Olliver Schinagl authored 4 years ago and Timo Teräs committed 3 years ago

While commit 18b0b45b (io: Handle long lines, Thu Jan 7 17:25:23 2021
+0100) did attempt to address this issue, the buffer really is still to
small when dealing with big-big dependency lists.

Lets make it sufficiently large for now, until the new APKINDEX format
can support multi-line dependencies, making this not needed any more.

[TT: Originally the buffer size was conservative to run on resource
constrained embedded platforms. But since the available memory on those
has also increased much, the adjustment to 128kB makes sense also to
increase performance a little bit. Backported to 2.10-stable.]

Signed-off-by: Olliver Schinagl <oliver@schinagl.nl>

Unbreak handling of base 16 in fetch_parseuint(). It is used
only in http chunked mode handling.

Fixes: "libfetch: fix range checking for http/ftp protocol parsing"

Various parsing of numeric strings were not having adequate range
checking causing information leak or potential crash.

CVE-2021-36159
fixes #10749

Co-authored-by: Ariadne Conill <ariadne@dereferenced.org>
Reported-by: Samanta Navarro <ferivoz@riseup.net>

Samanta Navarro authored 3 years ago and Timo Teräs committed 3 years ago

Packages containing files with path names longer than 1024 characters
cannot fit into the buffer which is used to write "installed" database.
This leads to bbuf being APK_BLOB_NULL in apk_db_write_fdb because
apk_blob_push_blob notices the condition and correctly handles it.

The problem occurs when arguments to apk_ostream_write are manually
calculated by pointer arithmetics. Since bbuf.ptr is NULL in such a
case, bbuf.ptr - buf leads to a huge size value while buf still points
into the stack.

fixes #10751

[TT: minor edit to commit and abbreviating the commit message]

removes some code duplication

Sören Tempel authored 3 years ago and Timo Teräs committed 3 years ago

The progress bar requires the terminal emulator to support ANSI escape
sequences. Normally, TERM is set to dumb to indicate that the terminal
emulator doesn't support any ANSI escape sequences. Attempting to use
ANSI escape sequences on dumb terminals will lead to weird output. In
order to make apk work by default, even on dumb terminals, this commit
introduces an additional check which consults $TERM and disables the
progress bar if it is set to "dumb".

[TT: backported to 2.12]

The original intent was to choose packages to which there is most
dependencies. However, since the code has evolved this is has been
mostly obsolete. And in fact now interferes with the provides and
provides priority mechanism. Remove this as obsolete.

Fixes #10742

Modify apk_resolve_[ug]id to take the user/groupname as a blob, so
proper length checking is done and honored.

==31584== Conditional jump or move depends on uninitialised value(s)
==31584==    at 0x5C8CA5: strlen (strlen.c:17)
==31584==    by 0x432575: APK_BLOB_STR (apk_blob.h:79)
==31584==    by 0x4350EB: apk_resolve_uid (io.c:1112)
==31584==    by 0x43696C: apk_tar_parse (io_archive.c:152)
==31584==    by 0x4271BC: apk_pkg_read (package.c:929)
==31584==    by 0x402D75: add_main (app_add.c:163)
==31584==    by 0x40D5FF: main (apk-static.c:516)

Fixes a potential crash (DoS) on a crafted TAR file. CVE-2021-30139.

Reported-by: Sören Tempel <soeren+git@soeren-tempel.net>
Reviewed-by: Ariadne Conill <ariadne@dereferenced.org>

apk_dir_foreach_file and apk_resolve_[ug]id needs to free the fd in
case fdopen/fdopendir fails. Additionally this does not rely on fdopen
to fail if openat() returned -1, making sure that we don't call any
syscalls with invalid file handle.

(cherry picked from commit 3c339a74)

Ariadne Conill authored 4 years ago and Timo Teräs committed 3 years ago

If we use default root (/), then we do not have to chroot to run scripts.
Use APK_NO_CHROOT flag for this scenario to avoid the chroot.  This helps
with using apk with bwrap and OSTree.

Closes #10736.

[TT: backported to 2.12-stable]

(cherry picked from commit 73504fb7)

The code assumed that when package is in world, it would be there
by it's primary name. The code is now updated to properly print the
package names that are actually present in world.

fixes #10718

(cherry picked from commit ff0ea826)

fixes #10738

(cherry picked from commit 358c3172)

Martin Vahlensieck authored 4 years ago and Timo Teräs committed 3 years ago

If server redirects from http to https, libfetch detects this, but
wrongly uses the old url scheme to determine the port. This subsequently
leads to the following OpenSSL error:

139741541575496:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:331:

Using the new scheme fixes this.  This error message comes from trying
to connect to port 80 with TLS, it can also be observed by issuing
  $ openssl s_client -connect alpinelinux.org:80

This bug was introduced in commit:
7158474f libfetch: keep http auth only if redirect is for the same host

(cherry picked from commit 63d05ee4)

fixes #10737

(cherry picked from commit ab7b8e3c)

Especially a newline can produce havoc in the database file as
the filename is written there as-is. This hardenes the extraction
to consider any control character as malicious. Additional
hardening is added to database loading to better detect corrupt
state and return proper error code about it.

Reported-by: Luca Weiss <luca@z3ntu.xyz>

(backported from commit c1594f60)

Treat URLs with too long individual components as malformed instead
of silently truncating that field. There might be unexpected results
if hostname, username or password field gets truncated.

(cherry picked from commit 5edd60a4)

The connection pooling was broken in two ways:

 1. The original URL was always used as the connection pool URL,
    resulting in duplicate connections to the proxy for http URLs
    (each http URL would get separate proxy connection)

 2. The cache_url stored was always the socket level connect URL.
    In case of HTTPS, the lookup was done done with the real URL,
    but the proxy URL was stored as the "cache URL". Thus HTTPS
    CONNECT connections were never re-used.

This fixes the code with following logic:

 1. The cache key url is the real URL when no-proxy, or when HTTPS
    with proxy (the socket is connected to proxy, but logically it
    is connected to the real URL due to HTTP CONNECT request).
    And for HTTP with proxy, it's the proxy URL so same proxy
    connection can be reused for all requests going through it.

 2. fetch_connect() now gets cache key URL separately, and it always
    gets the same value as the fetch_cache_get() calls.

(cherry picked from commit aa1f935c)

fixes #10734

(cherry picked from commit c37b385b)

Conny Seifert authored 4 years ago and Timo Teräs committed 3 years ago

Instead of skipping just one line, properly parse the response headers.

[TT: reworded commit message]

(cherry picked from commit b1935a1e)

Mike Detwiler authored 4 years ago and Timo Teräs committed 3 years ago

Signed-off-by: Mike Detwiler <det@shift5.io>
(cherry picked from commit d438cdfb)

Alex Denes authored 4 years ago and Timo Teräs committed 3 years ago

(cherry picked from commit 3890035c)

fixes #10688

(cherry picked from commit 7158474f)

Paul Spooren authored 4 years ago and Timo Teräs committed 3 years ago

On some systems the `/var/` dir is mounted in a tmpfs which is reseted
after each reboot. For that reason no post-install script can handle the
creation of the cache dir at `/var/cache/apk`.

Check on database opnening if the folder is available, if not create it.
Fixes #10715

Signed-off-by: Paul Spooren <mail@aparcar.org>
(cherry picked from commit dac30d50)

fixes #10710

(cherry picked from commit 6cedfe27)

fixes #10703

(cherry picked from commit 8a794021)

(cherry picked from commit c269e9c2)

Ariadne Conill authored 4 years ago and Timo Teräs committed 3 years ago

If getservbyname() fails, libfetch will attempt to connect to port 0.

(cherry picked from commit ffcdd350)

Fixes #10686 to not use uninitialized value in the error paths.

(cherry picked from commit 7b76182f)

Fix comparing of the hostname portion that matches exactly.
The no_proxy matching is pretty rudimentary though and probably
could go through a bit of additional rework.

Fixes #10681

(cherry picked from commit d6c54f93)

- split the code to a helper function
- do not set sockets to corked state when putting back to
  cache so socket state is always deterministic
- cork/uncork also when sending CONNECT to a proxy, this
  can reduce a little bit the latency how fast the packet
  gets sent out
- also pair corking with uncorking in http_request to make
  it more obvious pairing

(cherry picked from commit eae92bba)

Alex Wauck authored 5 years ago and Timo Teräs committed 3 years ago

The recent TCP_CORK change missed this bit of code.  This change
should improve performance a bit when making HTTP requests by calling
http_cmd only once instead of three times.

(cherry picked from commit 09dbe46a)

(cherry picked from commit b879d9ea)

(cherry picked from commit 2d864114)

Antoine Fontaine authored 5 years ago and Timo Teräs committed 3 years ago

Some screen size are quite small. For example, the default phosh
terminal is less than 50 character wide on Pinephone. This lowers the minimum
loading bar size to 25 characters.

For comparison, 25 character wide is just as wide as "apk add firefox
linux-lts" without the quotes.

Here's a bad picture to illustrate the result
gitlab.alpine.org/uploads/48c20f746fbf685b62b6bd73585ecbf2/pinephone-phosh.png

(cherry picked from commit e8522411)

TBK authored 5 years ago and Timo Teräs committed 3 years ago

fixes #10677

src/apk_defines.h:152:15: error: unknown type name 'uint32_t'
 static inline uint32_t get_unaligned32(const void *ptr)
               ^~~~~~~~

(cherry picked from commit a9916c2d)