Age | Commit message (Collapse) | Author | Files | Lines |
|
- pgpLen() only works for new format packets, and even for those
it's unsafe and cannot be fixed without breaking the API. Start
by taking it behind the barn for further, err, operations. Rpm has
no users outside rpmpgp.c now and anybody else using it will be
better off not doing so.
|
|
- Eliminate bogus size calculations: we have a buffer of td->count size
that may or may not contain a legal OpenPGP signature. Leave it up to
pgpPrtPkts() to validate & figure it out and check its return code instead,
eliminating need to repeat a bunch of tedious calculations here.
- Non-zero signature version is used as a hint for valid signature,
should be "close enough" for the rest of the code.
|
|
- Old format tags encode the number of body length bytes in the packet
header, new format encodes it in the first body length byte. In
both cases there must be at least two bytes worth of data for it
to be a valid header. Sanity check before accessing.
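The two header layouts described in that commit, as an added example that is not rpm's code: an old-format tag octet carries the number of length octets in its low two bits, a new-format tag octet is followed by a first body-length octet that selects a one-, two- or five-octet encoding (RFC 4880 section 4.2), and in both cases the parser refuses to look at a second byte unless it is there and refuses a body that does not fit the remaining buffer. The function and sample packet names below are this example's own.

```c
/* Added example, not rpm's code: decode an OpenPGP packet header
 * (RFC 4880 section 4.2) and refuse anything that does not fit the
 * buffer. Names and the sample packets below are this example's own. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct pgp_hdr {
    unsigned tag;    /* packet tag */
    size_t hdrlen;   /* octets consumed by tag octet + length octets */
    size_t bodylen;  /* declared body length */
};

/* Returns 0 and fills *h on success, -1 if the header is truncated,
 * malformed, or declares a body longer than the len octets available.
 * Old-format indeterminate lengths (length type 3) and new-format
 * partial body lengths (first octet 224..254) are rejected outright. */
int pgp_parse_hdr(const uint8_t *p, size_t len, struct pgp_hdr *h)
{
    if (p == NULL || h == NULL || len < 2)  /* tag octet + at least one length octet */
        return -1;
    if (!(p[0] & 0x80))                     /* bit 7 is always set in a packet tag */
        return -1;
    memset(h, 0, sizeof(*h));

    if (p[0] & 0x40) {
        /* New format: tag in bits 0..5, length encoded by the first body-length octet */
        uint8_t b0 = p[1];
        h->tag = p[0] & 0x3f;
        if (b0 < 192) {
            h->hdrlen = 2;
            h->bodylen = b0;
        } else if (b0 < 224) {
            if (len < 3) return -1;
            h->hdrlen = 3;
            h->bodylen = ((size_t)(b0 - 192) << 8) + p[2] + 192;
        } else if (b0 == 255) {
            if (len < 6) return -1;
            h->hdrlen = 6;
            h->bodylen = ((size_t)p[2] << 24) | ((size_t)p[3] << 16) |
                         ((size_t)p[4] << 8)  | (size_t)p[5];
        } else {
            return -1;  /* partial body length: not handled here */
        }
    } else {
        /* Old format: tag in bits 2..5, number of length octets given by bits 0..1 */
        static const size_t nlen_for_type[3] = { 1, 2, 4 };
        unsigned lentype = p[0] & 0x03;
        if (lentype == 3) return -1;        /* indeterminate length */
        size_t nlen = nlen_for_type[lentype];
        if (len < 1 + nlen) return -1;      /* length octets missing */
        h->tag = (p[0] >> 2) & 0x0f;
        h->hdrlen = 1 + nlen;
        for (size_t i = 0; i < nlen; i++)
            h->bodylen = (h->bodylen << 8) | p[1 + i];
    }
    /* hdrlen <= len is guaranteed above, so this subtraction cannot underflow */
    if (h->bodylen > len - h->hdrlen)
        return -1;
    return 0;
}

/* Small wrappers so a caller can check one field at a time; -1 means rejected. */
long pgp_hdr_tag(const uint8_t *p, size_t len)
{ struct pgp_hdr h; return pgp_parse_hdr(p, len, &h) ? -1 : (long)h.tag; }
long pgp_hdr_hdrlen(const uint8_t *p, size_t len)
{ struct pgp_hdr h; return pgp_parse_hdr(p, len, &h) ? -1 : (long)h.hdrlen; }
long pgp_hdr_bodylen(const uint8_t *p, size_t len)
{ struct pgp_hdr h; return pgp_parse_hdr(p, len, &h) ? -1 : (long)h.bodylen; }

/* Constructed samples: an old-format tag-2 (signature) packet with a
 * one-octet length, a new-format tag-2 packet with a five-octet length,
 * and a new-format header cut off before its second length octet. */
const uint8_t sample_old[]   = { 0x88, 0x03, 'a', 'b', 'c' };
const uint8_t sample_new[]   = { 0xC2, 0xFF, 0x00, 0x00, 0x00, 0x02, 'x', 'y' };
const uint8_t sample_trunc[] = { 0xC2, 0xC0 };

int main(void)
{
    printf("old: tag %ld body %ld\n", pgp_hdr_tag(sample_old, sizeof sample_old),
           pgp_hdr_bodylen(sample_old, sizeof sample_old));
    printf("old with 4 octets available: %ld\n", pgp_hdr_bodylen(sample_old, 4));
    printf("new: tag %ld hdr %ld body %ld\n", pgp_hdr_tag(sample_new, sizeof sample_new),
           pgp_hdr_hdrlen(sample_new, sizeof sample_new),
           pgp_hdr_bodylen(sample_new, sizeof sample_new));
    printf("truncated new: %ld\n", pgp_hdr_bodylen(sample_trunc, sizeof sample_trunc));
    return 0;
}
```

The last check, body length against what remains after the header, is the one a caller cannot do on its own once it has trusted the header, which is why it belongs inside the parser and not in the code that later walks the body.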
|
|
readlink() never terminates the buffer.
Detected by "cppcheck" (git HEAD)
Signed-off-by: Thomas Jarosch <thomas.jarosch@intra2net.com>
Signed-off-by: Panu Matilainen <pmatilai@redhat.com>
|
|
- The error message is not very helpful but if pgpPrtPkts() fails
we don't have a whole lot of clue in the caller why it failed, spitting
out at least *some* error is better than silently failing
(RhBug:748116, RhBug:719154)
|
|
- If a file/directory is not to be packaged, there's not a whole lot of
point making the build fail if it's missing. In case exclude is
used to leave certain files to sub-packages, the sub-package file
lists will catch out missing files that are really missing as a
result of actual build failure or such (except perhaps for some
glob cases but missing files can go unnoticed in those cases anyway)
|
|
- Assume failure, handle setting fl->processingFailed centrally at exit
(file too large wasn't resulting in processingFailed getting set)
|
|
- String array size calculation could read one byte past data end
pointer when expected count and number of \0's disagree (i.e. invalid data)
due to while condition side-effects + bounds checking being in
the inner loop.
- Lift the string length calculation to inline helper function, used for
both string and string array types.
- Streamline the calculations:
- Eliminate unnecessary length increments, calculate the length
from pointer distance
- Eliminate end pointer NULL checking within the loop: when caller
doesn't supply end pointer, cap to HEADER_MAX_DATA (i.e. 16MB),
anything larger would trip up in later hdrchkData() checks anyway.
- Avoid the off-by-one by eliminating the problematic inner loop.
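A bounded version of the string-length helper that commit describes, as an added example that is not rpm's code: the scan is delegated to memchr() with the exact number of bytes left, so when the expected count and the number of terminators disagree the result is an error rather than a read one byte past the end, and the length is taken from pointer distance instead of per-byte increments. Unlike the commit, which caps an absent end pointer at HEADER_MAX_DATA, this version simply requires the caller to pass the bound. Function and sample names are this example's own.

```c
/* Added example, not rpm's code: count the bytes occupied by `count`
 * NUL-terminated strings without ever reading past the end of the data
 * area. Names and the sample buffer are this example's own. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Returns the number of bytes from `data` up to and including the
 * terminator of the count-th string, or -1 if the area ends first.
 * memchr() is handed exactly the bytes that remain, so a missing
 * terminator is reported instead of being found one byte beyond `end`. */
long string_array_bytes(const char *data, const char *end, uint32_t count)
{
    const char *p = data;
    if (data == NULL || end == NULL || end < data)
        return -1;
    while (count > 0) {
        const char *nul = memchr(p, '\0', (size_t)(end - p));
        if (nul == NULL)
            return -1;          /* count and number of NULs disagree */
        p = nul + 1;
        count--;
    }
    return (long)(p - data);    /* length from pointer distance */
}

/* A plain string is the one-element case of the same helper. */
long string_bytes(const char *data, const char *end)
{
    return string_array_bytes(data, end, 1);
}

/* Constructed data area: two terminated strings followed by an
 * unterminated tail, with no NUL after the final byte. */
const char sample_area[] = { 'a', 'b', '\0', 'c', 'd', '\0', 'e', 'f' };
```

With the sample area above, asking for two strings yields 6 bytes, asking for three fails because the tail "ef" has no terminator inside the bound, and a plain-string lookup starting at that tail fails for the same reason; the old inner-loop arrangement is exactly where that last case stepped over the end.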
|
|
- Offset being within the data area doesn't help if the actual data doesn't
fit. Since the trailer size is well known, we can just as easily
make the check accurate to prevent reading beyond end of data in case
the offset is subtly wrong.
- In headerLoad(), region offset of zero doesn't need sanity checking,
only validate if it's something else and do so accurately there too.
|
|
- Since addition of file capability verification in rpm 4.7.x,
the verify output has nine characters, not eight (RhBug:746525)
|
|
- Pretrans-dependencies are twisty little beasts unlike anything else...
When a pretrans-dependency provider is updated, the currently installed
version is the provider for that transaction, unlike others where
the packages from installing set act as providers for updates. So
when looking up pretrans deps, we must not prune the to-be-erased
packages from the db match iterators. As an added twist, we also
must not cache these non-pruned cases as it would mess up the
cache for "regular" dependencies.
- Fixes this case reported on fedora-devel:
http://lists.fedoraproject.org/pipermail/devel/2011-October/158058.html
|
|
This commit sets a restrictive umask before calling mkstemp().
This is because the permissions of files created by mkstemp() are
not defined in POSIX. Old versions of glibc created files with
mode 0666 which can be a security hole. Because the behavior is
implementation-dependent, we set a umask.
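The pattern that commit describes, as an added example that is not rpm's code: clear the group and other bits with umask() around the mkstemp() call and restore the caller's mask afterwards, then verify the result with fstat(). The glibc mkstemp(3) manual page states that files have been created with mode 0600 since glibc 2.0.7 and 0666 before that, which is the history the commit is guarding against. Note that umask() is process-wide, so in a threaded program the narrowing briefly applies to files other threads create too; that direction is the safe one. Function and path names are this example's own.

```c
/* Added example, not rpm's code: create a temporary file whose mode does
 * not depend on what the C library's mkstemp() chooses. Names and the
 * template path are this example's own. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* mkstemp() with group/other permission bits forced off for the duration
 * of the call. The template is modified in place, as mkstemp() requires.
 * Returns the descriptor, or -1 with errno preserved from mkstemp(). */
int mkstemp_private(char *tmpl)
{
    mode_t saved = umask(S_IRWXG | S_IRWXO);   /* 077: deny group and other */
    int fd = mkstemp(tmpl);
    int err = errno;
    umask(saved);                              /* restore the caller's umask */
    errno = err;
    return fd;
}

/* Permission bits of an open descriptor, or -1 on error. */
int fd_perm_bits(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0)
        return -1;
    return (int)(st.st_mode & 0777);
}

/* Creates, inspects and removes a scratch file. Returns 1 if no group or
 * other permission bit was set on it, 0 otherwise or on failure. */
int private_tempfile_check(void)
{
    char tmpl[] = "/tmp/umask-example-XXXXXX";  /* constructed template */
    int fd = mkstemp_private(tmpl);
    if (fd < 0)
        return 0;
    int bits = fd_perm_bits(fd);
    close(fd);
    unlink(tmpl);
    return bits >= 0 && (bits & (S_IRWXG | S_IRWXO)) == 0;
}
```

Checking with fstat() on the descriptor rather than stat() on the path keeps the check tied to the file actually opened, and an fchmod() after creation would not be equivalent: it leaves a window between creation and the mode change.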
|
|
|
|
|
|
- headerVerify() always returns with a message even for OK results,
which was masking the error message from headerLoad(), sometimes
giving not very helpful "headerRead failed: Header sanity check OK"
style messages.
|
|
- While we're on API killing spree... Exporting this was needless and
dumb to begin with (greetings to self in 2007...), bury it inside
depends.c as static and let rot there.
- Might be a better idea to kill it completely with some other
mechanism such as turning payload format into rpmlib() dependency
internally but just get it out of public sight for now.
|
|
- No need to export this in the API - if you want merged signature
tags you use rpm's package reading functions.
|
|
- This was only ever used by repackage support inside rpm and has been
orphaned since 2008, likely more than just a little broken too as it
doesn't know about 64bit types and all. RIP.
|
|
- Now that rpmVerifySignature() doesn't require a non-null dig
for digests, don't bother allocating one unless necessary.
- pgpNewDig() cannot fail so don't bother checking.
|
|
- sigtd->data and dig checking (where needed) is done at
rpmVerifySignature() level, don't bother double-checking
- Hash context is dup'ed, which CAN fail, so while we don't need
to check the argument for non-null, the dup result needs to
be checked for digests. For actual signatures the dup happens
elsewhere, we don't need to check the argument for non-null here.
|
|
- Hash context is required for everything, require non-NULL ctx
in rpmVerifySignature() already
- pgpDig is only relevant for true signature, digest checking doesn't
need it - don't require dummy dig to be passed for digests.
- Treat unknown signatures as a case of bad parameters: we're the
only caller of rpmVerifySignature() so it'd be us screwing up if
we ask for unknown signature to be verified.
- Treat bad parameters as a hard failure instead of "not found",
bad parameters mean we cannot verify the signature which really
equals FAIL.
|
|
|
|
- Makes the self-provides accessible on spec parse queries, shouldn't
affect anything else.
|
|
- headerVerify() is big enough without having all the signature
goo inline, just lift the whole signature/digest business into
separate function. Supposedly no functional changes...
|
|
- Assigning goo to temporary variables for calling rpmDigestUpdate()
doesn't make it any more readable, more the contrary. Also
don't bother with htonl() (calls that should've been ntohl()
for "correctness") when we have the data elsewhere in host order already.
|
|
- Jumping forwards is one thing, jumping backwards and forwards to an
exit label residing in the middle of a function is something else...
Refactor to single point of exit, at the end of the function.
- Handle the no header-only signature/digest case (whether disabled
or v3 package) and cleanup centrally at the exit label, everything
falls through there now.
|
|
- pgpNewDig() like most rpm "constructor" functions cannot fail,
no point checking the result. Allows an icky backwards goto + label
to be eliminated.
|
|
- No functional changes, just preparing to tidy up the headerVerify()
monster a bit.
|
|
|
|
- Region size can't obviously be larger than the containing header,
sanity check to avoid crashes from malformed packages.
- We should really test for length equality here, but with dribbles
the size is sometimes off by three, whatever the reason (bug likely),
leaving that investigation for some sunnier day...
|
|
- Sub-packet prefix length + packet length can't very well be larger
than the remaining packet length. In addition to sanity checking,
return an error code and have callers actually check for it.
- Fixes (yet another) segfault on malformed package (RhBug:742499)
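The check that commit adds, as an added example that is not rpm's code: a signature subpacket is a length prefix of one, two or five octets (RFC 4880 section 5.2.3.1) followed by a type octet and body, and the walker below returns an error as soon as a prefix is cut short, a declared length is zero (no room for the type octet) or prefix plus declared length exceeds what remains, rather than indexing past the area. Function and sample names are this example's own.

```c
/* Added example, not rpm's code: walk an OpenPGP signature subpacket area
 * (RFC 4880 section 5.2.3.1) and reject any subpacket whose length prefix
 * plus declared length does not fit in what remains. Names and the sample
 * areas below are this example's own. */
#include <stddef.h>
#include <stdint.h>

/* Decodes one subpacket length prefix. Returns the prefix size (1, 2 or
 * 5) and stores the declared length, or -1 if the prefix is truncated. */
static int subpkt_prefix(const uint8_t *p, size_t len, size_t *declared)
{
    if (len < 1)
        return -1;
    if (p[0] < 192) {
        *declared = p[0];
        return 1;
    }
    if (p[0] < 255) {
        if (len < 2)
            return -1;
        *declared = ((size_t)(p[0] - 192) << 8) + p[1] + 192;
        return 2;
    }
    if (len < 5)
        return -1;
    *declared = ((size_t)p[1] << 24) | ((size_t)p[2] << 16) |
                ((size_t)p[3] << 8)  | (size_t)p[4];
    return 5;
}

/* Returns the number of subpackets in the area, or -1 at the first one
 * that is truncated, empty (no type octet) or longer than what remains. */
long subpkt_count(const uint8_t *p, size_t len)
{
    long n = 0;
    while (len > 0) {
        size_t declared;
        int pfx = subpkt_prefix(p, len, &declared);
        if (pfx < 0)
            return -1;
        /* declared covers the type octet, so it is at least 1, and
         * prefix + declared must not exceed the remaining area */
        if (declared < 1 || declared > len - (size_t)pfx)
            return -1;
        p   += (size_t)pfx + declared;
        len -= (size_t)pfx + declared;
        n++;
    }
    return n;
}

/* Finds the first subpacket of the given type (critical bit masked off).
 * Returns its body length without the type octet and sets *body, or -1
 * if the area is malformed or the type is absent. */
long subpkt_find(const uint8_t *p, size_t len, unsigned type, const uint8_t **body)
{
    if (subpkt_count(p, len) < 0)
        return -1;                       /* whole area validated first */
    while (len > 0) {
        size_t declared;
        size_t pfx = (size_t)subpkt_prefix(p, len, &declared);
        if ((p[pfx] & 0x7f) == type) {
            *body = p + pfx + 1;
            return (long)(declared - 1);
        }
        p   += pfx + declared;
        len -= pfx + declared;
    }
    return -1;
}

/* Signature creation time (type 2) as a big-endian 32-bit value, or -1. */
long subpkt_creation_time(const uint8_t *p, size_t len)
{
    const uint8_t *body;
    if (subpkt_find(p, len, 2, &body) != 4)
        return -1;
    return ((long)body[0] << 24) | ((long)body[1] << 16) |
           ((long)body[2] << 8)  | (long)body[3];
}

/* Constructed areas: a valid one holding a creation time (type 2) and key
 * flags (type 27), and one whose first subpacket overruns the area. */
const uint8_t sample_subpkts[] = {
    0x05, 0x02, 0x4E, 0x9A, 0xB1, 0xC0,   /* len 5, type 2, 4-octet time */
    0x02, 0x1B, 0x03                      /* len 2, type 27, flags 0x03 */
};
const uint8_t sample_overrun[] = { 0x05, 0x02, 0x00, 0x00 };
```

Validating the whole area once up front, as subpkt_find() does, means the later lookup loops can index freely; the alternative of checking lazily inside each lookup is what leaves a path where one caller forgets.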
|
|
- Fixes the first case crash of RhBug:741606 / CVE-2011-3378 where
immutable region offset is way out of bounds.
|
|
- Region offsets are supposed to be negative when an entry
is involved, otherwise zero. Fixes some cases of crash'n'burn on
malformed headers having bogus offsets (CVE-2011-3378)
|
|
|
|
|
|
- This should've been in commit 6e2f56fe25a9ee62af51e0408861a8a43c97a709
all the way back then, unused ever since...
|
|
|
|
|
|
|
|
|
|
- No functional changes, just avoid doing extra work for what popt
can already do for us.
|
|
- Currently doesn't make any difference but since we actually
have a flags member in the struct, might as well use it. Also
we'll shortly be needing these during the actual execution too.
|
|
- No functional changes (and this is still internal-only API),
just making more obvious what they are and clearing the
RPMSCRIPT_FOO namespace for possible future use for the scriptlet
types themselves.
|
|
- Previously any arguments to interpreter were invisible unless
you happened to know that RPMTAG_FOOPROG are actually string
arrays despite their type showing plain string, and queried
as arrays. This makes all the arguments for all scriptlets
supporting interpreter arguments visible on --scripts query
and also serves as an example on how to properly query them.
- Perhaps worth noting is the exact formatting of the query:
"(using[ %{PRETRANSPROG}]" instead of the more typical style of
"(using [%{PRETRANSPROG} ]" to avoid extra trailing blanks.
|
|
|
|
- While the vast majority of scriptlet interpreters only consist
of the interpreter name itself, they all can consist of arbitrary
number of extra arguments. Rpm itself doesn't really care whether
the tags are strings or string arrays but the scalar definition
causes the rest of arguments to be invisible from eg python.
Also having the type shown as string array hints at the proper
query format when accessing these (and rpm itself is doing it
wrong too in --scripts alias). Related to ticket #847.
|
|
- Trigger scriptlets differ from other types in that additional
arguments to scriptlet interpreter are not supported due to the
way trigger data is stored in the header. Until now any extra
arguments have just been quietly discarded, make it a hard
error to avoid surprises.
|
|
|
|
- Makes the popt foobar somewhat saner and fixes RhBug:717534 and
RhBug:735801 while at it.
|
|
- The current method that --requires and friends use is kinda
cumbersome and outputs extra whitespace for dependencies which
don't have flags+version attached. Adding extensions for this
is likely to be easier than teaching query formatting to
permit conditionalizing on current value instead of just tag existence.
|