Add uvol_name to struct apk_file_info so it can be passed down
the extract callbacks in future work. Modify uvol name to not
include the path, but just the filename portion.
- apk_istream_splice usage is converted to apk_stream_copy which
is the newer variant. With caching enabled by default, this
makes more sense mmapping or using separate buffers.
- apk_istream_tee is reworked to write to apk_ostream, which simplifies
quite a bit of various things
Fix the script to not contain \x00 escape which was the only new
feature used.
Fix the meson build script to use given lua interpreter for running
the genhelp.lua.
Based on patch from Daniel Golle <daniel@makrotopia.org>
EVP_MD_CTX_set_pkey_ctx() is fairly new openssl function, and not
existing in many alternative. Use EVP_MD_CTX_reset() which is slightly
more heavy but more portable. Add also signature buffer lengths to
work with RSA.
Use of an AUTHORS section is strongly discouraged. Generally, it
is better not to clutter every page with a list of (over time
potentially numerous) authors.
Add your name to comments in sources, or the root level AUTHORS
file instead.
Improves compatibility with libressl, wolfssl and older openssl
libraries not having the flag. Usage of this is optional as it's
purely performance optimization related flag.
- basic digesting and signing apis (subject still to fine tuning)
- update digest code, and adb signing for the thin wrapping layer
- old v1 package and database handling not updated
- default mkpkg file hash to sha256
ref #10744
The progress bar requires the terminal emulator to support ANSI escape
sequences. Normally, TERM is set to dumb to indicate that the terminal
emulator doesn't support any ANSI escape sequences. Attempting to use
ANSI escape sequences on dumb terminals will lead to weird output. In
order to make apk work by default, even on dumb terminals, this commit
introduces an additional check which consults $TERM and disables the
progress bar if it is set to "dumb".
The original intent was to choose packages to which there is most
dependencies. However, since the code has evolved this is has been
mostly obsolete. And in fact now interferes with the provides and
provides priority mechanism. Remove this as obsolete.
Fixes#10742
Modify apk_resolve_[ug]id to take the user/groupname as a blob, so
proper length checking is done and honored.
==31584== Conditional jump or move depends on uninitialised value(s)
==31584== at 0x5C8CA5: strlen (strlen.c:17)
==31584== by 0x432575: APK_BLOB_STR (apk_blob.h:79)
==31584== by 0x4350EB: apk_resolve_uid (io.c:1112)
==31584== by 0x43696C: apk_tar_parse (io_archive.c:152)
==31584== by 0x4271BC: apk_pkg_read (package.c:929)
==31584== by 0x402D75: add_main (app_add.c:163)
==31584== by 0x40D5FF: main (apk-static.c:516)
Fixes a potential crash (DoS) on a crafted TAR file. CVE-2021-30139.
Reported-by: Sören Tempel <soeren+git@soeren-tempel.net>
Reviewed-by: Ariadne Conill <ariadne@dereferenced.org>
apk_dir_foreach_file and apk_resolve_[ug]id needs to free the fd in
case fdopen/fdopendir fails. Additionally this does not rely on fdopen
to fail if openat() returned -1, making sure that we don't call any
syscalls with invalid file handle.
This commit fixes a regression which was introduced in changeset
646c834492. If apk_out_fmt() is called
while out->log is set and prefix is set to APK_OUT_LOG_ONLY, then
apk_out_fmt() would pass this prefix to log_internal() which would, in
turn, attempt to write it to standard out using fprintf().
Unfortunately, doing so wont work as intended if prefix is ((char*)-1)
(i.e. APK_OUT_LOG_ONLY) and will cause a segmentation fault instead.
This commit fixes this segmentation fault by not printing the prefix in
log_internal() if it is either NULL or APK_OUT_LOG_ONLY.