While loading each package ensure that the internal version matches the
expected database version to avoid the possibility to circumvent the
version check.
This issue can be used by an attacker to trick the software into
installing an older version. The behavior can be exploited by a
man-in-the-middle attack through specially crafted database tarball
containing a higher version, yet actually delivering an older and
vulnerable version, which was previously shipped.
Signed-off-by: Levente Polyak <anthraxx@archlinux.org>
Signed-off-by: Remi Gacogne <rgacogne@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
If a sync database contains a "files" file, the file list will be read.
Currently, there is no known demand for the file list to be lazy loaded by
any libalpm frontend, so these files are read whenever present. Lazy loading
can be implemented when a demand exists.
Signed-off-by: Allan McRae <allan@archlinux.org>
This allows frontends to select between the .db and .files databases
currently supplied by repo-add or any other compatible database.
Signed-off-by: Allan McRae <allan@archlinux.org>
If a transaction is removing a package while ignoring all dependencies, there
should not be any warning about other packages optionally requiring it.
Signed-off-by: Allan McRae <allan@archlinux.org>
The change in commit 9d96bed9d6 causes download errors for the .db.sig file
in case the final URL for the .db file contains query strings or other
unexpected stuff. This commit isn't intended to be a total solution, but it
should eliminate the problem in the most obvious cases.
Signed-off-by: Allan McRae <allan@archlinux.org>
"return 0 on success, -1 on error (pm_errno is set accordingly)"
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
Even if opening the log file fails, if a user has enabled syslog we may
still be able to log to that. Set the error return value and continue
instead of bailing out.
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
valgrind does not like calling open(NULL, ...). This also makes the
return value 0 if logfile has not been set.
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
clang is wrong - dbfile is always used initialized in that function.
Signed-off-by: Allan McRae <allan@archlinux.org>
Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
libalpm does not guarantee that script output will be presented to the
user or that stdin will be connected to a terminal. Close stdin so that
scripts do not attempt to use it for user interaction.
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
In order to work properly, loading the filelist from an mtree file
requires a libarchive patch that has not yet been included in an
official release.[1] Under certain circumstances, an unpatched
libarchive may refuse to read the mtree file due to inconsistencies
between it and the user's file system. In order to allow alpm to
recover in this situation, read the mtree data into a temporary filelist
that is only copied over to the package if the entire read is
successful.
[1] 661684170b
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
Allows entries to be added to arbitrary filelists not connected to
a package.
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
Paths from noupgrade, the transaction skip_remove, and package backup
lists were combined into a single list matched using fnmatch causing
paths with glob characters to match unrelated files.
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
There was a lot of confusion regarding these warnings, particularly for
packages that create users post_install and then chown the directories.
Signed-off-by: Allan McRae <allan@archlinux.org>
If the call to alpm_logaction failed it would overwrite pm_errno,
leading to error messages unrelated to the actual reason the transaction
failed.
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
Prevents the need to rename the file if we end up keeping it and ensures
that pacnew files always reflect the most recent version by overwriting
stale copies.
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
Leave user files in place and save new config files with a .pacnew
extension. This reduces the complexity of file extraction and respects
the principle that pacman shouldn't modify files it didn't create.
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
If an error occurs the actual path being extracted is more useful than
the original path from the package file list. The original path is
still used for checks that use it directly.
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
alpm's database files (.INSTALL, .MTREE, etc.) should be extracted no
matter what; skip mtree/needbackup/noextract/noupgrade checks for them.
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
This will allow pacman to parse its config file in a single pass and
removes the need for the *_SET siglevels in alpm that were only required
for pacman's siglevel inheritance.
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
It was allocating the required size rather than the calculated new size,
resulting in pathological incremental reallocations.
Signed-off-by: Daniel Micay <danielmicay@gmail.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
The files_size variable contains the current capacity (in bytes) and
should not be used to calculate the next length increment. It only works
because _alpm_greedy_grow currently results in incremental growth.
Signed-off-by: Daniel Micay <danielmicay@gmail.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
_alpm_pkg_dup leaves the destination pointer unaltered in case of fatal
errors, so when commits 2f0ca00e and be4198b3 freed the pointer, they
fixed a memory leak on non-fatal errors by replacing it with
a segmentation fault on fatal errors.
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
We can only get to cleanup: through fp being NULL due to fopen failing or
normal execution when fclose is called.
Signed-off-by: Allan McRae <allan@archlinux.org>