    rework unpacking of packages and harden package file format requirements · 7960a80c
    Timo Teräs authored
    
    
    A crafted .apk file could trick apk into writing unverified data to
    an unexpected file during temporary file creation due to bugs in handling
    long link target name and the way a regular file is extracted.
    
    Several hardening steps are implemented to avoid this:
     - the temporary file is now always first unlinked (apk thus reserved
       all filenames .apk.* to be its working files)
     - the temporary file is after that created with O_EXCL to avoid races
     - the temporary file is no longer directly the archive entry name
       and thus directly controlled by potentially untrusted data
     - long file names and link target names are now rejected
     - hard link targets are now more rigorously checked
     - various additional checks added for the extraction process to
       error out early in case of malformed (or old legacy) file
    
    Reported-by: Max Justicz <max@justi.cz>
    (cherry picked from commit 6484ed98)
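The first three hardening steps listed in the commit message above (unlink first, create with O_EXCL, working name not taken from the archive entry), together with the long-name rejection, as an added C sketch that is not apk-tools code. The helper names, the 255-byte limit and the FNV-1a hash used to derive the `.apk.*` name are assumptions made for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
#define MAX_ENTRY_NAME 255 /* assumed limit for this sketch, not apk's value */

/* Build ".apk.<hash>" so no byte of the untrusted entry name reaches the path. */
static int tmp_name(const char *entry, char *out, size_t len)
{
    size_t n = strlen(entry);
    uint64_t h = 0xcbf29ce484222325ULL; /* FNV-1a, chosen for brevity (assumption) */
    if (n == 0 || n > MAX_ENTRY_NAME) return -ENAMETOOLONG; /* reject, never truncate */
    for (size_t i = 0; i < n; i++) h = (h ^ (unsigned char)entry[i]) * 0x100000001b3ULL;
    return snprintf(out, len, ".apk.%016llx", (unsigned long long)h) < (int)len ? 0 : -ENAMETOOLONG;
}

/* Unlink whatever sits at the working name, then create it exclusively.
 * O_CREAT|O_EXCL fails with EEXIST if anything, a symlink included, reappears. */
static int open_tmp(int dirfd, const char *entry, char *tmp, size_t len)
{
    int fd, r = tmp_name(entry, tmp, len);
    if (r < 0) return r;
    if (unlinkat(dirfd, tmp, 0) < 0 && errno != ENOENT) return -errno;
    fd = openat(dirfd, tmp, O_CREAT | O_EXCL | O_WRONLY | O_CLOEXEC, 0600);
    return fd < 0 ? -errno : fd;
}

/* Constructed scenario: a symlink is pre-planted at the working name.
 * Returns 0 if the data landed in a new regular file and not at the link target. */
static int demo_planted_symlink(void)
{
    char dir[] = "/tmp/apkdemoXXXXXX", tmp[32];
    struct stat st;
    int dfd, fd, ok;
    if (!mkdtemp(dir) || (dfd = open(dir, O_RDONLY | O_DIRECTORY)) < 0 ||
        tmp_name("usr/bin/tool", tmp, sizeof tmp) < 0 || symlinkat("victim", dfd, tmp) < 0)
        return -1;
    fd = open_tmp(dfd, "usr/bin/tool", tmp, sizeof tmp);
    ok = fd >= 0 && write(fd, "data", 4) == 4 &&
         fstatat(dfd, tmp, &st, AT_SYMLINK_NOFOLLOW) == 0 && S_ISREG(st.st_mode) &&
         fstatat(dfd, "victim", &st, 0) < 0 && errno == ENOENT;
    if (fd >= 0) close(fd);
    unlinkat(dfd, tmp, 0); close(dfd); rmdir(dir);
    return ok ? 0 : -1;
}
int main(void) { return demo_planted_symlink() ? 1 : 0; }
```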