merge_options() will write one more entry to the options table
which is the end-of-table indicator. Allocate memory for it too.
valgrind did not pick it up due to being in stack; changing alloca
to malloc would make valgrind notice the issue too.
Reported-by: Mobile Stream <info@mobile-stream.com>
A crafted .apk file could to trick apk writing unverified data to
an unexpected file during temporary file creation due to bugs in handling
long link target name and the way a regular file is extracted.
Several hardening steps are implemented to avoid this:
- the temporary file is now always first unlinked (apk thus reserved
all filenames .apk.* to be it's working files)
- the temporary file is after that created with O_EXCL to avoid races
- the temporary file is no longer directly the archive entry name
and thus directly controlled by potentially untrusted data
- long file names and link target names are now rejected
- hard link targets are now more rigorously checked
- various additional checks added for the extraction process to
error out early in case of malformed (or old legacy) file
Reported-by: Max Justicz <max@justi.cz>
Most applets return whatever apk_solver_commit() returns. It is the
number of errors found (or negative for hard error). Sanitize the
error value to not give false success exit code in the unlikely case
of errors % 256 == 0.
Reported-by: Max Justicz <max@justi.cz>
It's common for a pre-install script to do something like
addgroup -S group 2>/dev/null
When apk installs files after this, it sets the owner/group based on id cache
but currently the id cache is stale and doesn't contain the new group at that
point: instead the file will be installed with gid that the build host
happened to have for that group -- on target this might mean a non-existing
group or a completely different group.
We can't know if the script really did modify id cache contents so make sure
to reset the id cache on every script execution.
Virtual packages have the origin pointer set to NULL. Trying to print it
using the BLOB_PRINTF macros causes a segmentation fault.
Inspired by the `print_origin_name` function from `src/search.c` this
commit attempts to fix it by checking whether `pkg->origin` is NULL
before attempting to print it. If it is NULL the pkg name is printed
instead.
Since printing the pkg name requires a different format string this
commit splits the printf call for printing the package line into
multiple ones. The output format shouldn't have changed at all though.
Run apk_solver_solve once with all args as dependencies instead of
running apk_solver_solve for each arg. This is neccesary so the
install_if calculation is done correctly.
During netboot on systems without RTC, time() will be near zero,
and the index fill not exist. Thus the plain test of st.st_mtime
against system time failed. Verify that fstatat() succeeds.
The list applet provides a convenient way of inspecting both the available
and installed package databases by listing their contents. In some ways,
it is similar to `apk search` but is considered to be a superset of
`apk search` functionality.
A few `apk list` criterion are not yet ready though, such as `apk list --depends`
which searches by runtime dependency (replacing `apk info --rdepends`).