Skip to content
Snippets Groups Projects
  1. Mar 07, 2019
  2. Mar 01, 2019
    • Andrew Gregory's avatar
      Sanitize file name received from Content-Disposition header · d197d8ab
      Andrew Gregory authored and Allan McRae's avatar Allan McRae committed
      
      When installing a remote package with "pacman -U <url>", pacman renames
      the downloaded package file to match the name given in the
      Content-Disposition header. However, pacman does not sanitize this name,
      which may contain slashes, before calling rename(). A malicious server (or
      a network MitM if downloading over HTTP) can send a content-disposition
      header to make pacman place the file anywhere in the filesystem,
      potentially leading to arbitrary root code execution. Notably, this
      bypasses pacman's package signature checking.
      
      For example, a malicious package-hosting server (or a network
      man-in-the-middle, if downloading over HTTP) could serve the following
      header:
      
      Content-Disposition: filename=../../../../../../usr/share/libalpm/hooks/evil.hook
      
      and pacman would move the downloaded file to
      /usr/share/libalpm/hooks/evil.hook. This invocation of "pacman -U" would
      later fail, unable to find the downloaded package in the cache directory,
      but the hook file would remain in place. The commands in the malicious
      hook would then be run (as root) the next time any package is installed.
      
      Discovered-by: default avatarAdam Suhl <asuhl@mit.edu>
      Signed-off-by: default avatarAllan McRae <allan@archlinux.org>
      d197d8ab
  3. Feb 21, 2019
  4. Feb 12, 2019
    • Eli Schwartz's avatar
      build: link vercmp with a static copy of libalpm · 477a66cd
      Eli Schwartz authored and Allan McRae's avatar Allan McRae committed
      
      This has historically been the case in autotools since we want vercmp to
      not break mid-transaction in an install script.
      
      For convenience, we create libalpm.a and use this to optionally generate
      libalpm.so (when not configured with -Dbuildstatic=true) as well as to
      link any binary which explicitly wishes to be built statically "with
      libalpm", but does not care where a function is defined. meson then
      treats this correctly: it builds the object file only once for both
      libraries, and the compiler strips out unused functionality from the
      final static binary.
      
      Currently the only binary which requires this is vercmp.
      
      Fixes FS#61719
      
      Signed-off-by: default avatarEli Schwartz <eschwartz@archlinux.org>
      Signed-off-by: default avatarAllan McRae <allan@archlinux.org>
      477a66cd
    • Allan McRae's avatar
      Add implicit fall through warning · 86004227
      Allan McRae authored
      
      Requires modification to our comment about fall through to match compilers
      expectations.  Works for GCC and Clang.
      
      Signed-off-by: default avatarAllan McRae <allan@archlinux.org>
      86004227
  5. Feb 06, 2019
  6. Feb 04, 2019
  7. Jan 31, 2019
  8. Jan 30, 2019
    • Allan McRae's avatar
      makepkg: use --unneeded for pacman call in remove_deps() · 6cf05481
      Allan McRae authored
      
      This patch was inspired by FS#32723 which asks makepkg to install makedepends
      before depends.  The use case is to build a package depending on a virtual
      package that is only provided by other packages (e.g. java-runtime in Arch
      Linux), but wanting to build against a specific version.  Installing makedepends
      first (but not at the same time as depends) would allow specifying the version
      to build against, instead of pacman resolving to the default version when
      installing depends.
      
      It turns out, we can already achieve installing makedepends first by specifying
      dependencies only in the package function (and making sure makedepends includes
      everything needed). The only issue is that if we use makepkg to install the
      built package with the --install flag and along with the --rmdeps flag, we will
      try to remove any installed dependencies that are specified in the depends
      array in the package function.  To counter this, we need to use the --unneeded
      flag for the pacman call.
      
      Signed-off-by: default avatarAllan McRae <allan@archlinux.org>
      6cf05481
    • Chloe Kudryavtsev's avatar
      libmakepkg: Add lzip ext support · 776fbe1c
      Chloe Kudryavtsev authored and Allan McRae's avatar Allan McRae committed
      
      lzip is a lossless data compressor designed to replace gzip and bzip2 as
      the standard general-purpose compressed format.
      - add .lz (lzip) support to libmakepkg/util/compress.sh:compress_as
      - add COMPRESSLZ to makepkg.conf.in
      - document COMPRESSLZ
      - document PKGEXT with `.tar.lz`
      
      Signed-off-by: default avatarChloe Kudryavtsev <toast@toastin.space>
      Signed-off-by: default avatarAllan McRae <allan@archlinux.org>
      776fbe1c
  9. Jan 22, 2019
  10. Jan 21, 2019
  11. Jan 16, 2019
  12. Jan 14, 2019
  13. Jan 10, 2019
Loading