long Size,string Hash, /* Always verify the index file for correctness (all indexes must * have a Package field) (LP: #346386) (Closes: #627642) */ - FileFd fd(DestFile, FileFd::ReadOnly); + FileFd fd(DestFile, FileFd::ReadOnlyGzip); // Only test for correctness if the file is not empty (empty is ok) - if (fd.FileSize() > 0) + if (fd.Size() > 0) { pkgTagSection sec; pkgTagFile tag(&fd); @@ -1069,8 +1096,7 @@ void pkgAcqIndex::Done(string Message,unsigned long long Size,string Hash, } // Done, move it into position - string FinalFile = _config->FindDir("Dir::State::lists"); - FinalFile += URItoFileName(RealURI); + string FinalFile = GetFinalFilename(RealURI, compExt); Rename(DestFile,FinalFile); chmod(FinalFile.c_str(),0644); @@ -1078,7 +1104,9 @@ void pkgAcqIndex::Done(string Message,unsigned long long Size,string Hash, will work OK */ DestFile = _config->FindDir("Dir::State::lists") + "partial/"; DestFile += URItoFileName(RealURI); - + if (_config->FindB("Acquire::GzipIndexes",false) && compExt == "gz") + DestFile += ".gz"; + // Remove the compressed version. if (Erase == true) unlink(DestFile.c_str()); @@ -1094,7 +1122,10 @@ void pkgAcqIndex::Done(string Message,unsigned long long Size,string Hash, { // The files timestamp matches if (StringToBool(LookupTag(Message,"Alt-IMS-Hit"),false) == true) - return; + { + ReverifyAfterIMS(FileName); + return; + } Decompression = true; Local = true; DestFile += ".decomp"; @@ -1111,15 +1142,12 @@ void pkgAcqIndex::Done(string Message,unsigned long long Size,string Hash, ErrorText = "Method gave a blank filename"; } - std::string const compExt = CompressionExtension.substr(0, CompressionExtension.find(' ')); - // The files timestamp matches - if (StringToBool(LookupTag(Message,"IMS-Hit"),false) == true) { - if (_config->FindB("Acquire::GzipIndexes",false) && compExt == "gz") - // Update DestFile for .gz suffix so that the clean operation keeps it - DestFile += ".gz"; + if (StringToBool(LookupTag(Message,"IMS-Hit"),false) == true) + { + ReverifyAfterIMS(FileName); return; - } + } if (FileName == DestFile) Erase = true; @@ -1128,16 +1156,16 @@ void pkgAcqIndex::Done(string Message,unsigned long long Size,string Hash, string decompProg; - // If we enable compressed indexes and already have gzip, keep it - if (_config->FindB("Acquire::GzipIndexes",false) && compExt == "gz" && !Local) { - string FinalFile = _config->FindDir("Dir::State::lists"); - FinalFile += URItoFileName(RealURI) + ".gz"; - Rename(DestFile,FinalFile); - chmod(FinalFile.c_str(),0644); - - // Update DestFile for .gz suffix so that the clean operation keeps it - DestFile = _config->FindDir("Dir::State::lists") + "partial/"; + // If we enable compressed indexes, queue for hash verification + if (_config->FindB("Acquire::GzipIndexes",false) && compExt == "gz" && !Local) + { + DestFile = _config->FindDir("Dir::State::lists"); DestFile += URItoFileName(RealURI) + ".gz"; + + Decompression = true; + Desc.URI = "copy:" + FileName; + QueueURI(Desc); + return; } @@ -1181,6 +1209,9 @@ string pkgAcqIndexTrans::Custom600Headers() string Final = _config->FindDir("Dir::State::lists"); Final += URItoFileName(RealURI); + if (_config->FindB("Acquire::GzipIndexes",false)) + Final += ".gz"; + struct stat Buf; if (stat(Final.c_str(),&Buf) != 0) return "\nFail-Ignore: true\nIndex-File: true"; @@ -1510,6 +1541,28 @@ void pkgAcqMetaIndex::AuthDone(string Message) /*{{{*/ std::cerr << "Signature verification succeeded: " << DestFile << std::endl; + // do not trust any previously unverified content that we may have + string LastGoodSigFile = _config->FindDir("Dir::State::lists").append("partial/").append(URItoFileName(RealURI)); + if (DestFile != SigFile) + LastGoodSigFile.append(".gpg"); + LastGoodSigFile.append(".reverify"); + if(IMSHit == false && RealFileExists(LastGoodSigFile) == false) + { + for (vector ::const_iterator Target = IndexTargets->begin(); + Target != IndexTargets->end(); + ++Target) + { + // remove old indexes + std::string index = _config->FindDir("Dir::State::lists") + + URItoFileName((*Target)->URI); + unlink(index.c_str()); + // and also old gzipindexes + index += ".gz"; + unlink(index.c_str()); + } + } + + // Download further indexes with verification QueueIndexes(true); diff --git a/apt-pkg/acquire-item.h b/apt-pkg/acquire-item.h index 06537bf2c..384c5ee2b 100644 --- a/apt-pkg/acquire-item.h +++ b/apt-pkg/acquire-item.h @@ -706,6 +706,14 @@ class pkgAcqIndex : public pkgAcquire::Item */ std::string CompressionExtension; + /** \brief Get the full pathname of the final file for the given URI + */ + std::string GetFinalFilename(std::string const &URI, + std::string const &compExt); + + /** \brief Schedule file for verification after a IMS hit */ + void ReverifyAfterIMS(std::string const &FileName); + public: // Specialized action members diff --git a/apt-pkg/contrib/fileutl.h b/apt-pkg/contrib/fileutl.h index cc1a98eae..667057067 100644 --- a/apt-pkg/contrib/fileutl.h +++ b/apt-pkg/contrib/fileutl.h @@ -85,7 +85,9 @@ class FileFd bool Skip(unsigned long long To); bool Truncate(unsigned long long To); unsigned long long Tell(); + // the size of the file content (compressed files will be uncompressed first) unsigned long long Size(); + // the size of the file itself unsigned long long FileSize(); time_t ModificationTime(); -- cgit v1.2.3 From daff4aa356128310f022370f7825bdc369c66ba8 Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Wed, 17 Sep 2014 14:57:05 +0200 Subject: Fix regression for file:/// uris from CVE-2014-0487 Do not run ReverifyAfterIMS() for local file URIs as this will causes apt to mess around in the file:/// uri space. This is wrong in itself, but it will also cause a incorrect verification failure when the archive and the lists directory are on different partitions as rename(). --- apt-pkg/acquire-item.cc | 18 ++++++------------ 1 file changed, 6 insertions(+), 12 deletions(-) (limited to 'apt-pkg') diff --git a/apt-pkg/acquire-item.cc b/apt-pkg/acquire-item.cc index 058b8bf74..2ced65aa2 100644 --- a/apt-pkg/acquire-item.cc +++ b/apt-pkg/acquire-item.cc @@ -1120,12 +1120,6 @@ void pkgAcqIndex::Done(string Message,unsigned long long Size,string Hash, string FileName = LookupTag(Message,"Alt-Filename"); if (FileName.empty() == false) { - // The files timestamp matches - if (StringToBool(LookupTag(Message,"Alt-IMS-Hit"),false) == true) - { - ReverifyAfterIMS(FileName); - return; - } Decompression = true; Local = true; DestFile += ".decomp"; @@ -1142,18 +1136,18 @@ void pkgAcqIndex::Done(string Message,unsigned long long Size,string Hash, ErrorText = "Method gave a blank filename"; } + if (FileName == DestFile) + Erase = true; + else + Local = true; + // The files timestamp matches - if (StringToBool(LookupTag(Message,"IMS-Hit"),false) == true) + if (!Local && StringToBool(LookupTag(Message,"IMS-Hit"),false) == true) { ReverifyAfterIMS(FileName); return; } - if (FileName == DestFile) - Erase = true; - else - Local = true; - string decompProg; // If we enable compressed indexes, queue for hash verification -- cgit v1.2.3 From 23d0a6fbee9e8880107481502e14411961c44a7b Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Wed, 17 Sep 2014 17:48:27 +0200 Subject: improve test for commit daff4a --- apt-pkg/acquire-item.cc | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'apt-pkg') diff --git a/apt-pkg/acquire-item.cc b/apt-pkg/acquire-item.cc index 2ced65aa2..5df43726b 100644 --- a/apt-pkg/acquire-item.cc +++ b/apt-pkg/acquire-item.cc @@ -1141,13 +1141,14 @@ void pkgAcqIndex::Done(string Message,unsigned long long Size,string Hash, else Local = true; - // The files timestamp matches + // The files timestamp matches, for non-local URLs reverify the local + // file, for local file, uncompress again to ensure the hashsum is still + // matching the Release file if (!Local && StringToBool(LookupTag(Message,"IMS-Hit"),false) == true) { ReverifyAfterIMS(FileName); return; } - string decompProg; // If we enable compressed indexes, queue for hash verification -- cgit v1.2.3 From 801745284905e7962aa77a9f37a6b4e7fcdc19d0 Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Sun, 21 Sep 2014 21:23:04 +0200 Subject: Fix regression for cdrom: sources from latest security update Skip a reverify for cdrom: sources. The reverify step is actually harmful here because the apt-cdrom add code uses the indexcopy.cc which will "normalize" the Packages file from the cdrom when it writes it to the local disk. This leads to changing the "MD5sum" field (notice the lower case "s") on the cdrom Packages file to a "MD5Sum" field on the local file in /var/lib/apt/lists. Which of course alters the hash and makes apt fail to reverify the file. --- apt-pkg/acquire-item.cc | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'apt-pkg') diff --git a/apt-pkg/acquire-item.cc b/apt-pkg/acquire-item.cc index 5df43726b..36c0fa567 100644 --- a/apt-pkg/acquire-item.cc +++ b/apt-pkg/acquire-item.cc @@ -1141,6 +1141,12 @@ void pkgAcqIndex::Done(string Message,unsigned long long Size,string Hash, else Local = true; + // do not reverify cdrom sources as apt-cdrom may rewrite the Packages + // file when its doing the indexcopy + if (RealURI.substr(0,6) == "cdrom:" && + StringToBool(LookupTag(Message,"IMS-Hit"),false) == true) + return; + // The files timestamp matches, for non-local URLs reverify the local // file, for local file, uncompress again to ensure the hashsum is still // matching the Release file -- cgit v1.2.3 From d916e2a93b798e29d342e9498266767c5be8e2a5 Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Sun, 21 Sep 2014 21:40:10 +0200 Subject: Ensure that iTFRewritePackageOrder is "MD5sum" to match apt-ftparchive The iTFRewritePackageOrder is used in indexcopy to copy and normalize cdrom Packages files. This change will ensure that there is no "normalization" that changes MD5sum -> MD5Sum which alters the hash of the Packages file on disk (oh the irony). --- apt-pkg/tagfile.cc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'apt-pkg') diff --git a/apt-pkg/tagfile.cc b/apt-pkg/tagfile.cc index 91d176e3c..bf865bdc4 100644 --- a/apt-pkg/tagfile.cc +++ b/apt-pkg/tagfile.cc @@ -526,7 +526,7 @@ static const char *iTFRewritePackageOrder[] = { "Conffiles", "Filename", "Size", - "MD5Sum", + "MD5sum", "SHA1", "SHA256", "SHA512", -- cgit v1.2.3