Make sure we always have valid struct apk_trust * for code using it.
Load the signing keys directly when being specified to produce
sane error message if loading them fails.
In most places where pointer can be an 'error' it cannot be null
pointer. Further, in those cases just calling PTR_ERR() is not enough
to handle the null case. Simplify code by removing this case.
If NULL case needs to be handled, it's better to add separate check
and return fixed error code in that case.
- check magic field for 'ustar' on read
- harden get_octal to report errors on non-octal characters
(e.g. GNU base256 encoding), fixes#10757
- fix mtime and size octal fields to not have zero terminator
Directories are handled specially in package installation code, but
extract applet uses also apk_extract_file() to create directories.
These should not be unlinked as that fails with unexpected error code
terminating the extraction.
This moves and isolates the tar code to tar.c. And the actual
file extraction to disk is moved to extract.c.
A new API is introduced and used for v2 file extraction. This
essentially moves and isolates the apk_sign_ctx_* beast into
extract_v2.c and offers a saner interface to handling packages.
A place holder is added for v3 extraction.
Packages containing files with path names longer than 1024 characters
cannot fit into the buffer which is used to write "installed" database.
This leads to bbuf being APK_BLOB_NULL in apk_db_write_fdb because
apk_blob_push_blob notices the condition and correctly handles it.
The problem occurs when arguments to apk_ostream_write are manually
calculated by pointer arithmetics. Since bbuf.ptr is NULL in such a
case, bbuf.ptr - buf leads to a huge size value while buf still points
into the stack.
fixes#10751
[TT: minor edit to commit and abbreviating the commit message]
If a signature is longer than max allowed adb signature length
then adb_walk_block writes out of boundary of stack variable tmp.
The len += snprintf is not safe per standard snprintf implementation
(kernel does it differently). Introduce and use apk_blob_push_fmt
which does the checking better.
Fixes#10752
Reported-by: Samanta Navarro <ferivoz@riseup.net>
Add uvol_name to struct apk_file_info so it can be passed down
the extract callbacks in future work. Modify uvol name to not
include the path, but just the filename portion.
- apk_istream_splice usage is converted to apk_stream_copy which
is the newer variant. With caching enabled by default, this
makes more sense mmapping or using separate buffers.
- apk_istream_tee is reworked to write to apk_ostream, which simplifies
quite a bit of various things
Fix the script to not contain \x00 escape which was the only new
feature used.
Fix the meson build script to use given lua interpreter for running
the genhelp.lua.
Based on patch from Daniel Golle <daniel@makrotopia.org>
EVP_MD_CTX_set_pkey_ctx() is fairly new openssl function, and not
existing in many alternative. Use EVP_MD_CTX_reset() which is slightly
more heavy but more portable. Add also signature buffer lengths to
work with RSA.
Improves compatibility with libressl, wolfssl and older openssl
libraries not having the flag. Usage of this is optional as it's
purely performance optimization related flag.
- basic digesting and signing apis (subject still to fine tuning)
- update digest code, and adb signing for the thin wrapping layer
- old v1 package and database handling not updated
- default mkpkg file hash to sha256
ref #10744
The progress bar requires the terminal emulator to support ANSI escape
sequences. Normally, TERM is set to dumb to indicate that the terminal
emulator doesn't support any ANSI escape sequences. Attempting to use
ANSI escape sequences on dumb terminals will lead to weird output. In
order to make apk work by default, even on dumb terminals, this commit
introduces an additional check which consults $TERM and disables the
progress bar if it is set to "dumb".
The original intent was to choose packages to which there is most
dependencies. However, since the code has evolved this is has been
mostly obsolete. And in fact now interferes with the provides and
provides priority mechanism. Remove this as obsolete.
Fixes#10742
Modify apk_resolve_[ug]id to take the user/groupname as a blob, so
proper length checking is done and honored.
==31584== Conditional jump or move depends on uninitialised value(s)
==31584== at 0x5C8CA5: strlen (strlen.c:17)
==31584== by 0x432575: APK_BLOB_STR (apk_blob.h:79)
==31584== by 0x4350EB: apk_resolve_uid (io.c:1112)
==31584== by 0x43696C: apk_tar_parse (io_archive.c:152)
==31584== by 0x4271BC: apk_pkg_read (package.c:929)
==31584== by 0x402D75: add_main (app_add.c:163)
==31584== by 0x40D5FF: main (apk-static.c:516)
Fixes a potential crash (DoS) on a crafted TAR file. CVE-2021-30139.
Reported-by: Sören Tempel <soeren+git@soeren-tempel.net>
Reviewed-by: Ariadne Conill <ariadne@dereferenced.org>
apk_dir_foreach_file and apk_resolve_[ug]id needs to free the fd in
case fdopen/fdopendir fails. Additionally this does not rely on fdopen
to fail if openat() returned -1, making sure that we don't call any
syscalls with invalid file handle.
This commit fixes a regression which was introduced in changeset
646c834492. If apk_out_fmt() is called
while out->log is set and prefix is set to APK_OUT_LOG_ONLY, then
apk_out_fmt() would pass this prefix to log_internal() which would, in
turn, attempt to write it to standard out using fprintf().
Unfortunately, doing so wont work as intended if prefix is ((char*)-1)
(i.e. APK_OUT_LOG_ONLY) and will cause a segmentation fault instead.
This commit fixes this segmentation fault by not printing the prefix in
log_internal() if it is either NULL or APK_OUT_LOG_ONLY.
This adds a log file at /var/log/apk.log. On each run, apk's version
information and the current date & time are written to this file,
followed by any normal apk output.
If we use default root (/), then we do not have to chroot to run scripts.
Use APK_NO_CHROOT flag for this scenario to avoid the chroot. This helps
with using apk with bwrap and OSTree.
Closes#10736.
The code assumed that when package is in world, it would be there
by it's primary name. The code is now updated to properly print the
package names that are actually present in world.
fixes#10718
Especially a newline can produce havoc in the database file as
the filename is written there as-is. This hardenes the extraction
to consider any control character as malicious. Additional
hardening is added to database loading to better detect corrupt
state and return proper error code about it.
Reported-by: Luca Weiss <luca@z3ntu.xyz>
While commit 18b0b45 (io: Handle long lines, Thu Jan 7 17:25:23 2021
+0100) did attempt to address this issue, the buffer really is still to
small when dealing with big-big dependency lists.
Lets make it sufficiently large for now, until the new APKINDEX format
can support multi-line dependencies, making this not needed any more.
[TT: Originally the buffer size was conservative to run on resource
constrained embedded platforms. But since the available memory on those
has also increased much, the adjustment to 128kB makes sense also to
increase performance a little bit. Removing also the iolimit test.]
Signed-off-by: Olliver Schinagl <oliver@schinagl.nl>
It turns out inflate() can output zero bytes, even if it consumed
data. This had the unfortunate side effect of returning zero bytes
(end-of-file) condition before calling the boundary callbacks. This
fixes the logic to not return zero reads on gzip boundary.
In practice this fixes the seldom seen issues of apk reporting
bad signature (when it was correct).
(De)initialization is deprecated under OpenSSL 1.0 and above.
[TT: Some simplifications, and additional edits.]
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Regression introduced by 0fb0d30 which makes parsing a description
a critical failure.
[TT: Minor stylistic change. Fix also missing final line change
from the earlier commit]
As an APKINDEX can become arbitrarely long due to dependencies and
other parameters, increasing the buffer size make this less likely
to happens.
Closes#10731.
The new v3 applets don't use it, and eventually all applets will
use the new formats only.
This prepares the code for this, and moves trust, id_cache, and
root_fd to apk_ctx which is enough for v3 applets at this time.
The generic code is made to not initialize apk_database if it's
not needed.
This is a flat buffers inspired format that allows fast
mmaped access to the data with low overhead, signature support
and relatively good forward support.
On some systems the `/var/` dir is mounted in a tmpfs which is reseted
after each reboot. For that reason no post-install script can handle the
creation of the cache dir at `/var/cache/apk`.
Check on database opnening if the folder is available, if not create it.
Fixes#10715
Signed-off-by: Paul Spooren <mail@aparcar.org>
It used to be relative to the --root specified root, but that
causes issues with relative command line filenames and is unintuitive.
Update documentation accordingly. Fixes#10702.
This uses some macro trickery to make sure that there's one-to-one
mapping with the option index enum and the descriptor. The down
side is that enum's are generated via #define's and editors might
not pick them up for auto completion, but the benefits are more:
it's no longer possible have mismatching enum value and descriptor
index, and the amount of source code lines is less.
This greatly helps with memory management on applications that
may want to daemonize and open/close database several times.
Also the lifetime and "owner" of memory for all data is now
explicitly bound to owning struct apk_database, which might
be helpful when writing language bindings. As side effect, the
interned "atoms" are unique only within what apk_database, so
comparing packages from different apk_database may not work
as expected.
Fixes#10697
When creating an index apk warns if a dependency is missing a provider.
However when using a multi-arch repository, it's not an error that
a certain architecture is missing a dependency because that dependency
could be in an other architecture. Since apk index doesn't know about
this, add an argument to disable that warning.
Maintainer note: rebased for new option handling, and minor stylistic
adjustments.
Signed-off-by: Fredrik Gustafsson <fredrigu@axis.com>
This reduces the number of relocations on PIE binaries, and also
reduces the executable size. Parsing of the options is slightly
sped up as only the exact matching option group parser is called.
This creates main help like:
--
usage: apk [<OPTIONS>...] COMMAND [<ARGUMENTS>...]
Package installation and removal:
add Add packages to WORLD and commit changes
del Remove packages from WORLD and commit changes
System maintenance:
fix Check WORLD against the system and ensure consistency
update Update repository indexes
upgrade Install upgrades available from repositories
cache Commands related to the management of an offline package cache
Querying package information:
info Give detailed information about packages or repositories
list List packages matching a pattern or other criteria
dot Generate graphviz graphs
policy Show repository policy for packages
Repository maintenance:
index Create repository index file from packages
fetch Download packages from global repositories to a local directory
manifest Show checksums of package contents
verify Verify package integrity and signature
Miscellaneous:
audit Audit directories for changes
stats Show statistics about repositories and installations
version Compare package versions or perform tests on version strings
This apk has coffee making abilities.
--
And applet specific help like:
--
usage: apk add [<OPTIONS>...] PACKAGES...
Description:
apk add adds the requested packages to WORLD and installs (or upgrades)
them if not already present, ensuring all dependencies are met.
Options:
--initdb Initialize a new package database
-l, --latest Disables normal heuristics for choosing which repository to install a
-u, --upgrade When adding packages which are already installed, upgrade them rather
-t, --virtual NAME
Instead of adding the specified packages to WORLD, create a new
--no-chown Do not change file owner or group
--
If apk is run as a non-root user, it's not possible to chown files.
Maintainers note: minor wording changes on commit log and man page.
Signed-off-by: Fredrik Gustafsson <fredrigu@axis.com>
We want to include via <apk/$headerfile> and not via <$headerfile>,
so we want to add an include statement for the dir the apk folder
which contains the headers is contained in.
Most notably this happens after blank database is initialized with --initdb,
but can happen also in other conditions.
The error checking changes modified behaviour if the file does not exist.
Explicitly check for ENOENT and ignore it. But the behaviour is improved
from earlier as now e.g. EPERM will be detected and reported correctly.
Fixes#10679
Fixes: 6da3e8eb15 "istream, archive, db: convert db and tar function to use istream"
Some screen size are quite small. For example, the default phosh
terminal is less than 50 character wide on Pinephone. This lowers the minimum
loading bar size to 25 characters.
For comparison, 25 character wide is just as wide as "apk add firefox
linux-lts" without the quotes.
Here's a bad picture to illustrate the result
gitlab.alpine.org/uploads/48c20f746fbf685b62b6bd73585ecbf2/pinephone-phosh.png