path: root/lib
Age | Commit message | Author
2019-03-01 | Sanitize file name received from Content-Disposition header | Andrew Gregory
When installing a remote package with "pacman -U <url>", pacman renames the downloaded package file to match the name given in the Content-Disposition header. However, pacman does not sanitize this name, which may contain slashes, before calling rename(). A malicious server (or a network MitM if downloading over HTTP) can send a content-disposition header to make pacman place the file anywhere in the filesystem, potentially leading to arbitrary root code execution. Notably, this bypasses pacman's package signature checking.

For example, a malicious package-hosting server (or a network man-in-the-middle, if downloading over HTTP) could serve the following header:

  Content-Disposition: filename=../../../../../../usr/share/libalpm/hooks/evil.hook

and pacman would move the downloaded file to /usr/share/libalpm/hooks/evil.hook. This invocation of "pacman -U" would later fail, unable to find the downloaded package in the cache directory, but the hook file would remain in place. The commands in the malicious hook would then be run (as root) the next time any package is installed.

Discovered-by: Adam Suhl <asuhl@mit.edu>
Signed-off-by: Allan McRae <allan@archlinux.org>
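A defensive sketch of the check the commit message above says was missing, added here as an example and not taken from the pacman patch: reduce a server-supplied Content-Disposition name to its final path component and refuse names that cannot be a plain file name. `safe_download_name` and `build_cache_path` are hypothetical helper names, and the cache directory is a constructed sample value.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not libalpm API): return a pointer to the final
 * path component of a server-supplied name, or NULL if nothing usable
 * remains. The result points into `name`; nothing is allocated. */
static const char *safe_download_name(const char *name)
{
	const char *base;
	if (name == NULL) {
		return NULL;
	}
	/* Drop every directory component: "../../x/evil.hook" -> "evil.hook". */
	base = strrchr(name, '/');
	base = base ? base + 1 : name;

	/* Reject empty names ("dir/") and the special entries "." and "..". */
	if (base[0] == '\0' || strcmp(base, ".") == 0 || strcmp(base, "..") == 0) {
		return NULL;
	}
	return base;
}

/* Hypothetical helper: join the cache directory and the sanitized name.
 * Returns 0 on success, -1 if the name is rejected or the path would be
 * truncated (a truncated destination must never reach rename()). */
static int build_cache_path(char *out, size_t outlen,
		const char *cachedir, const char *header_name)
{
	const char *base = safe_download_name(header_name);
	int n;

	if (base == NULL) {
		return -1;
	}
	n = snprintf(out, outlen, "%s/%s", cachedir, base);
	if (n < 0 || (size_t)n >= outlen) {
		return -1;
	}
	return 0;
}

int main(void)
{
	/* Constructed sample inputs; the first is the header value quoted
	 * in the commit message. */
	const char *samples[] = {
		"../../../../../../usr/share/libalpm/hooks/evil.hook",
		"foo-1.0-1-x86_64.pkg.tar.xz", "subdir/", "..", NULL
	};
	char path[4096];
	int i;

	for (i = 0; samples[i] != NULL; i++) {
		if (build_cache_path(path, sizeof(path),
					"/var/cache/pacman/pkg", samples[i]) == 0) {
			printf("%-55s -> %s\n", samples[i], path);
		} else {
			printf("%-55s -> rejected\n", samples[i]);
		}
	}
	return 0;
}
```

With this check the traversal name from the commit message resolves to a file inside the cache directory, so the rename target can no longer be chosen by the server.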
2019-02-07 | libalpm: prevent 301 redirect loop from hanging the process | Mark Ulrich
If a mirror responds with a 301 redirect to itself, it will create an infinite redirect loop. This will cause pacman to hang, unresponsive to even a SIGINT. The result is pacman being unable to sync or download any package from a particular repo if its current mirror is stuck in a redirect loop. Setting libcurl's MAXREDIRS option effectively prevents a redirect loop from hanging the process. Signed-off-by: Mark Ulrich <mark.ulrich.86@gmail.com> Signed-off-by: Allan McRae <allan@archlinux.org>
2019-02-04 | fix various typos | morganamilo
Signed-off-by: morganamilo <morganamilo@gmail.com> Signed-off-by: Allan McRae <allan@archlinux.org>
2019-01-21 | libalpm: fix minor typo in _alpm_db_usage_ | morganamilo
Signed-off-by: morganamilo <morganamilo@gmail.com> Signed-off-by: Allan McRae <allan@archlinux.org>
2019-01-10 | libalpm/sync.c: change alpm_sync_newversion() to alpm_sync_get_new_version() | Allan McRae
The behaviour of "pacman -Qu" was very strange... It would only consider packages from repos with Usage = Search (or All), and ignore those with Usage = Sync, Install or Upgrade. This is because the function alpm_sync_newversion() used ALPM_DB_USAGE_SEARCH for its filtering. Given this function is documented (at least in the source) to "Check for new version of pkg in sync repos", I would expect that to look at all repos. However, just changing this parameter, would result in a fairly silent change in behaviour of this function. Instead, rename the function and remove this filtering altogether. Users of this function can filter the dbs passed to this function to achieve their desired output. Signed-off-by: Allan McRae <allan@archlinux.org>
2019-01-10 | be_local.c: remove aligment in local_pkg_ops | Allan McRae
The alignment was not overly helpful and caused unnecessary churn when a new value with longer name was added. Signed-off-by: Allan McRae <allan@archlinux.org>
2019-01-10 | libalpm: parse {check, make}depends when reading database | morganamilo
Commit 0994893b0e6b627d45a63884ac01af7d0967eff2 added the alpm_pkg_get_{make,check}depends functions but forgot to include logic for parsing these fields from the database. As a result these functions will always return an empty list. This commit adds the parsing logic. Signed-off-by: morganamilo <morganamilo@gmail.com> Signed-off-by: Allan McRae <allan@archlinux.org>
2019-01-04 | libalpm/add.c: move assignment into conditional in alpm_add_pkg | Michael Straube
While at it and for consistency move the assignment of the variable 'local' into the subsequent conditional. Signed-off-by: Michael Straube <michael.straube@posteo.de> Signed-off-by: Allan McRae <allan@archlinux.org>
2019-01-04 | Move skipping of duplicate sync/remove targets into libalpm | Michael Straube
sync: As pointed out by Andrew Gregory there could be an error when adding duplicates if they are two separate packages with the same name. Add a check in alpm_add_pkg() to test whether the duplicate is actually the same package, and if so, log a debug message and return success to skip the package. If the duplicate is a different package return ALPM_ERR_TRANS_DUP_TARGET and treat that error just like any other error in pacman. remove: Change alpm_remove_pkg() to just log a debug message and return success to skip duplicates. Remove the handling of ALPM_ERR_TRANS_DUP_TARGET in pacman. Also fixes FS#49377. Suggested-by: Andrew Gregory <andrew.gregory.8@gmail.com> Signed-off-by: Michael Straube <michael.straube@posteo.de> Signed-off-by: Allan McRae <allan@archlinux.org>
2019-01-04 | silence warning when built without curl | Andrew Gregory
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com> Signed-off-by: Allan McRae <allan@archlinux.org>
2018-12-10 | check localdb before upgrading package | Andrew Gregory
Commit 2ee7a8d89ad693617307260604e1d58757fd2978 replaced a manual check for a local package with a check for the "oldpkg" member, which gets set at the beginning of the transaction. If the package was also in the remove list, such as when a package gets replaced, it would no longer be in the local db and pacman would try to remove it twice, resulting in superfluous error messages. Fixes: FS#50875, FS#55534 Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com> Signed-off-by: Allan McRae <allan@archlinux.org>
2018-11-27 | require actual siglevel for default | Andrew Gregory
ALPM_SIG_USE_DEFAULT does not refer to an actual siglevel, rather it indicates that the global default should be used in place of the operation-specific one. Setting this value for the global default itself makes no sense. Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com> Signed-off-by: Allan McRae <allan@archlinux.org>
2018-11-27 | always allow explicit empty siglevel for sync dbs | Andrew Gregory
An empty siglevel does not do any signature verification which is exactly what we want when compiled without gpg support. This is already allowed in other parts of the codebase and required for the test suite to pass when compiled without gpg support. Fixes: FS#60880 Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com> Signed-off-by: Allan McRae <allan@archlinux.org>
2018-11-27 | add specific error for missing gpg support | Andrew Gregory
"wrong or NULL argument passed" is a useless error for end users. Fixes FS#60880. Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com> Signed-off-by: Allan McRae <allan@archlinux.org>
2018-11-02 | Add meson.build files to build with meson | Dave Reisner
Provide both build systems in parallel for now, to ensure that we work out all the differences between the two. Some time from now, we'll give up on autotools. Meson tends to be faster and probably easier to read/maintain. On my machine, the full meson configure+build+install takes a little under half as long as a similar autotools-based invocation.

Building with meson is a two step process. First, configure the build:

  meson build

Then, compile the project:

  ninja -C build

There are some mild differences in functionality between meson and autotools. Specifically:

1) No singular update-po target. meson only generates individual update-po targets for each textdomain (of which we have 3). To make this easier, there's a build-aux/update-po script which finds all update-po targets and runs them.

2) No 'make dist' equivalent. Just run 'git archive' to generate a suitable tarball for distribution.
2018-10-21 | handle EINTR while polling scripts/hooks | Andrew Gregory
If poll() is interrupted by a signal, alpm was closing the socket it uses for listening to script/hook output. This would drop script output at the least and kill the script at the worst. Fixes FS#60396 Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com> Signed-off-by: Allan McRae <allan@archlinux.org>
2018-10-21 | reset signal handlers before running scripts/hooks | Andrew Gregory
Front-ends or libraries may set signals to be ignored, which gets inherited across fork and exec. This can cause scripts to malfunction if they expect the signal. To make matters worse, scripts written in bash can't reset signals that were ignored when bash was started. Fixes FS#56756 Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com> Signed-off-by: Allan McRae <allan@archlinux.org>
2018-10-20 | libalpm: process needed before group selection | morganamilo
When --needed is used, up to date packages are now filtered out before showing the group select. Fixes FS#22870. Signed-off-by: morganamilo <morganamilo@gmail.com>
2018-10-17 | alpm: Fix SIGINT handling re: aborting download | Olivier Brunel
Upon receiving SIGINT a flag is set to abort the (curl) download. However, since it was never reset/initialized, if a front-end doesn't actually exit on SIGINT, and later tries any operation that needs to perform a new download, said download would always get aborted right away due to the flag not having been reset.
2018-10-17 | alpm: Do not raise SIGINT when filesize goes over limit | Olivier Brunel
Variable dload_interrupted is used both to abort a download because SIGINT was caught, and when a file limit is reached. But raising SIGINT is only meant to happen in the first case. Signed-off-by: Olivier Brunel <jjk@jjacky.com>
2018-09-19 | User-visible log when validity check fails due to access | David Phillips
Currently, if checking the validity of packages fails due to an access error on one or more packages, the user must sift through debug output in order to find the culprit package(s). This patch adds a call to _alpm_log in such a case to make the culprits more easily visible. Signed-off-by: Allan McRae <allan@archlinux.org>
2018-09-19 | Change if-else chain to switch | David Phillips
Signed-off-by: Allan McRae <allan@archlinux.org>
2018-08-10 | Remove the last traces of the pacman --force option | Allan McRae
Signed-off-by: Allan McRae <allan@archlinux.org>
2018-08-10 | libalpm/dload.c: add case for CURLE_COULDNT_RESOLVE_HOST | Michael Straube
Add a case for curl error 'Could not resolve host'. An attempt to fix FS#48285. Signed-off-by: Michael Straube <straubem@gmx.de> Signed-off-by: Allan McRae <allan@archlinux.org>
2018-08-10 | libalpm: ignore .hook suffix when sorting hooks | Jouke Witteveen
It is desirable to have 'a-post.hook' ordered after 'a.hook'. For this, it is needed to ignore the suffix when sorting. Signed-off-by: Allan McRae <allan@archlinux.org>
2018-07-27 | Pull updated translations from Transifex | Allan McRae
Signed-off-by: Allan McRae <allan@archlinux.org>
2018-07-27 | Handle root prefix in overwrite operations | Allan McRae
The pacman --overwrite operation currently expects a path without the root prefix specified. This is unexpected, particularly given our conflict error message reports the path with the root prefix included. This patch allows libalpm to overwrite files with the root prefix specified. Signed-off-by: Allan McRae <allan@archlinux.org>
2018-06-18 | libalpm/dload.c: fix filename in license header | Michael Straube
The filename in the license header did not match the actual filename as in the other files. Hopefully this is not too nit-picky. Signed-off-by: Michael Straube <straubem@gmx.de> Signed-off-by: Allan McRae <allan@archlinux.org>
2018-05-28 | Pull updated translations from Transifex | Allan McRae
Also remove any translations that are less than 75% complete. These will be readded once translation completion passes our minimum threshold. Signed-off-by: Allan McRae <allan@archlinux.org>
2018-05-15 | Pull translations from Transifex and regenerate | Allan McRae
Signed-off-by: Allan McRae <allan@archlinux.org>
2018-05-14 | Remove all modelines from the project | Eli Schwartz
Many of these are pointless (e.g. there is no need to explicitly turn on spellchecking and language dictionaries for the manpages by default). The only useful modelines are the ones enforcing the project coding standards for indentation style (and "maybe" filetype/syntax, but everything except the asciidoc manpages and makepkg.conf is already autodetected), and indent style can be applied more easily with .editorconfig Signed-off-by: Eli Schwartz <eschwartz@archlinux.org> Signed-off-by: Allan McRae <allan@archlinux.org>
2018-05-12 | Fix gcc8 warnings. | Eli Schwartz
Attempting to compile pacman with gcc8 results in several warnings like: remove.c: In function ‘unlink_file.isra.4’: remove.c:407:34: warning: ‘.pacsave.’ directive output may be truncated writing 9 bytes into a region of size between 1 and 4096 [-Wformat-truncation=] Fix by adding checks to error out if snprintf tries to reserve a truncated filename. Because the return values are checked, gcc delegates the truncation response to our code instead of throwing warnings. Signed-off-by: Eli Schwartz <eschwartz@archlinux.org> Signed-off-by: Allan McRae <allan@archlinux.org>
2018-04-30 | add missing newline to error message | Allan McRae
Signed-off-by: Allan McRae <allan@archlinux.org>
2018-04-29 | Initial translation preparation for pacman-5.1 | Allan McRae
Signed-off-by: Allan McRae <allan@archlinux.org>
2018-04-29 | Import updated translations from Transifex | Allan McRae
Signed-off-by: Allan McRae <allan@archlinux.org>
2018-04-29 | Update POTFILES.in | Allan McRae
Add all files to the relevant POTFILES.in. This avoids missing translations added to old files. Signed-off-by: Allan McRae <allan@archlinux.org>
2018-04-29 | libalpm.pc: migrate to Requires.private | Eli Schwartz
pkg-config has built-in dependency handling, but we currently insert the raw $LIBS into libalpm's own linker flags and fail to handle Cflags at all. For dependencies which support pkg-config, simply use that instead. Signed-off-by: Eli Schwartz <eschwartz@archlinux.org> Signed-off-by: Allan McRae <allan@archlinux.org>
2018-03-14 | Update coyrights for 2018 | Allan McRae
make update-copyright OLD=2017 NEW=201 Signed-off-by: Allan McRae <allan@archlinux.org>
2018-03-14 | hooks: Complain if hook parameters are overwritten. Fixed 2 space leaks. | Stefan Klinger
Signed-off-by: Stefan Klinger <git@stefan-klinger.de> Signed-off-by: Allan McRae <allan@archlinux.org>
2018-01-11 | Support new OpenPGP format packets lengths | Allan McRae
RFC 4880 defines two packet formats for OpenPGP. Pacman aborted its key in keyring check with an error message if it encountered the new format. This was fine until some annoying Arch Trusted User generated a key using the new format! Implement the new format. This also required parsing the hashed sub packets, requiring the parsing code to be moved to its own function. Signed-off-by: Allan McRae <allan@archlinux.org>
2018-01-10 | add missing newline to debug message | Andrew Gregory
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com> Signed-off-by: Allan McRae <allan@archlinux.org>
2018-01-10 | detect pkghash allocation failure | Andrew Gregory
If rehash ever failed with a full hash it would return the old hash that is already full. get_hash_position would then loop forever because it would never find an empty bucket. Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com> Signed-off-by: Allan McRae <allan@archlinux.org>
2018-01-10 | Do not continuously try to open an invalid database | Allan McRae
If you manage to download a bad database (e.g. an html file when behind a proxy or with a badly configured webserver), pacman makes sure you know about it. Here is some example output: error: could not open file /var/lib/pacman/sync/extra.db: Unrecognized archive format error: could not open file /var/lib/pacman/sync/extra.db: Unrecognized archive format error: could not open file /var/lib/pacman/sync/extra.db: Unrecognized archive format error: could not open file /var/lib/pacman/sync/extra.db: Unrecognized archive format error: could not open file /var/lib/pacman/sync/extra.db: Unrecognized archive format error: could not open file /var/lib/pacman/sync/extra.db: Unrecognized archive format error: could not open file /var/lib/pacman/sync/extra.db: Unrecognized archive format error: could not open file /var/lib/pacman/sync/extra.db: Unrecognized archive format error: could not open file /var/lib/pacman/sync/extra.db: Unrecognized archive format error: could not open file /var/lib/pacman/sync/extra.db: Unrecognized archive format error: could not open file /var/lib/pacman/sync/extra.db: Unrecognized archive format error: could not open file /var/lib/pacman/sync/extra.db: Unrecognized archive format error: could not open file /var/lib/pacman/sync/extra.db: Unrecognized archive format error: could not open file /var/lib/pacman/sync/extra.db: Unrecognized archive format error: could not open file /var/lib/pacman/sync/extra.db: Unrecognized archive format error: could not open file /var/lib/pacman/sync/extra.db: Unrecognized archive format error: could not open file /var/lib/pacman/sync/extra.db: Unrecognized archive format error: could not open file /var/lib/pacman/sync/extra.db: Unrecognized archive format error: could not open file /var/lib/pacman/sync/extra.db: Unrecognized archive format error: could not open file /var/lib/pacman/sync/extra.db: Unrecognized archive format error: could not open file /var/lib/pacman/sync/extra.db: Unrecognized archive format error: 
could not open file /var/lib/pacman/sync/extra.db: Unrecognized archive format error: could not open file /var/lib/pacman/sync/extra.db: Unrecognized archive format error: could not open file /var/lib/pacman/sync/extra.db: Unrecognized archive format I don't know how many times that gets printed because it goes beyond my scrollback buffer. Flag a database that we can "open" and "fstat" but not read from as invalid to avoid this. Signed-off-by: Allan McRae <allan@archlinux.org>
2018-01-06 | do not rely on name hashes for matching | Andrew Gregory
6cfc4757b98e813428d261dbc185e20618ca83a6 was overzealous in attempting to optimize away a call to strcmp based on a comparison of hashes. The call can be skipped if the hashes are different, but different strings could have the same hash. Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com> Signed-off-by: Allan McRae <allan@archlinux.org>
2018-01-06 | dload: ensure callback is always initialized once | Andrew Gregory
Frontends rely on an initialization call for setup between downloads. Checking for initialization after checking for a completed download can skip initialization in cases where files are small enough to be downloaded all at once (FS#56408). Relying on previous download size can result in multiple initializations if there are multiple non-transfer events prior to the download starting (FS#56468). Introduce a new cb_initialized variable to the payload struct and use it to ensure that the callback is initialized exactly once prior to any actual events. Fixes FS#56408, FS#56468 Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com> Signed-off-by: Allan McRae <allan@archlinux.org>
2018-01-06 | avoid printing NULL string | Andrew Gregory
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com> Signed-off-by: Allan McRae <allan@archlinux.org>
2017-12-07 | Fix CVE-2016-5434 (DoS/loop and out of boundary read) | Nils Freydank
This is a rewrite of Tobias Stoeckmann’s patch from June 2016[1] using functions instead of macros. (Thanks to Tobias for explanations of his patch.) A short question on Freenode IRC showed that macros are generally discouraged and functions should be used. The patch introduces a static size_t length_check() in libalpm/signing.c. [1] Original patch: https://lists.archlinux.org/pipermail/pacman-dev/2016-June/021148.html CVE request (and assignment): http://seclists.org/oss-sec/2016/q2/526 Signed-off-by: Allan McRae <allan@archlinux.org>
2017-07-28 | Fix brace coding style issues | Michael Straube
- Add missing braces to one-line if blocks
- Move opening brace to line end

Signed-off-by: Michael Straube <straubem@gmx.de>
2017-07-06 | alpm_list: abort on memory allocation failure | Andrew Gregory
This makes it possible to detect a failure in several alpm_list functions. Previously these functions would continue after a failure, returning partial results and potentially leaking memory. Unfortunately, NULL is a valid return value for the affected functions if the input list is empty, so they still do not have a dedicated error value. Callers can at least detect an error by checking if the input list was empty. Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com> Signed-off-by: Allan McRae <allan@archlinux.org>
2017-07-06 | fix typo in libalpm comment | Christian Hesse
contatenate -> concatenate Signed-off-by: Christian Hesse <mail@eworm.de> Signed-off-by: Allan McRae <allan@archlinux.org>