summaryrefslogtreecommitdiffstats
AgeCommit message (Collapse)AuthorFilesLines
2017-12-07Fix CVE-2016-5434 (DoS/loop and out of boundary read)Nils Freydank1-4/+44
This is a rewrite of Tobias Stoeckmann’s patch from June 2016[1] using functions instead of macros. (Thanks to Tobias for explanations of his patch.) A short question on Freenode IRC showed that macros are generally discouraged and functions should be used. The patch introduces a static size_t length_check() in libalpm/signing.c. [1] Original patch: https://lists.archlinux.org/pipermail/pacman-dev/2016-June/021148.html CVE request (and assignment): http://seclists.org/oss-sec/2016/q2/526 Signed-off-by: Allan McRae <allan@archlinux.org>
2017-12-07makepkg.conf: correct the documentation on the default optionsEli Schwartz2-4/+4
The documentation for OPTIONS and BUILDENV listed some incorrect defaults for undefined options. The defaults are implementation-defined in the source code for makepkg itself (e.g. it depends whether we use `check_option "opt" "y"` or `check_option "opt" "n"`) but were erroneously declared to be "whatever we *define* in the default makepkg.conf". Fixes FS#55754 Signed-off-by: Eli Schwartz <eschwartz@archlinux.org> Signed-off-by: Allan McRae <allan@archlinux.org>
2017-12-07makepkg: implement error codesIvy Foster4-61/+158
For your convenience, makepkg now has 16 distinct ways to fail. Also closes FS#54204. Signed-off-by: Ivy Foster <iff@escondida.tk> Signed-off-by: Allan McRae <allan@archlinux.org>
2017-12-07makepkg: clarify error when user passes -FIvy Foster1-1/+1
Signed-off-by: Allan McRae <allan@archlinux.org>
2017-10-17libmakepkg: only output package file names when checking for build referencesAllan McRae1-1/+1
The leading directory is distraction from identifying the files containing build references. Signed-off-by: Allan McRae <allan@archlinux.org>
2017-09-14Make the flags used for sed -i configurableAlastair Hughes3-8/+15
Not all sed implementations on linux accept the --follow-symlinks argument, so let the user configure the arguments passed to sed if required. Signed-off-by: Alastair Hughes <hobbitalastair@gmail.com> [Allan: fixed configure summary output] Signed-off-by: Allan McRae <allan@archlinux.org>
2017-09-14libmakepkg: grammar fixAllan McRae1-1/+1
Signed-off-by: Allan McRae <allan@archlinux.org>
2017-09-13makepkg: respect $SOURCE_DATE_EPOCH to activate reproducible buildsEli Schwartz2-1/+28
If SOURCE_DATE_EPOCH is set, `touch` all source files between the (optional) prepare() and build() functions to unify the modification times. This works around build systems and compilers that embed the file modification times into the file contents of release artifacts. Signed-off-by: Eli Schwartz <eschwartz@archlinux.org> Signed-off-by: Allan McRae <allan@archlinux.org>
2017-09-13libmakepkg: check for invalid tags in gitEli Schwartz1-1/+10
As per https://lists.archlinux.org/pipermail/arch-general/2017-July/043876.html git doesn't check that the tag name matches what an annotated tag object *thinks* it should be called. This is a bit of a theoretical attack and some would argue that we should always use commits since upstream can legitimately change a tag, but nevertheless this can result in a downgrade attack if the git download transport was manipulated or the upstream repository hacked. So, check the tag blob to make sure the tag actually matches the name we used for `git checkout`. This really should be fixed in git itself, rather than forcing all downstream users of git verify-tag to implement their own checks, but the git developers disagree, see the discussion surrounding https://public-inbox.org/git/xmqqk2hzldx8.fsf@gitster.mtv.corp.google.com/ Signed-off-by: Eli Schwartz <eschwartz@archlinux.org> Signed-off-by: Allan McRae <allan@archlinux.org>
2017-07-28Fix brace coding style issuesMichael Straube2-4/+5
- Add missing braces to one-line if blocks - Move opening brace to line end Signed-off-by: Michael Straube <straubem@gmx.de>
2017-07-28Fix coding style issue in pacman/util.cMichael Straube1-4/+8
Add missing braces to some one-line if blocks. Signed-off-by: Michael Straube <straubem@gmx.de> Signed-off-by: Allan McRae <allan@archlinux.org>
2017-07-11test/pacman: fix spelling of distribution name and another typoMichael Straube2-4/+4
Signed-off-by: Michael Straube <straubem@gmx.de> Signed-off-by: Allan McRae <allan@archlinux.org>
2017-07-11clarify broken dependency error messagesAndrew Gregory1-5/+6
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com> Signed-off-by: Allan McRae <allan@archlinux.org>
2017-07-11provide command for downloading missing databasesAndrew Gregory1-2/+3
This is primarily to help users who are not aware that -F operations use a separate set of databases that need to be separately downloaded. Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com> Signed-off-by: Allan McRae <allan@archlinux.org>
2017-07-06alpm_list: abort on memory allocation failureAndrew Gregory1-5/+24
This makes it possible to detect a failure in several alpm_list functions. Previously these functions would continue after a failure, returning partial results and potentially leaking memory. Unfortunately, NULL is a valid return value for the affected functions if the input list is empty, so they still do not have a dedicated error value. Callers can at least detect an error by checking if the input list was empty. Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com> Signed-off-by: Allan McRae <allan@archlinux.org>
2017-07-06makepkg: add more information to .BUILDINFOLevente Polyak1-2/+10
The .BUILDINFO file should retain all the information needed to reproducibly build a package. Add some extra information to the file and also provide a version number to keep track of future changes. Signed-off-by: Allan McRae <allan@archlinux.org>
2017-07-06makepkg: set default value for PACKAGERAllan McRae1-7/+2
In write_pkginfo, we checked if $PACKAGER was undefined, and gave a default value if not. Just do this upfront to simplify this function. Signed-off-by: Allan McRae <allan@archlinux.org>
2017-07-06makepkg: always write pkgbaseAllan McRae1-3/+1
There is little savings in only writing pkgbase when different to pkgname, and it makes determining the pkgbase by parsing .PKGINFO slightly easier. Lets just write it... Signed-off-by: Allan McRae <allan@archlinux.org>
2017-07-06makepkg: do not write baseverAllan McRae1-3/+0
Since 8a02abcf19, this attribute will never exist. Remove check to write it. Signed-off-by: Allan McRae <allan@archlinux.org>
2017-07-06libmakepkg: Fix improperly spelled local variable declarationEli Schwartz1-1/+1
Signed-off-by: Eli Schwartz <eschwartz93@gmail.com> Signed-off-by: Allan McRae <allan@archlinux.org>
2017-07-06libmakepkg/integrity: Fix error message not sent to stderrEli Schwartz1-1/+1
Signed-off-by: Eli Schwartz <eschwartz93@gmail.com> Signed-off-by: Allan McRae <allan@archlinux.org>
2017-07-06libmakepkg: fix unsanitized source filenamesEli Schwartz1-2/+2
There were a couple places where filenames beginning with "-" were not properly guarded against by passing them after "--". Some PKGBUILD authors are crazy, but we still take those into account. Signed-off-by: Eli Schwartz <eschwartz93@gmail.com> Signed-off-by: Allan McRae <allan@archlinux.org>
2017-07-06fix typo in libalpm commentChristian Hesse1-1/+1
contatenate -> concatenate Signed-off-by: Christian Hesse <mail@eworm.de> Signed-off-by: Allan McRae <allan@archlinux.org>
2017-05-16makepkg: introduce SOURCE_DATE_EPOCHAllan McRae1-4/+9
This patch introduces the SOURCE_DATE_EPOCH environmental variable. All files in a package are adjusted to have their modification dates set to the value of SOURCE_DATE_EPOCH, which defaults to "date +%s". Setting this variable allows a package that is built twice in the same environment to be (potentially) reproducible in that the checksum of the generated package file will be the same. Also adjust the compression of the mtree file to avoid gzip embedding a timestamp. Signed-off-by: Levente Polyak <anthraxx@archlinux.org>
2017-05-16makepkg: remove build date from .PKGINFO headerAllan McRae1-1/+0
This information is duplicated (in less friendly format) in the "builddate" entry and removing it improves reproducible packaging. Signed-off-by: Allan McRae <allan@archlinux.org> Signed-off-by: Levente Polyak <anthraxx@archlinux.org>
2017-05-16remove unused byte from user agent bufferAndrew Gregory1-1/+1
snprintf prints at most n bytes including the terminating '\0'. The extra reserved byte was never being used. Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com> Signed-off-by: Allan McRae <allan@archlinux.org>
2017-05-16check for overflow when setting HTTP_USER_AGENTAndrew Gregory1-1/+6
gcc7 issues a warning about a potential overflow if left unchecked. Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com> Signed-off-by: Allan McRae <allan@archlinux.org>
2017-05-16query_fileowner: avoid buffer overflowAndrew Gregory1-0/+1
Copying a string into a buffer that has just been determined to not be able to hold it is obviously incorrect. The actual error handling appears to have been unintentionally removed in 47762ab687959e48acc2de8592fcf3ba3cfa502b. Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com> Signed-off-by: Allan McRae <allan@archlinux.org>
2017-05-16alpm_unlock: check handle before dereferencingAndrew Gregory1-0/+1
Prevents SIGSEGV if we catch SIGINT or SIGHUP before initializing alpm. Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com> Signed-off-by: Allan McRae <allan@archlinux.org>
2017-05-08pacman.8: fix typo in query optionsMichael Straube1-1/+1
Signed-off-by: Michael Straube <straubem@gmx.de> Signed-off-by: Allan McRae <allan@archlinux.org>
2017-05-08free memory for --overwrite listsAndrew Gregory2-0/+2
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com> Signed-off-by: Allan McRae <allan@archlinux.org>
2017-05-08add send_fakem to valgrind.suppAndrew Gregory1-0/+8
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com> Signed-off-by: Allan McRae <allan@archlinux.org>
2017-05-08be_sync: error out if a db cannot be parsedAndrew Gregory1-5/+12
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com> Signed-off-by: Allan McRae <allan@archlinux.org>
2017-05-08makepkg: create signature files outside of fakerootAllan McRae2-7/+36
With recent version of gpg, signing within fakeroot works on the first invocation, but fails on later runs. Sign all packages outside of fakeroot to avoid this issue. Fixes FS#49946. Signed-off-by: Allan McRae <allan@archlinux.org>
2017-04-17makepkg: do not create symlinks in build directoryAllan McRae1-28/+0
Setting PKGDEST and friends enables us to keep all built packages in a single location. Symlinking these files into the build directory creates unnecessary clutter and requires clean-up in multiple places when removing old version. Signed-off-by: Allan McRae <allan@archlinux.org>
2017-04-17makepkg: clean up pkgver and prepare log filesHEADworkingMichael Straube1-0/+6
Delete log files for the pkgver and prepare functions if -c,--clean is passed. Fixes FS#51039 and FS#51075 Includes patch submitted by Christian Braun. Signed-off-by: Michael Straube <straubem@gmx.de> Signed-off-by: Allan McRae <allan@archlinux.org>
2017-04-17run_chroot: label pipe endpoints for readabilityAndrew Gregory1-12/+17
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
2017-04-17add --sysroot optionAndrew Gregory4-8/+32
--root is not sufficient to properly operate on a mounted guest system. Using --root still uses the host system's configuration and there is no way to correctly use the guest configuration without manually modifying any Include directives. --sysroot provides an easier way to operate on a guest system by chrooting immediately after option parsing before configuration parsing or performing any operations. It is currently limited to the root user, but that's enough for restoring a guest system to a working state, which is the primary intended use case. Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
2017-04-17use sockets for scriptlet/hook communicationAndrew Gregory1-13/+4
If a scriptlet/hook dies at the wrong moment it can trigger SIGPIPE, terminating the process. For pipes, there is no way to prevent SIGPIPE other than ignoring it process-wide. This can have unintended consequences in a multi-threaded process. Using send(2) with sockets, however, allows ignoring SIGPIPE on a per-call basis, leaving other threads able to make use of SIGPIPE. Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
2017-04-17conflict: include owner for filesystem conflictsAndrew Gregory4-7/+45
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
2017-04-17unlink_file: strip trailing slashesAndrew Gregory3-1/+29
If the user replaces a directory with a symlink, libalpm would get confused because the trailing slash causes system calls to resolve the symlink. This leads to errors and a misleading message during upgrades. Even though libalpm does not support this, it should not be giving misleading errors. Also adds an overflow check. Fixes FS#51377 Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
2017-04-16sortbydeps: rename vptr -> iAndrew Gregory1-5/+5
vptr is a simple list iterator, which are typically named i. Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
2017-04-16sortbydeps: rename found -> switched_to_childAndrew Gregory1-4/+4
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
2017-04-16sortbydeps: factor out dep cycle warningAndrew Gregory1-33/+37
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
2017-04-16graph.h: rename childptr -> iteratorAndrew Gregory3-10/+10
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
2017-04-16graph.h: replace hardcoded values with an enumAndrew Gregory3-8/+14
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
2017-04-12deprecate --force in favor of --overwriteAndrew Gregory2-9/+2
--force is widely misunderstood and the same effect can now be achieved with --overwrite, which is better named and can be used more safely. Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com> Signed-off-by: Allan McRae <allan@archlinux.org>
2017-04-12add --overwrite option to ignore file conflictsAndrew Gregory12-4/+101
Allows for safer, more fine-grained control for overwriting files than --force's all-or-nothing approach. Implements FS#31549. Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com> Signed-off-by: Allan McRae <allan@archlinux.org>
2017-04-12libalpm: Use archive_read_extract2Armin K1-1/+15
archive_read_extract() forces resolution of uid/gid to names when extracting the tarball. This can lead to wrong file ownership when using pacman with -r option and when uid/gid differ in the host and in the chroot. archive_read_extract2() uses uid's and gid's only. See also: https://lists.archlinux.org/pipermail/pacman-dev/2017-March/021912.html Signed-off-by: Armin K <krejzi@email.com> Signed-off-by: Allan McRae <allan@archlinux.org>
2017-04-04Replace @SIZECMD@ with POSIX-compatible commandDrew DeVault3-10/+5
Now uses wc -c $file | cut -d' ' -f1, which works using only POSIX commands and removes the need for any platform-specific usages. Signed-off-by: Drew DeVault <sir@cmpwn.com> Signed-off-by: Allan McRae <allan@archlinux.org>