Age | Commit message | Author | Files | Lines |
|
- Tedious but straightforward conversion to use the API instead
of going to the struct directly.
- Remove digest.h includes where no longer necessary
|
|
|
|
|
|
|
|
- Doesn't make for fewer lines in this case, but unifying the accesses
is good anyway.
|
|
- Hide allocation inside the helper, automatically free on failure
- Return pointer to the signature parameters on success to simplify
life for callers
- Don't bother checking or reporting the signature version: the
pgp parser errors out if it encounters an unsupported version and
does not scribble anything to the version field in that case;
mumbling about "V0 signatures" is not particularly helpful.
- Log the bad package names from rpmpkgReadHeader() too
|
|
- Return a pointer to the signature part on success, hide allocation
(and free on failure) in the helper. Makes life a little bit
saner for the callers and limits the places where we access
the full pgpDig further.
|
|
- pgpVerifySig() is now just a dumb wrapper around pgpVerifySignature()
which does the real work.
- Update the sole caller to use the new interface instead, deprecate
the old dig interface.
- First steps towards getting rid of pgpDig which always was a
strange creature and now is nothing but a nuisance and obfuscation.
Yes, keys and signatures walk hand in hand much of the time, but
they come from different sources and want to be handled as
separate data really.
|
|
- stashKeyid() only wants the signature, not the whole dig
- dig argument to readFile() was simply unused
|
|
|
|
- Eliminate bogus size calculations: we have a buffer of td->count size
that may or may not contain a legal OpenPGP signature. Leave it up to
pgpPrtPkts() to validate & figure it out and check its return code instead,
eliminating the need to repeat a bunch of tedious calculations here.
- A non-zero signature version is used as a hint for a valid signature,
which should be "close enough" for the rest of the code.
|
|
readlink() never terminates the buffer.
Detected by "cppcheck" (git HEAD)
Signed-off-by: Thomas Jarosch <thomas.jarosch@intra2net.com>
Signed-off-by: Panu Matilainen <pmatilai@redhat.com>
|
|
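The readlink() pitfall in the commit message above is worth seeing as code. This is an added example, not rpm's own code: a wrapper that always NUL-terminates the buffer and reports truncation, plus a constructed symlink fixture. The names readlink_z and demo_make_link are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* readlink_z: like readlink(2) but always NUL-terminates `buf` on success.
 * Returns the target length, or -1 with errno set. A result that fills every
 * byte offered is treated as truncated (errno = ENAMETOOLONG), because
 * readlink() gives no way to tell "exactly fit" from "cut short". */
ssize_t readlink_z(const char *path, char *buf, size_t bufsz)
{
    if (bufsz == 0) {
        errno = EINVAL;
        return -1;
    }
    /* Offer one byte less than the buffer: readlink() never writes a NUL. */
    ssize_t n = readlink(path, buf, bufsz - 1);
    if (n < 0)
        return -1;
    if ((size_t)n == bufsz - 1) {
        errno = ENAMETOOLONG;
        return -1;
    }
    buf[n] = '\0';
    return n;
}

/* demo_make_link: create a throwaway symlink in the current directory that
 * points at `target` (a constructed fixture; the target need not exist).
 * Writes the link path into `path` and returns 0, or -1 on failure. */
int demo_make_link(char *path, size_t pathsz, const char *target)
{
    int len = snprintf(path, pathsz, "readlink_demo_%ld", (long)getpid());
    if (len < 0 || (size_t)len >= pathsz)
        return -1;
    unlink(path);                    /* ignore ENOENT on a fresh run */
    return symlink(target, path);
}

int main(void)
{
    char path[64], buf[32], tiny[4];
    if (demo_make_link(path, sizeof path, "target_file") != 0) {
        perror("symlink");
        return 1;
    }
    ssize_t n = readlink_z(path, buf, sizeof buf);
    printf("target=%s len=%ld\n", n < 0 ? "(error)" : buf, (long)n);
    if (readlink_z(path, tiny, sizeof tiny) < 0)
        printf("4-byte buffer: %s\n", strerror(errno));
    unlink(path);
    return 0;
}
```

The conservative truncation rule matters for the case cppcheck flagged: without it, a target exactly as long as the buffer leaves no room for the terminator and the next strlen() or printf() runs off the end.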
- String array size calculation could read one byte past data end
pointer when expected count and number of \0's disagree (i.e. invalid data)
due to while condition side-effects + bounds checking being in
the inner loop.
- Lift the string length calculation to an inline helper function, used for
both string and string array types.
- Streamline the calculations:
- Eliminate unnecessary length increments, calculate the length
from pointer distance
- Eliminate end pointer NULL checking within the loop: when caller
doesn't supply end pointer, cap to HEADER_MAX_DATA (i.e. 16MB),
anything larger would trip up in later hdrchkData() checks anyway.
- Avoid the off-by-one by eliminating the problematic inner loop.
|
|
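The off-by-one in the string array length calculation described in the commit message above comes from scanning for terminators with the bounds check inside the loop. This added example (not rpm's code; the function name and the constructed sample data are hypothetical) computes the same quantity with the scan bounded by the remaining length, so it can never look past the end of the data even when the count claims more strings than there are NULs. The `avail` byte count stands in for the commit's end pointer.

```c
#include <stdio.h>
#include <string.h>

/* bounded_strarray_len: number of bytes occupied by `count` NUL-terminated
 * strings starting at `str`, terminators included, when at most `avail`
 * bytes may be read. Returns 0 when the data runs out before the last
 * terminator (a valid array with count >= 1 always occupies >= 1 byte).
 * memchr() is handed the remaining length, so no byte at or beyond
 * str + avail is ever examined, whatever `count` says. */
size_t bounded_strarray_len(const char *str, size_t count, size_t avail)
{
    size_t used = 0;
    while (count-- > 0) {
        const char *nul = memchr(str + used, '\0', avail - used);
        if (nul == NULL)
            return 0;            /* fewer terminators than `count` */
        used = (size_t)(nul - str) + 1;   /* length from pointer distance */
    }
    return used;
}

int main(void)
{
    /* Constructed sample data: two strings, then the same data cut short. */
    const char ok[] = "a\0bc\0";                        /* 5 bytes, 2 NULs */
    const char cut[] = { 'a', '\0', 'b', 'c' };         /* last NUL missing */
    printf("ok:  %zu\n", bounded_strarray_len(ok, 2, 5));
    printf("cut: %zu\n", bounded_strarray_len(cut, 2, 4));
    return 0;
}
```

The loop condition has no side effects and the only bound is the one memchr() receives, which is the structural fix the commit describes: there is no inner loop left to walk one byte too far.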
- Offset being within the data area doesn't help if the actual data doesn't
fit. Since the trailer size is well known, we can just as easily
make the check accurate to prevent reading beyond end of data in case
the offset is subtly wrong.
- In headerLoad(), region offset of zero doesn't need sanity checking,
only validate if it's something else and do so accurately there too.
|
|
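The commit message above contrasts a check on the offset alone with one that accounts for the trailer that must follow it. This added example (not rpm's code; function names, the 16-byte trailer and the 100-byte data area are constructed for illustration) puts the weak form beside the accurate one, written so that the range end is never computed as off + size and a large offset cannot wrap past the comparison.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* The weak check: only asks whether the offset itself lands inside the
 * data area. Accepts an offset that leaves fewer than `size` bytes
 * before the end, so a read of the trailer runs past the data. */
bool offset_in_area(int32_t off, size_t dl)
{
    return off >= 0 && (size_t)off < dl;
}

/* The accurate form: does [off, off + size) lie entirely within `dl`
 * bytes? Rearranged so off + size is never formed; with narrower types
 * that sum can wrap and a huge offset would pass a naive comparison. */
bool range_fits(int32_t off, size_t size, size_t dl)
{
    if (off < 0)
        return false;
    size_t uoff = (size_t)off;
    return uoff <= dl && size <= dl - uoff;
}

/* Mirrors the second point in the commit: an offset of zero is taken
 * as-is, anything else must leave room for a `trailer_size` byte trailer. */
bool region_offset_ok(int32_t off, size_t trailer_size, size_t dl)
{
    return off == 0 || range_fits(off, trailer_size, dl);
}

int main(void)
{
    const size_t dl = 100, trailer = 16;   /* constructed sizes */
    const int32_t off = 96;                /* inside the area, no room left */
    printf("off=%d in area: %d, trailer fits: %d, region ok: %d\n", off,
           offset_in_area(off, dl), range_fits(off, trailer, dl),
           region_offset_ok(off, trailer, dl));
    return 0;
}
```

The offset 96 passes the weak check and fails the accurate one, which is exactly the "subtly wrong" offset the commit is guarding against.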
- Pretrans-dependencies are twisty little beasts unlike anything else...
When a pretrans-dependency provider is updated, the currently installed
version is the provider for that transaction, unlike others where
the packages from the installing set act as providers for updates. So
when looking up pretrans deps, we must not prune the to-be-erased
packages from the db match iterators. As an added twist, we also
must not cache these non-pruned cases as it would mess up the
cache for "regular" dependencies.
- Fixes this case reported on fedora-devel:
http://lists.fedoraproject.org/pipermail/devel/2011-October/158058.html
|
|
|
|
- headerVerify() always returns with a message even for OK results,
which was masking the error message from headerLoad(), sometimes
giving not very helpful "headerRead failed: Header sanity check OK"
style messages.
|
|
- While we're on API killing spree... Exporting this was needless and
dumb to begin with (greetings to self in 2007...), bury it inside
depends.c as static and let rot there.
- Might be a better idea to kill it completely with some other
mechanism such as turning payload format into rpmlib() dependency
internally but just get it out of public sight for now.
|
|
- No need to export this in the API - if you want merged signature
tags you use rpm's package reading functions.
|
|
- This was only ever used by repackage support inside rpm and has been
orphaned since 2008, likely more than just a little broken too as it
doesn't know about 64bit types and all. RIP.
|
|
- Now that rpmVerifySignature() doesn't require a non-null dig
for digests, don't bother allocating one unless necessary.
- pgpNewDig() cannot fail so don't bother checking.
|
|
- sigtd->data and dig checking (where needed) is done at
rpmVerifySignature() level, don't bother double-checking
- Hash context is dup'ed, which CAN fail, so while we don't need
to check the argument for non-null, the dup result needs to
be checked for digests. For actual signatures the dup happens
elsewhere, we don't need to check the argument for non-null here.
|
|
- Hash context is required for everything, require non-NULL ctx
in rpmVerifySignature() already
- pgpDig is only relevant for true signatures, digest checking doesn't
need it - don't require a dummy dig to be passed for digests.
- Treat unknown signatures as a case of bad parameters: we're the
only caller of rpmVerifySignature() so it'd be us screwing up if
we ask for an unknown signature to be verified.
- Treat bad parameters as a hard failure instead of "not found",
bad parameters mean we cannot verify the signature which really
equals FAIL.
|
|
- headerVerify() is big enough without having all the signature
goo inline, just lift the whole signature/digest business into
separate function. Supposedly no functional changes...
|
|
- Assigning goo to temporary variables for calling rpmDigestUpdate()
doesn't make it any more readable, more the contrary. Also
don't bother with htonl() (calls that should've been ntohl()
for "correctness") when we have the data elsewhere in host order already.
|
|
- Jumping forwards is one thing, jumping backwards and forwards to an
exit label residing in the middle of a function is something else...
Refactor to single point of exit, at the end of the function.
- Handle the no header-only signature/digest case (whether disabled
or v3 package) and cleanup centrally at the exit label, everything
falls through there now.
|
|
- pgpNewDig() like most rpm "constructor" functions cannot fail,
no point checking the result. Allows an icky backwards goto + label
to be eliminated.
|
|
- No functional changes, just preparing to tidy up the headerVerify()
monster a bit.
|
|
|
|
- Region size can't obviously be larger than the containing header,
sanity check to avoid crashes from malformed packages.
- We should really test for length equality here, but with dribbles
the size is sometimes off by three, whatever the reason (bug likely),
leaving that investigation for some sunnier day...
|
|
- Fixes the first case crash of RhBug:741606 / CVE-2011-3378 where
immutable region offset is way out of bounds.
|
|
- Region offsets are supposed to be negative when an entry
is involved, otherwise zero. Fixes some cases of crash'n'burn on
malformed headers having bogus offsets (CVE-2011-3378)
|
|
|
|
- This should've been in commit 6e2f56fe25a9ee62af51e0408861a8a43c97a709
all the way back then, unused ever since...
|
|
|
|
|
|
- Currently doesn't make any difference but since we actually
have a flags member in the struct, might as well use it. Also
we'll shortly be needing these during the actual execution too.
|
|
- No functional changes (and this is still internal-only API),
just making more obvious what they are and clearing the
RPMSCRIPT_FOO namespace for possible future use for the scriptlet
types themselves.
|
|
- While the vast majority of scriptlet interpreters only consist
of the interpreter name itself, they all can consist of an arbitrary
number of extra arguments. Rpm itself doesn't really care whether
the tags are strings or string arrays but the scalar definition
causes the rest of the arguments to be invisible from eg python.
Also having the type shown as string array hints at the proper
query format when accessing these (and rpm itself is doing it
wrong too in --scripts alias). Related to ticket #847.
|
|
- The current method that --requires and friends use is kinda
cumbersome and outputs extra whitespace for dependencies which
don't have flags+version attached. Adding extensions for this
is likely to be easier than teaching query formatting to
permit conditionalizing on current value instead of just tag existence.
|
|
- Add accessor for fetching the script tag, the final piece that
psm needs (and will continue to do so) from script internals.
This allows the script type to become opaque for real.
|
|
- Bury rpmScriptNew() into being internal helper in rpmscript -
triggers and other scripts differ quite a bit in how their data
is laid out in the header, especially args need "special attention".
- Besides cleaning up things in the psm side, this technically makes
trigger scripts runnable without having a header at hand. Of course
currently trigger scripts are created and destroyed
on the spot from headers so this is of academic interest...
|
|
- Add a lower level script creation function to deal with the
body expansions and such, use it for triggers as well.
- This is still fairly ugly but it's something that can be reasonably
backported to 4.9.x which needs this too, as currently triggers
are forgetting to set script->descr, causing "(null) failure" messages
on glibc and on others it would just crash on trigger failure
and/or in debug verbosity level.
|
|
- Similarly to commit 40ee8e7427ace319687dd36bd5f745d1ef2f2236,
take --noconfigs into account for the virtual config() provides too
|
|
- Files which don't get installed cannot very well satisfy dependencies,
take this into account for docs and configs when --nodocs & --noconfigs
flags are used.
|
|
- No functional changes here, but we'll need to know some of these
bits for accurately calculating various dependency bits later on.
|
|
|
|
- Non-installed files cannot very well have dependencies, this
eliminates some bogosities from those cases.
|
|
- For a more consistent experience wrt all the state-awareness stuff,
this needs to be easily querifiable too.
- Also makes the tagnames kludgery from commit
cac8c389607d7a5735b2905035fdfe4404670d06 unnecessary
|
|
|