1. 12 Apr, 2021 1 commit
    • Timo Teräs's avatar
      io_archive: add bounds limit for uname and gname tar header fields · f7143c17
      Timo Teräs authored
      Modify apk_resolve_[ug]id to take the user/groupname as a blob, so
      proper length checking is done and honored.
      ==31584== Conditional jump or move depends on uninitialised value(s)
      ==31584==    at 0x5C8CA5: strlen (strlen.c:17)
      ==31584==    by 0x432575: APK_BLOB_STR (apk_blob.h:79)
      ==31584==    by 0x4350EB: apk_resolve_uid (io.c:1112)
      ==31584==    by 0x43696C: apk_tar_parse (io_archive.c:152)
      ==31584==    by 0x4271BC: apk_pkg_read (package.c:929)
      ==31584==    by 0x402D75: add_main (app_add.c:163)
      ==31584==    by 0x40D5FF: main (apk-static.c:516)
      Fixes a potential crash (DoS) on a crafted TAR file. CVE-2021-30139.
      Reported-by: Sören Tempel's avatarSören Tempel <soeren+git@soeren-tempel.net>
      Reviewed-by: Ariadne Conill's avatarAriadne Conill <ariadne@dereferenced.org>
  2. 11 Apr, 2021 1 commit
    • Timo Teräs's avatar
      io: fix fd leak in error handling paths · 4bcd7921
      Timo Teräs authored
      apk_dir_foreach_file and apk_resolve_[ug]id needs to free the fd in
      case fdopen/fdopendir fails. Additionally this does not rely on fdopen
      to fail if openat() returned -1, making sure that we don't call any
      syscalls with invalid file handle.
  3. 02 Apr, 2021 1 commit
    • Sören Tempel's avatar
      Fix segfault in log_internal if prefix is APK_OUT_LOG_ONLY · 1b954e41
      Sören Tempel authored
      This commit fixes a regression which was introduced in changeset
      646c8344. If apk_out_fmt() is called
      while out->log is set and prefix is set to APK_OUT_LOG_ONLY, then
      apk_out_fmt() would pass this prefix to log_internal() which would, in
      turn, attempt to write it to standard out using fprintf().
      Unfortunately, doing so wont work as intended if prefix is ((char*)-1)
      (i.e. APK_OUT_LOG_ONLY) and will cause a segmentation fault instead.
      This commit fixes this segmentation fault by not printing the prefix in
      log_internal() if it is either NULL or APK_OUT_LOG_ONLY.
  4. 19 Mar, 2021 3 commits
    • Drew DeVault's avatar
      Log to /var/log/apk.log · 646c8344
      Drew DeVault authored
      This adds a log file at /var/log/apk.log. On each run, apk's version
      information and the current date & time are written to this file,
      followed by any normal apk output.
    • Ariadne Conill's avatar
      database: do not chroot(".") unless actually necessary · 4fe5ac83
      Ariadne Conill authored
      If we use default root (/), then we do not have to chroot to run scripts.
      Use APK_NO_CHROOT flag for this scenario to avoid the chroot.  This helps
      with using apk with bwrap and OSTree.
      Closes #10736.
    • Timo Teräs's avatar
      del: report correctly package's provides names · 51162143
      Timo Teräs authored
      The code assumed that when package is in world, it would be there
      by it's primary name. The code is now updated to properly print the
      package names that are actually present in world.
      fixes #10718
  5. 16 Mar, 2021 1 commit
  6. 13 Mar, 2021 1 commit
    • Martin Vahlensieck's avatar
      Use correct port when redirected · 8e993fe9
      Martin Vahlensieck authored
      If server redirects from http to https, libfetch detects this, but
      wrongly uses the old url scheme to determine the port. This subsequently
      leads to the following OpenSSL error:
      139741541575496:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:331:
      Using the new scheme fixes this.  This error message comes from trying
      to connect to port 80 with TLS, it can also be observed by issuing
        $ openssl s_client -connect alpinelinux.org:80
      This bug was introduced in commit:
      7158474f libfetch: keep http auth only if redirect is for the same host
  7. 07 Feb, 2021 1 commit
  8. 04 Feb, 2021 3 commits
    • Timo Teräs's avatar
      db: consider control characters in filename as malicious · 1a4f2e94
      Timo Teräs authored
      Especially a newline can produce havoc in the database file as
      the filename is written there as-is. This hardenes the extraction
      to consider any control character as malicious. Additional
      hardening is added to database loading to better detect corrupt
      state and return proper error code about it.
      Reported-by: Luca Weiss's avatarLuca Weiss <luca@z3ntu.xyz>
    • Olliver Schinagl's avatar
      io: Handle really long lines · f6656f9d
      Olliver Schinagl authored
      While commit 18b0b45b
       (io: Handle long lines, Thu Jan 7 17:25:23 2021
      +0100) did attempt to address this issue, the buffer really is still to
      small when dealing with big-big dependency lists.
      Lets make it sufficiently large for now, until the new APKINDEX format
      can support multi-line dependencies, making this not needed any more.
      [TT: Originally the buffer size was conservative to run on resource
      constrained embedded platforms. But since the available memory on those
      has also increased much, the adjustment to 128kB makes sense also to
      increase performance a little bit. Removing also the iolimit test.]
      Signed-off-by: Olliver Schinagl's avatarOlliver Schinagl <oliver@schinagl.nl>
    • Timo Teräs's avatar
      gunzip: fix false end-of-file condition in rare circumstances · b43da45b
      Timo Teräs authored
      It turns out inflate() can output zero bytes, even if it consumed
      data. This had the unfortunate side effect of returning zero bytes
      (end-of-file) condition before calling the boundary callbacks. This
      fixes the logic to not return zero reads on gzip boundary.
      In practice this fixes the seldom seen issues of apk reporting
      bad signature (when it was correct).
  9. 27 Jan, 2021 1 commit
  10. 19 Jan, 2021 4 commits
    • Timo Teräs's avatar
      libfetch: harden URL parsing · bcbcbfc1
      Timo Teräs authored
      Treat URLs with too long individual components as malformed instead
      of silently truncating that field. There might be unexpected results
      if hostname, username or password field gets truncated.
    • Timo Teräs's avatar
      libfetch: fix connection pooling for proxied http/https requests · acca5cbf
      Timo Teräs authored
      The connection pooling was broken in two ways:
       1. The original URL was always used as the connection pool URL,
          resulting in duplicate connections to the proxy for http URLs
          (each http URL would get separate proxy connection)
       2. The cache_url stored was always the socket level connect URL.
          In case of HTTPS, the lookup was done done with the real URL,
          but the proxy URL was stored as the "cache URL". Thus HTTPS
          CONNECT connections were never re-used.
      This fixes the code with following logic:
       1. The cache key url is the real URL when no-proxy, or when HTTPS
          with proxy (the socket is connected to proxy, but logically it
          is connected to the real URL due to HTTP CONNECT request).
          And for HTTP with proxy, it's the proxy URL so same proxy
          connection can be reused for all requests going through it.
       2. fetch_connect() now gets cache key URL separately, and it always
          gets the same value as the fetch_cache_get() calls.
    • Timo Teräs's avatar
    • Conny Seifert's avatar
      libfetch: fix parsing of proxy response to CONNECT requests · 4087ab92
      Conny Seifert authored
      Instead of skipping just one line, properly parse the response headers.
      [TT: reworded commit message]
  11. 17 Jan, 2021 2 commits
  12. 14 Jan, 2021 1 commit
  13. 11 Jan, 2021 2 commits
  14. 08 Jan, 2021 1 commit
  15. 29 Dec, 2020 1 commit
  16. 11 Nov, 2020 1 commit
  17. 10 Nov, 2020 1 commit
  18. 09 Oct, 2020 14 commits