1. 11 Jan, 2020 4 commits
  2. 18 Dec, 2019 1 commit
  3. 03 Jun, 2019 1 commit
  4. 13 Feb, 2019 2 commits
  5. 26 Oct, 2018 1 commit
  6. 10 Sep, 2018 1 commit
    • rework unpacking of packages and harden package file format requirements · 6484ed98
      Timo Teräs authored
      A crafted .apk file could trick apk into writing unverified data to
      an unexpected file during temporary file creation due to bugs in handling
      long link target name and the way a regular file is extracted.
      
      Several hardening steps are implemented to avoid this:
       - the temporary file is now always first unlinked (apk thus reserved
         all filenames .apk.* to be its working files)
       - the temporary file is after that created with O_EXCL to avoid races
       - the temporary file is no longer directly the archive entry name
         and thus directly controlled by potentially untrusted data
       - long file names and link target names are now rejected
       - hard link targets are now more rigorously checked
       - various additional checks added for the extraction process to
         error out early in case of malformed (or old legacy) file
      Reported-by: Max Justicz <max@justi.cz>
  7. 14 Aug, 2018 1 commit
  8. 23 Aug, 2017 1 commit
  9. 26 Jun, 2017 1 commit
    • tar: use standard header prefix · 677d3240
      Timo Teräs authored
      APKs have been created with GNU tar so far, which uses the
      GNU extensions for long names. In order to increase portability
      support the standard header's 'prefix' portion in case
      the GNU extensions are not present.
  10. 23 Jun, 2017 3 commits
  11. 05 Jan, 2017 1 commit
  12. 09 Feb, 2016 1 commit
  13. 09 Nov, 2015 1 commit
    • io, database: preserve [am]time for cached and fetched files · cce4cff5
      Timo Teräs authored
      preserve [am]time for all packages and indexes. this fixes the caching
      error that 'apk update' is after new index is generated, but before
      the used mirror is synchronized. this caused local apkindex timestamp
      to be newer than file in mirror, when in fact it was outdated index.
      
      this also fixes fetched files to have build timestamp so that files
      going to .iso or custom images have proper timestamps (rsync with
      appropriate --modify-window now works)
  14. 17 Apr, 2015 3 commits
  15. 11 Mar, 2015 1 commit
  16. 10 Mar, 2015 2 commits
  17. 01 Nov, 2014 1 commit
  18. 20 Sep, 2013 1 commit
  19. 28 Jun, 2013 1 commit
  20. 17 Jun, 2013 1 commit
  21. 18 Apr, 2013 1 commit
  22. 13 Sep, 2011 1 commit
  23. 08 Oct, 2010 1 commit
  24. 23 Sep, 2010 1 commit
  25. 30 Aug, 2010 1 commit
  26. 12 Jun, 2010 1 commit
  27. 11 Jun, 2010 2 commits
  28. 21 Dec, 2009 1 commit
  29. 06 Nov, 2009 2 commits