-apt (0.9.7.8) UNRELEASED; urgency=low
+apt (0.9.7.9~exp3) UNRELEASED; urgency=low
+
++ [ Michael Vogt ]
+ * apt-pkg/sourcelist.cc:
+ - fix segfault when a hostname contains a [, thanks to
+ Tzafrir Cohen (closes: #704653)
+ * debian/control:
+ - replace manpages-it (closes: #704723)
+
- -- Michael Vogt <michael.vogt@ubuntu.com> Thu, 04 Apr 2013 18:21:06 +0200
++ [ Marc Deslauriers ]
++ * make apt-ftparchive generate missing deb-src hashes (LP: #1078697)
++
++ -- Michael Vogt <mvo@debian.org> Mon, 08 Apr 2013 08:43:21 +0200
+
+apt (0.9.7.9~exp2) experimental; urgency=low
+
+ [ Programs translations ]
+ * Update all PO files and apt-all.pot
+ * French translation completed (Christian Perrier)
+
+ [ Daniel Hartwig ]
+ * cmdline/apt-get.cc:
+ - do not have space between "-a" and option when cross building
+ (closes: #703792)
+ * test/integration/test-apt-get-download:
+ - fix test now that #1098752 is fixed
+ * po/{ca,cs,ru}.po:
+ - fix merge artifact
+
+ [ David Kalnischkies ]
+ * apt-pkg/indexcopy.cc:
+ - rename RunGPGV to ExecGPGV and move it to apt-pkg/contrib/gpgv.cc
+ * apt-pkg/contrib/gpgv.cc:
+ - ExecGPGV is a method which should never return, so mark it as such
+ and fix the inconsistency of returning in error cases
+ - don't close stdout/stderr if it is also the statusfd
+ - if ExecGPGV deals with a clear-signed file it will split this file
+ into data and signatures, pass it to gpgv for verification
+ - add method to open (maybe) clearsigned files transparently
+ * apt-pkg/acquire-item.cc:
+ - keep the last good InRelease file around just as we do it with
+ Release.gpg in case the new one we download isn't good for us
+ * apt-pkg/deb/debmetaindex.cc:
+ - reenable InRelease by default
+ * ftparchive/writer.cc,
+ apt-pkg/deb/debindexfile.cc,
+ apt-pkg/deb/deblistparser.cc:
+ - use OpenMaybeClearSignedFile to be free from detecting and
+ skipping clearsigning metadata in dsc and Release files
+
+ [ Michael Vogt ]
+ * add regression test for CVE-2013-1051
+ * implement GPGSplit() based on the idea from Ansgar Burchardt
+ (many thanks!)
+ * methods/connect.cc:
+ - use Errno() instead of strerror(), thanks to David Kalnischk
+ * doc/apt.conf.5.xml:
+ - document Acquire::ForceIPv{4,6}
+
+ -- Michael Vogt <mvo@debian.org> Wed, 03 Apr 2013 14:19:58 +0200
+
+apt (0.9.7.9~exp1) experimental; urgency=low
+
+ [ Niels Thykier ]
+ * test/libapt/assert.h, test/libapt/run-tests:
+ - exit with status 1 on test failure
+
+ [ Daniel Hartwig ]
+ * test/integration/framework:
+ - continue after test failure but preserve exit status
+
+ [ Programs translation updates ]
+ * Turkish (Mert Dirik). Closes: #703526
+
+ [ Colin Watson ]
+ * methods/connect.cc:
+ - provide useful error message in case of EAI_SYSTEM
+ (closes: #703603)
+
+ [ Michael Vogt ]
+ * add new config options "Acquire::ForceIPv4" and
+ "Acquire::ForceIPv6" to allow focing one or the other
+ (closes: #611891)
+ * lp:~mvo/apt/fix-tagfile-hash:
+ - fix false positives in pkgTagSection.Exists(), thanks to
+ Niels Thykier for the testcase (closes: #703240)
+ - this will require rebuilds of the clients as this used to
+ be a inline function
+
+ -- Michael Vogt <mvo@debian.org> Fri, 22 Mar 2013 21:57:08 +0100
+
+apt (0.9.7.8) unstable; urgency=criticial
+
+ * SECURITY UPDATE: InRelease verification bypass
+ - CVE-2013-1051
+
+ [ David Kalnischk ]
+ * apt-pkg/deb/debmetaindex.cc,
+ test/integration/test-bug-595691-empty-and-broken-archive-files,
+ test/integration/test-releasefile-verification:
+ - disable InRelease downloading until the verification issue is
+ fixed, thanks to Ansgar Burchardt for finding the flaw
+
+ -- Michael Vogt <mvo@debian.org> Thu, 14 Mar 2013 07:47:36 +0100
+
+apt (0.9.7.8~exp2) experimental; urgency=low
+
+ * include two missing patches to really fix bug #696225, thanks to
+ Guillem Jover
+ * ensure sha512 is really used when available, thanks to Tyler Hicks
+ (LP: #1098752)
+
+ -- Michael Vogt <mvo@debian.org> Fri, 01 Mar 2013 19:06:55 +0100
+
+apt (0.9.7.8~exp1) experimental; urgency=low
[ Manpages translation updates ]
* Italian (Beatrice Torracca). Closes: #696601
+ [ Programs translation updates ]
+ * Japanese (Kenshi Muto). Closes: #699783
+
[ Michael Vogt ]
* fix pkgProblemResolver::Scores, thanks to Paul Wise.
Closes: #697577
(LP: #1003633)
* apt-pkg/indexrecords.cc:
- support '\r' in the Release file
-
- [ Marc Deslauriers ]
- * make apt-ftparchive generate missing deb-src hashes (LP: #1078697)
- -- Christian Perrier <bubulle@debian.org> Mon, 24 Dec 2012 07:01:20 +0100
+ [ David Kalnischkies ]
+ * apt-pkg/depcache.cc:
+ - prefer to install packages which have an already installed M-A:same
+ sibling while choosing providers (LP: #1130419)
+
+ -- Michael Vogt <mvo@debian.org> Fri, 01 Mar 2013 14:16:42 +0100
apt (0.9.7.7) unstable; urgency=low
#include <apt-pkg/md5.h>
#include <apt-pkg/hashes.h>
#include <apt-pkg/deblistparser.h>
+#include <apt-pkg/fileutl.h>
+#include <apt-pkg/gpgv.h>
#include <sys/types.h>
#include <unistd.h>
// SourcesWriter::SourcesWriter - Constructor /*{{{*/
// ---------------------------------------------------------------------
/* */
- SourcesWriter::SourcesWriter(string const &BOverrides,string const &SOverrides,
- string const &ExtOverrides)
+ SourcesWriter::SourcesWriter(string const &DB, string const &BOverrides,string const &SOverrides,
+ string const &ExtOverrides) :
+ Db(DB), Stats(Db.Stats)
{
Output = stdout;
AddPattern("*.dsc");
DoMD5 = _config->FindB("APT::FTPArchive::Sources::MD5",DoMD5);
DoSHA1 = _config->FindB("APT::FTPArchive::Sources::SHA1",DoSHA1);
DoSHA256 = _config->FindB("APT::FTPArchive::Sources::SHA256",DoSHA256);
+ DoSHA512 = _config->FindB("APT::FTPArchive::Sources::SHA512",DoSHA512);
NoOverride = _config->FindB("APT::FTPArchive::NoOverrideMsg",false);
+ DoAlwaysStat = _config->FindB("APT::FTPArchive::AlwaysStat", false);
// Read the override file
if (BOverrides.empty() == false && BOver.ReadOverride(BOverrides) == false)
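Review bot: `Stats(Db.Stats)` in the new initializer list reads a member of `Db`, which is only well-defined if `Db` is declared before `Stats` in SourcesWriter, because members are initialized in declaration order and not in the order written here. The class declaration is not part of this hunk, so this cannot be confirmed from here; if `Stats` is a value rather than a reference, a wrong order would copy an unconstructed object. A comment next to the members would make the dependency explicit, for example `// Db must stay declared before Stats: Stats is initialized from Db.Stats`. `DB` is also added as a new leading parameter without a default, so every caller of this constructor has to change in the same commit.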
// ---------------------------------------------------------------------
/* */
bool SourcesWriter::DoPackage(string FileName)
-{
+{
// Open the archive
- FileFd F(FileName,FileFd::ReadOnly);
- if (_error->PendingError() == true)
+ FileFd F;
+ if (OpenMaybeClearSignedFile(FileName, F) == false)
return false;
-
- // Stat the file for later
- struct stat St;
- if (fstat(F.Fd(),&St) != 0)
- return _error->Errno("fstat","Failed to stat %s",FileName.c_str());
- if (St.st_size > 128*1024)
+ unsigned long long const FSize = F.FileSize();
+ //FIXME: do we really need to enforce a maximum size of the dsc file?
+ if (FSize > 128*1024)
return _error->Error("DSC file '%s' is too large!",FileName.c_str());
-
- if (BufSize < (unsigned long long)St.st_size+1)
+
+ if (BufSize < FSize + 2)
{
- BufSize = St.st_size+1;
- Buffer = (char *)realloc(Buffer,St.st_size+1);
+ BufSize = FSize + 2;
+ Buffer = (char *)realloc(Buffer , BufSize);
}
-
- if (F.Read(Buffer,St.st_size) == false)
+
+ if (F.Read(Buffer, FSize) == false)
return false;
+ // Stat the file for later (F might be clearsigned, so not F.FileSize())
+ struct stat St;
+ if (stat(FileName.c_str(), &St) != 0)
+ return _error->Errno("fstat","Failed to stat %s",FileName.c_str());
+
// Hash the file
char *Start = Buffer;
- char *BlkEnd = Buffer + St.st_size;
-
- MD5Summation MD5;
- SHA1Summation SHA1;
- SHA256Summation SHA256;
- SHA256Summation SHA512;
-
- if (DoMD5 == true)
- MD5.Add((unsigned char *)Start,BlkEnd - Start);
- if (DoSHA1 == true)
- SHA1.Add((unsigned char *)Start,BlkEnd - Start);
- if (DoSHA256 == true)
- SHA256.Add((unsigned char *)Start,BlkEnd - Start);
- if (DoSHA512 == true)
- SHA512.Add((unsigned char *)Start,BlkEnd - Start);
+ char *BlkEnd = Buffer + FSize;
- // Add an extra \n to the end, just in case
- *BlkEnd++ = '\n';
-
- /* Remove the PGP trailer. Some .dsc's have this without a blank line
- before */
- const char *Key = "-----BEGIN PGP SIGNATURE-----";
- for (char *MsgEnd = Start; MsgEnd < BlkEnd - strlen(Key) -1; MsgEnd++)
+ Hashes DscHashes;
+ if (FSize == (unsigned long long) St.st_size)
{
- if (*MsgEnd == '\n' && strncmp(MsgEnd+1,Key,strlen(Key)) == 0)
- {
- MsgEnd[1] = '\n';
- break;
- }
+ if (DoMD5 == true)
+ DscHashes.MD5.Add((unsigned char *)Start,BlkEnd - Start);
+ if (DoSHA1 == true)
+ DscHashes.SHA1.Add((unsigned char *)Start,BlkEnd - Start);
+ if (DoSHA256 == true)
+ DscHashes.SHA256.Add((unsigned char *)Start,BlkEnd - Start);
+ if (DoSHA512 == true)
+ DscHashes.SHA512.Add((unsigned char *)Start,BlkEnd - Start);
}
-
- /* Read records until we locate the Source record. This neatly skips the
- GPG header (which is RFC822 formed) without any trouble. */
- pkgTagSection Tags;
- do
+ else
{
- unsigned Pos;
- if (Tags.Scan(Start,BlkEnd - Start) == false)
- return _error->Error("Could not find a record in the DSC '%s'",FileName.c_str());
- if (Tags.Find("Source",Pos) == true)
- break;
- Start += Tags.size();
+ FileFd DscFile(FileName, FileFd::ReadOnly);
+ DscHashes.AddFD(DscFile, St.st_size, DoMD5, DoSHA1, DoSHA256, DoSHA512);
}
- while (1);
+
+ // Add extra \n to the end, just in case (as in clearsigned they are missing)
+ *BlkEnd++ = '\n';
+ *BlkEnd++ = '\n';
+
+ pkgTagSection Tags;
+ if (Tags.Scan(Start,BlkEnd - Start) == false || Tags.Exists("Source") == false)
+ return _error->Error("Could not find a record in the DSC '%s'",FileName.c_str());
Tags.Trim();
-
+
// Lookup the overide information, finding first the best priority.
string BestPrio;
string Bins = Tags.FindS("Binary");
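Review bot: In the `else` branch, `FileFd DscFile(FileName, FileFd::ReadOnly)` is never checked and the result of `DscHashes.AddFD(...)` is discarded, so a clearsigned .dsc that cannot be reopened or fully read would still get hash lines written to Sources from whatever state `DscHashes` holds. The removed code returned on `_error->PendingError()` right after opening, and the same guard fits here: `if (_error->PendingError() == true || DscHashes.AddFD(DscFile, St.st_size, DoMD5, DoSHA1, DoSHA256, DoSHA512) == false) return false;` (assuming AddFD reports failure through its return value). The file is also looked up by name twice more after `OpenMaybeClearSignedFile` (the `stat` and this reopen), so the published size and hashes can describe a different file than the one that was parsed if it is replaced in between; hashing and stat-ing through one descriptor would avoid that. The `_error->Errno("fstat", ...)` label should now read `"stat"`. The body of DoPackage continues past this hunk.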
string const strippedName = flNotDir(FileName);
std::ostringstream ostreamFiles;
if (DoMD5 == true && Tags.Exists("Files"))
- ostreamFiles << "\n " << string(MD5.Result()) << " " << St.st_size << " "
+ ostreamFiles << "\n " << string(DscHashes.MD5.Result()) << " " << St.st_size << " "
<< strippedName << "\n " << Tags.FindS("Files");
string const Files = ostreamFiles.str();
std::ostringstream ostreamSha1;
if (DoSHA1 == true && Tags.Exists("Checksums-Sha1"))
- ostreamSha1 << "\n " << string(SHA1.Result()) << " " << St.st_size << " "
+ ostreamSha1 << "\n " << string(DscHashes.SHA1.Result()) << " " << St.st_size << " "
<< strippedName << "\n " << Tags.FindS("Checksums-Sha1");
- string const ChecksumsSha1 = ostreamSha1.str();
std::ostringstream ostreamSha256;
if (DoSHA256 == true && Tags.Exists("Checksums-Sha256"))
- ostreamSha256 << "\n " << string(SHA256.Result()) << " " << St.st_size << " "
+ ostreamSha256 << "\n " << string(DscHashes.SHA256.Result()) << " " << St.st_size << " "
<< strippedName << "\n " << Tags.FindS("Checksums-Sha256");
- string const ChecksumsSha256 = ostreamSha256.str();
std::ostringstream ostreamSha512;
- if (Tags.Exists("Checksums-Sha512"))
+ if (DoSHA512 == true && Tags.Exists("Checksums-Sha512"))
- ostreamSha512 << "\n " << string(SHA512.Result()) << " " << St.st_size << " "
+ ostreamSha512 << "\n " << string(DscHashes.SHA512.Result()) << " " << St.st_size << " "
<< strippedName << "\n " << Tags.FindS("Checksums-Sha512");
- string const ChecksumsSha512 = ostreamSha512.str();
// Strip the DirStrip prefix from the FileName and add the PathPrefix
string NewFileName;
string Directory = flNotFile(OriginalPath);
string Package = Tags.FindS("Source");
- // Perform the delinking operation over all of the files
+ // Perform operation over all of the files
string ParseJnk;
const char *C = Files.c_str();
char *RealPath = NULL;
ParseQuoteWord(C,ParseJnk) == false ||
ParseQuoteWord(C,ParseJnk) == false)
return _error->Error("Error parsing file record");
-
- char Jnk[2];
+
string OriginalPath = Directory + ParseJnk;
+
+ // Add missing hashes to source files
+ if ((DoSHA1 == true && !Tags.Exists("Checksums-Sha1")) ||
+ (DoSHA256 == true && !Tags.Exists("Checksums-Sha256")) ||
+ (DoSHA512 == true && !Tags.Exists("Checksums-Sha512")))
+ {
+ if (Db.GetFileInfo(OriginalPath, false, false, false, DoMD5, DoSHA1, DoSHA256, DoSHA512, DoAlwaysStat)
+ == false)
+ {
+ return _error->Error("Error getting file info");
+ }
+
+ if (DoSHA1 == true && !Tags.Exists("Checksums-Sha1"))
+ ostreamSha1 << "\n " << string(Db.SHA1Res) << " "
+ << Db.GetFileSize() << " " << ParseJnk;
+
+ if (DoSHA256 == true && !Tags.Exists("Checksums-Sha256"))
+ ostreamSha256 << "\n " << string(Db.SHA256Res) << " "
+ << Db.GetFileSize() << " " << ParseJnk;
+
+ if (DoSHA512 == true && !Tags.Exists("Checksums-Sha512"))
+ ostreamSha512 << "\n " << string(Db.SHA512Res) << " "
+ << Db.GetFileSize() << " " << ParseJnk;
+ }
+
+ // Perform the delinking operation
+ char Jnk[2];
+
if (readlink(OriginalPath.c_str(),Jnk,sizeof(Jnk)) != -1 &&
(RealPath = realpath(OriginalPath.c_str(),NULL)) != 0)
{
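Review bot: `Db.GetFileInfo(OriginalPath, ...)` opens and hashes a path built as `Directory + ParseJnk`, where `ParseJnk` is the file name parsed from the .dsc's Files field, and nothing in this hunk checks that it is a plain file name. A .dsc is supplied by whoever uploaded the source package, so a name with a directory component would make apt-ftparchive read a file outside the package directory and publish its size and hashes in Sources. A guard before the lookup would close that, e.g. `if (ParseJnk.find('/') != string::npos) return _error->Error("Invalid file name '%s' in DSC '%s'", ParseJnk.c_str(), FileName.c_str());`, assuming Files entries are never expected to carry sub-paths. The message `"Error getting file info"` would also be easier to act on if it included `OriginalPath`. The enclosing loop starts before this hunk and ends after it.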
if (Directory.length() > 2)
Directory.erase(Directory.end()-1);
+ string const ChecksumsSha1 = ostreamSha1.str();
+ string const ChecksumsSha256 = ostreamSha256.str();
+ string const ChecksumsSha512 = ostreamSha512.str();
+
// This lists all the changes to the fields we are going to make.
// (5 hardcoded + checksums + maintainer + end marker)
TFRewriteData Changes[5+2+1+SOverItem->FieldOverride.size()+1];
Stats.Packages++;
- return true;
+ return Db.Finish();
}
/*}}}*/