Compare commits

...

13 Commits

Author SHA1 Message Date
Ariadne Conill 20db9ffcbe cli: if --exists is specified, require the full dependency graph to validate 2023-01-22 10:46:27 +00:00
Ariadne Conill 5436648cd4 pkgconf 1.8.1. 2023-01-22 10:02:10 +00:00
Ariadne Conill 66046df940 libpkgconf 1.8.1 2023-01-22 10:01:42 +00:00
Ariadne Conill 81e1785db2 add NEWS for 1.8.1 2023-01-22 10:01:23 +00:00
wi24rd 2b850d2648 Update sum value of types of property. 2023-01-22 09:59:37 +00:00
Eli Schwartz c87a6c2ec1 meson: remove useless command that isn't needed
The tests/*.sh are executable in the source tree, and don't need to be
chmodded after being copied to the build tree.
2023-01-22 09:58:55 +00:00
Doug Freed 1f282295ff doc: update libpkgconf-pkg docs to match 2023-01-22 09:57:45 +00:00
Ariadne Conill e3957c6155 tests: fix test regressions caused by tilde changes 2023-01-22 09:57:39 +00:00
Doug Freed f58d54e77b pkg: make pkgconf_compare_version consistent
The code taken from rpmvercmp in pkg-config returns -1 if a is less than
b, 0 if a is equal to b, and 1 if a is greater than b. This matches the
expectations of the comparison operators that use this function.
However, the tilde handling, the NULL handling, and the docstring all do
the opposite.

This fixes the tilde handling, the NULL handling, and the docstring to
match the behavior of the rpmvercmp code and the expectations of the
comparison operators.
2023-01-22 09:57:34 +00:00
Timo Röhling 2837bbcc4c Ignore whitespace indentation
Fixes #265
2023-01-22 09:57:29 +00:00
Ariadne Conill 0b5f360bce tests: add regression test for billion-laughs 2023-01-22 09:57:08 +00:00
Ariadne Conill 81cc9b3e6d tuple: test for, and stop string processing, on truncation
otherwise a buffer overflow occurs.
this has been a bug in pkgconf since the beginning, it seems.
instead of disclosing the bug correctly, a "hotshot" developer
decided to blog about it instead.  sigh.

https://nullprogram.com/blog/2023/01/18/
2023-01-22 09:55:45 +00:00
Ariadne Conill 4b0264de8b add billion-laughs test fixture 2023-01-22 09:53:49 +00:00
15 changed files with 82 additions and 24 deletions

View File

@ -22,6 +22,7 @@ EXTRA_DIST = pkg.m4 \
libpkgconf/win-dirent.h \
tests/lib-relocatable/lib/pkgconfig/foo.pc \
tests/lib1/argv-parse-2.pc \
tests/lib1/billion-laughs.pc \
tests/lib1/dos-lineendings.pc \
tests/lib1/paren-quoting.pc \
tests/lib1/argv-parse-3.pc \

8
NEWS
View File

@ -1,6 +1,14 @@
Changes from previous version of pkgconf
========================================
Changes from 1.8.0 to 1.8.1:
----------------------------
* Fix a buffer overflow vulnerability involving very large variable expansions.
CVE-2023-24056
* Fix handling of tildes in version strings.
Changes from 1.7.4 to 1.8.0:
----------------------------

View File

@ -1039,6 +1039,9 @@ main(int argc, char *argv[])
if ((want_flags & PKG_STATIC) == PKG_STATIC || personality->want_default_static)
want_client_flags |= (PKGCONF_PKG_PKGF_SEARCH_PRIVATE | PKGCONF_PKG_PKGF_MERGE_PRIVATE_FRAGMENTS);
if ((want_flags & PKG_EXISTS) == PKG_EXISTS)
want_client_flags |= PKGCONF_PKG_PKGF_SEARCH_PRIVATE;
if ((want_flags & PKG_SHARED) == PKG_SHARED)
want_client_flags &= ~(PKGCONF_PKG_PKGF_SEARCH_PRIVATE | PKGCONF_PKG_PKGF_MERGE_PRIVATE_FRAGMENTS);

View File

@ -12,7 +12,7 @@ dnl implied. In no event shall the authors be liable for any damages arising
dnl from the use of this software.
AC_PREREQ([2.68])
AC_INIT([pkgconf], [1.8.0], [https://github.com/pkgconf/pkgconf/issues/new])
AC_INIT([pkgconf], [1.8.1], [https://github.com/pkgconf/pkgconf/issues/new])
AC_CONFIG_SRCDIR([cli/main.c])
AC_CONFIG_MACRO_DIR([m4])
AX_CHECK_COMPILE_FLAG([-Wall], [CFLAGS="$CFLAGS -Wall"])

View File

@ -76,7 +76,7 @@ routines.
:param char* a: The first version to compare in the pair.
:param char* b: The second version to compare in the pair.
:return: -1 if the first version is greater, 0 if both versions are equal, 1 if the second version is greater.
:return: -1 if the first version is less than, 0 if both versions are equal, 1 if the second version is less than.
:rtype: int
.. c:function:: pkgconf_pkg_t *pkgconf_builtin_pkg_get(const char *name)

View File

@ -78,8 +78,8 @@ typedef struct pkgconf_cross_personality_ pkgconf_cross_personality_t;
#define PKGCONF_FOREACH_LIST_ENTRY_REVERSE(tail, value) \
for ((value) = (tail); (value) != NULL; (value) = (value)->prev)
#define LIBPKGCONF_VERSION 10700
#define LIBPKGCONF_VERSION_STR "1.7.0"
#define LIBPKGCONF_VERSION 10801
#define LIBPKGCONF_VERSION_STR "1.8.1"
struct pkgconf_fragment_ {
pkgconf_node_t iter;

View File

@ -44,10 +44,18 @@ pkgconf_parser_parse(FILE *f, void *data, const pkgconf_parser_operand_func_t *o
lineno++;
p = readbuf;
while (*p && isspace((unsigned int)*p))
p++;
if (*p && p != readbuf)
{
warnfunc(data, "%s:" SIZE_FMT_SPECIFIER ": warning: whitespace encountered while parsing key section\n",
filename, lineno);
warned_key_whitespace = true;
}
key = p;
while (*p && (isalpha((unsigned int)*p) || isdigit((unsigned int)*p) || *p == '_' || *p == '.'))
p++;
key = readbuf;
if (!isalpha((unsigned int)*key) && !isdigit((unsigned int)*p))
continue;
@ -89,7 +97,6 @@ pkgconf_parser_parse(FILE *f, void *data, const pkgconf_parser_operand_func_t *o
*p = '\0';
p--;
}
if (ops[(unsigned char) op])
ops[(unsigned char) op](data, lineno, key, value);
}

View File

@ -798,7 +798,7 @@ out:
*
* :param char* a: The first version to compare in the pair.
* :param char* b: The second version to compare in the pair.
* :return: -1 if the first version is greater, 0 if both versions are equal, 1 if the second version is greater.
* :return: -1 if the first version is less than, 0 if both versions are equal, 1 if the second version is less than.
* :rtype: int
*/
int
@ -813,10 +813,10 @@ pkgconf_compare_version(const char *a, const char *b)
/* optimization: if version matches then it's the same version. */
if (a == NULL)
return 1;
return -1;
if (b == NULL)
return -1;
return 1;
if (!strcasecmp(a, b))
return 0;
@ -837,9 +837,9 @@ pkgconf_compare_version(const char *a, const char *b)
if (*one == '~' || *two == '~')
{
if (*one != '~')
return -1;
if (*two != '~')
return 1;
if (*two != '~')
return -1;
one++;
two++;

View File

@ -293,12 +293,23 @@ pkgconf_tuple_parse(const pkgconf_client_t *client, pkgconf_list_t *vars, const
}
}
PKGCONF_TRACE(client, "lookup tuple %s", varname);
size_t remain = PKGCONF_BUFSIZE - (bptr - buf);
ptr += (pptr - ptr);
kv = pkgconf_tuple_find_global(client, varname);
if (kv != NULL)
{
strncpy(bptr, kv, PKGCONF_BUFSIZE - (bptr - buf));
bptr += strlen(kv);
size_t nlen = pkgconf_strlcpy(bptr, kv, remain);
if (nlen > remain)
{
pkgconf_warn(client, "warning: truncating very long variable to 64KB\n");
bptr = buf + (PKGCONF_BUFSIZE - 1);
break;
}
bptr += nlen;
}
else
{
@ -306,12 +317,21 @@ pkgconf_tuple_parse(const pkgconf_client_t *client, pkgconf_list_t *vars, const
if (kv != NULL)
{
size_t nlen;
parsekv = pkgconf_tuple_parse(client, vars, kv);
strncpy(bptr, parsekv, PKGCONF_BUFSIZE - (bptr - buf));
bptr += strlen(parsekv);
nlen = pkgconf_strlcpy(bptr, parsekv, remain);
free(parsekv);
if (nlen > remain)
{
pkgconf_warn(client, "warning: truncating very long variable to 64KB\n");
bptr = buf + (PKGCONF_BUFSIZE - 1);
break;
}
bptr += nlen;
}
}
}

View File

@ -36,7 +36,7 @@ Properties are set using RFC822-style stanzas which consist of a keyword, follow
by a colon (:) and then the value the property should be set to.
Variable substitution is always performed regardless of property type.
.Pp
There are two types of property:
There are three types of property:
.\"
.Bl -tag -width indent
.\"

View File

@ -1,5 +1,5 @@
project('pkgconf', 'c',
version : '1.8.0',
version : '1.8.1',
license : 'ISC',
meson_version : '>=0.47')
@ -107,4 +107,4 @@ install_man('man/pc.5')
install_man('man/pkgconf-personality.5')
install_data('pkg.m4', install_dir: 'share/aclocal')
install_data('AUTHORS', install_dir: 'share/doc/pkgconf')
install_data('README.md', install_dir: 'share/doc/pkgconf')
install_data('README.md', install_dir: 'share/doc/pkgconf')

View File

@ -176,7 +176,7 @@ exists_version_bad3_body()
export PKG_CONFIG_PATH="${selfdir}/lib1"
atf_check \
-s exit:1 \
pkgconf --exists 'tilde <= 1.0.0'
pkgconf --exists 'tilde >= 1.0.0'
}
exists_body()
@ -190,7 +190,7 @@ exists2_body()
{
export PKG_CONFIG_PATH="${selfdir}/lib1"
atf_check \
pkgconf --exists 'tilde >= 1.0.0'
pkgconf --exists 'tilde <= 1.0.0'
}
exists3_body()

View File

@ -0,0 +1,13 @@
v9=lol
v8=${v9}${v9}${v9}${v9}${v9}${v9}${v9}${v9}${v9}${v9}
v7=${v8}${v8}${v8}${v8}${v8}${v8}${v8}${v8}${v8}${v8}
v6=${v7}${v7}${v7}${v7}${v7}${v7}${v7}${v7}${v7}${v7}
v5=${v6}${v6}${v6}${v6}${v6}${v6}${v6}${v6}${v6}${v6}
v4=${v5}${v5}${v5}${v5}${v5}${v5}${v5}${v5}${v5}${v5}
v3=${v4}${v4}${v4}${v4}${v4}${v4}${v4}${v4}${v4}${v4}
v2=${v3}${v3}${v3}${v3}${v3}${v3}${v3}${v3}${v3}${v3}
v1=${v2}${v2}${v2}${v2}${v2}${v2}${v2}${v2}${v2}${v2}
v0=${v1}${v1}${v1}${v1}${v1}${v1}${v1}${v1}${v1}${v1}
Name: One Billion Laughs
Version: ${v0}
Description: Don't install this!

View File

@ -19,5 +19,4 @@ tests = [
# yuck
foreach test : tests
configure_file(input: test + '.sh', output: test, copy: true)
run_command('chmod', '755', join_paths(meson.build_root(), 'tests', test))
endforeach

View File

@ -28,7 +28,8 @@ tests_init \
malformed_1 \
malformed_quoting \
explicit_sysroot \
empty_tuple
empty_tuple \
billion_laughs
# sysroot_munge \
@ -251,3 +252,9 @@ empty_tuple_body()
atf_check -o inline:"\n" \
pkgconf --with-path="${selfdir}/lib1" --cflags empty-tuple
}
billion_laughs_body()
{
atf_check -o inline:"warning: truncating very long variable to 64KB\nwarning: truncating very long variable to 64KB\nwarning: truncating very long variable to 64KB\nwarning: truncating very long variable to 64KB\nwarning: truncating very long variable to 64KB\n" \
pkgconf --with-path="${selfdir}/lib1" --validate billion-laughs
}