apk-tools/src, branch 2.6-stable Alpine Package Keeper, the 2.x tree rework unpacking of packages and harden package file format requirements 2018-09-10T08:18:39+00:00 Timo Teräs timo.teras@iki.fi 2018-09-05T16:49:22+00:00 d2eb263642527d7b6c8c71042a994dcea368b632 A crafted .apk file could to trick apk writing unverified data to an unexpected file during temporary file creation due to bugs in handling long link target name and the way a regular file is extracted. Several hardening steps are implemented to avoid this: - the temporary file is now always first unlinked (apk thus reserved all filenames .apk.* to be it's working files) - the temporary file is after that created with O_EXCL to avoid races - the temporary file is no longer directly the archive entry name and thus directly controlled by potentially untrusted data - long file names and link target names are now rejected - hard link targets are now more rigorously checked - various additional checks added for the extraction process to error out early in case of malformed (or old legacy) file Reported-by: Max Justicz <max@justi.cz> (cherry picked from commit 6484ed9849f03971eb48ee1fdc21a2f128247eb1) 
A crafted .apk file could to trick apk writing unverified data to
an unexpected file during temporary file creation due to bugs in handling
long link target name and the way a regular file is extracted.

Several hardening steps are implemented to avoid this:
 - the temporary file is now always first unlinked (apk thus reserved
   all filenames .apk.* to be it's working files)
 - the temporary file is after that created with O_EXCL to avoid races
 - the temporary file is no longer directly the archive entry name
   and thus directly controlled by potentially untrusted data
 - long file names and link target names are now rejected
 - hard link targets are now more rigorously checked
 - various additional checks added for the extraction process to
   error out early in case of malformed (or old legacy) file

Reported-by: Max Justicz <max@justi.cz>
(cherry picked from commit 6484ed9849f03971eb48ee1fdc21a2f128247eb1)
apk: sanitize return value 2018-09-06T11:47:02+00:00 Timo Teräs timo.teras@iki.fi 2018-09-05T07:21:22+00:00 d214c18ac51adb7317284f8f65173494cc726814 Most applets return whatever apk_solver_commit() returns. It is the number of errors found (or negative for hard error). Sanitize the error value to not give false success exit code in the unlikely case of errors % 256 == 0. Reported-by: Max Justicz <max@justi.cz> (cherry picked from commit 7b654e125461b00bc26e52b25e6a7be3a32c11b9) (cherry picked from commit 7c90fd0529c0358dd04cab0fce506e8a8b191506) 
Most applets return whatever apk_solver_commit() returns. It is the
number of errors found (or negative for hard error). Sanitize the
error value to not give false success exit code in the unlikely case
of errors % 256 == 0.

Reported-by: Max Justicz <max@justi.cz>
(cherry picked from commit 7b654e125461b00bc26e52b25e6a7be3a32c11b9)
(cherry picked from commit 7c90fd0529c0358dd04cab0fce506e8a8b191506)
archive: enable FIFO extraction 2018-09-06T11:46:28+00:00 Jesse Young jlyo@jlyo.org 2018-08-14T17:32:09+00:00 abe925f864e38a095ab26b0cbcb4b74d60d667ee (cherry picked from commit 1d55b9488f2d9c6d367fa7f21b058466c24f3ad1) 
(cherry picked from commit 1d55b9488f2d9c6d367fa7f21b058466c24f3ad1)
io: fix skip and splice to detect unexpected end-of-file 2018-09-06T11:45:23+00:00 Timo Teräs timo.teras@iki.fi 2017-10-12T10:35:46+00:00 70deb0aa595a9a45b0628738eb196666b8ac03f8 (cherry picked from commit 2f3c8420493a731556909eb3ebd6d50478fb7b24) 
(cherry picked from commit 2f3c8420493a731556909eb3ebd6d50478fb7b24)
tar: return correct error for short read of tar archive 2018-09-06T11:35:52+00:00 Timo Teräs timo.teras@iki.fi 2017-01-05T14:14:44+00:00 e48f441ed53744d24b3f745efccb8134e5abedb1 (cherry picked from commit ca368916e0333bf24cdcbdbe42130ec6a92c3f6e) 
(cherry picked from commit ca368916e0333bf24cdcbdbe42130ec6a92c3f6e)
archive: validate reading of pax and gnu long filename extensions 2017-06-23T07:03:20+00:00 Timo Teräs timo.teras@iki.fi 2017-06-21T12:25:18+00:00 cb5972fba80f3b3b97c4f816ffb368a03616c6a9 Detect properly if the file stream gets an error during these read operations. Reported-by: Ariel Zelivansky from Twistlock (cherry picked from commit cd531aef3033475c26f29a1f650a3bf392cc2daa) 
Detect properly if the file stream gets an error during these
read operations.

Reported-by: Ariel Zelivansky from Twistlock
(cherry picked from commit cd531aef3033475c26f29a1f650a3bf392cc2daa)
archive: fix incorrect bounds checking for memory allocation 2017-06-23T07:03:16+00:00 Timo Teräs timo.teras@iki.fi 2017-06-21T12:12:02+00:00 285371126a44d50bf81fe7957560bc0c048d1fdb The value from tar header is unsigned int; keep it casted to unsigned int and size_t instead of (signed) int, otherwise the comparisons fail to do their job properly. Additionally check entry.size against SSIZE_MAX so the rounding up later on is guaranteed to not overflow. Fixes CVE-2017-9669 and CVE-2017-9671. Reported-by: Ariel Zelivansky from Twistlock (cherry picked from commit 286aa77ef1811e477895713df162c92b2ffc6df8) 
The value from tar header is unsigned int; keep it casted to
unsigned int and size_t instead of (signed) int, otherwise
the comparisons fail to do their job properly. Additionally check
entry.size against SSIZE_MAX so the rounding up later on is
guaranteed to not overflow.

Fixes CVE-2017-9669 and CVE-2017-9671.
Reported-by: Ariel Zelivansky from Twistlock

(cherry picked from commit 286aa77ef1811e477895713df162c92b2ffc6df8)
pkg: reset umask for package scripts 2016-08-23T11:21:16+00:00 Timo Teräs timo.teras@iki.fi 2016-08-23T11:21:16+00:00 0545fa0d355416e8a0144a2991fe7fe5490e9551 It is unreasonable to assume that all package writers would except to reset umask themselves. It's done currently in most packages, but we had first issue of this kind recently, so better just reset umask. 
It is unreasonable to assume that all package writers would except
to reset umask themselves. It's done currently in most packages,
but we had first issue of this kind recently, so better just reset
umask.
upgrade: improve self upgrade functionality a bit 2016-07-22T08:13:33+00:00 Timo Teräs timo.teras@iki.fi 2016-07-22T08:13:33+00:00 ac0a9659d1c86e9c0b4234a16486e084bcb0a555 trigger it only if apk-tools can be upgrade, add test cases 
trigger it only if apk-tools can be upgrade, add test cases
lua: remove unused reg_apk_db_meta_methods 2016-07-22T07:11:04+00:00 Timo Teräs timo.teras@iki.fi 2016-07-22T07:11:04+00:00 22434a5ff03db80f329c90fc628f3332f87698d4