From 6484ed9849f03971eb48ee1fdc21a2f128247eb1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Timo=20Ter=C3=A4s?=
Date: Wed, 5 Sep 2018 19:49:22 +0300
Subject: rework unpacking of packages and harden package file format requirements

A crafted .apk file could to trick apk writing unverified data to an unexpected file during temporary file creation due to bugs in handling long link target name and the way a regular file is extracted.

Several hardening steps are implemented to avoid this:
- the temporary file is now always first unlinked (apk thus reserved all filenames .apk.* to be it's working files)
- the temporary file is after that created with O_EXCL to avoid races
- the temporary file is no longer directly the archive entry name and thus directly controlled by potentially untrusted data
- long file names and link target names are now rejected
- hard link targets are now more rigorously checked
- various additional checks added for the extraction process to error out early in case of malformed (or old legacy) file

Reported-by: Max Justicz
---
 src/commit.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'src/commit.c')

diff --git a/src/commit.c b/src/commit.c
index e82537f..ac6d7a5 100644
--- a/src/commit.c
+++ b/src/commit.c
@@ -232,8 +232,8 @@ static int run_commit_hook(void *ctx, int dirfd, const char *file)
 	struct apk_database *db = hook->db;
 	char fn[PATH_MAX], *argv[] = { fn, (char *) commit_hook_str[hook->type], NULL };
 
-	if ((apk_flags & (APK_NO_SCRIPTS | APK_SIMULATE)) != 0)
-		return 0;
+	if (file[0] == '.') return 0;
+	if ((apk_flags & (APK_NO_SCRIPTS | APK_SIMULATE)) != 0) return 0;
 
 	snprintf(fn, sizeof(fn), "etc/apk/commit_hooks.d" "/%s", file);
 	if ((apk_flags & APK_NO_COMMIT_HOOKS) != 0) {
-- cgit v1.2.3
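Review bot: The new guard `if (file[0] == '.') return 0;` in run_commit_hook rejects hook names by their first character without saying why, so a later reader cannot tell whether it exists to skip `.`/`..`, editor backup files, or apk's own `.apk.*` working files that this commit now reserves in target directories; a one-line comment would pin that down, e.g. `/* skip '.', '..' and dotfiles: apk's own .apk.* temporaries may live in commit_hooks.d */`. The second added line also reflows the pre-existing APK_NO_SCRIPTS/APK_SIMULATE check onto one line, which is unrelated churn in a security fix and makes blame harder to follow; keeping the original two-line form would limit the hunk to the new guard. If `file` comes from a directory walk (the `dirfd` parameter suggests so, but the caller is outside the hunk), an empty name yields `'\0'` and is correctly not skipped, so the check is safe as written. The body of run_commit_hook continues past the end of the hunk.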