A potential buffer overflow could occur if a detected terminal escape
sequence was not for a terminal colour (i.e. did not contain an "m").
Fix the potential buffer overflow while explicitly detecting only
terminal colour escape sequences. Any other escape sequence is
unexpected, and just gets pushed to the terminal.
Signed-off-by: Allan McRae <allan@archlinux.org>
I'm not sure why this was originally included, but it has now become
a problem with multiple processes updating the keyring (e.g. the
systemd timer for WKD updates from Arch Linux).
Signed-off-by: Allan McRae <allan@archlinux.org>
Adding more and more languages will make the man page become increasingly
difficult to navigate. Move documentation into the configuration file
where variables are defined.
Signed-off-by: Allan McRae <allan@archlinux.org>
Bailing early caused problems with makepkg failing on verify but expired
signatures. As this is often out of the packagers control, and it is
better to verify a signature than not, we try bailing as late as possible
and let makepkg warn about the expired signature.
Signed-off-by: Allan McRae <allan@archlinux.org>
The previous chroot-based sysroot often broke due to glibc's delayed
loading for much of its functionality when the sysroot did not contain
compatible copies of the necessary libraries.
This approach instead manually prepends the sysroot to all configuration
paths.
BREAKING CHANGE: targets to -U are no longer interpreted relative to
sysroot
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
Guile 2.2 uses ELF format for its byte-compiled files. These are not
normal executables, and are not strippable in the normal sense.
Given these are ELF files and detected by "file" as non-stripped binaries,
it is only possible to skip these using the file path.
Fixes#73
Signed-off-by: Allan McRae <allan@archlinux.org>
Also include a section encouraging discussion of large changes as there have
been a number of case of rejected features being reinvented.
Fixes#34
Signed-off-by: Allan McRae <allan@archlinux.org>
We have added more options to makepkg, but adding them to the man
page entry would result in line wrapping on a standard width
terminal. Instead, trucate and add ellipsis to indicate more
members (as described in the section below).
Fixes#91
Signed-off-by: Allan McRae <allan@archlinux.org>
atio's behaviour is undefined if the input is not valid. Also it does
all sorts of whitespace and prefix handling which we don't need for
pkgreason.
Instead of going into UB on invalid input we now return EXPLICIT as the
fallback and print an error. However we don't actually error out as the
DB parsing tries to be error tolerant.
Signed-off-by: Allan McRae <allan@archlinux.org>
alpm has certain requirements for package metadata necessary for proper
functioning, name and version in particular. These requirements are
already enforced in makepkg, but nowhere in alpm.
Exceptions are treated as errors for non-local packages because they
cannot be installed without potentially resulting in undefined behavior.
Exceptions for local packages are treated as warnings because they are
already installed, so any damage has already been done, and the user
would otherwise have no way to uninstall them.
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
The error path uconditinally tries to free the archive, leading to a
double-free segmentation fault if the error path is triggered after
already freeing it.
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
The free function was checking DB_STATUS_PKGCACHE, which is only set
once the package cache has been fully built.
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
To ensure we are not dropping the return code of the `gpg` call due to
piping into `grep`, we make use of `PIPESTATUS` to check the return code
of each command separately.
Additionally, we can now distinguish between two states: The signature
does not verify (e.g. due to technical reasons) and the signature is
not trusted.
Signed-off-by: David Runge <dvzrv@archlinux.org>
Move the check for the `NEWSIG` metadata keyword contained in the
GnuPG based statusfile to `parse_gpg_statusfile()` so that it is also
run when creating the statusfile in `verify_file_signature()` and not
only when running `verify_git_signature()`.
Signed-off-by: David Runge <dvzrv@archlinux.org>
The output of
`gpg --quiet --batch --status-fd /dev/stdout --verify <signature_file> <file> 2> /dev/null`
or
`git verify-commit --raw <commit> 2>&1`
may contain binary data, if the signature has been created with an
OpenPGP implementation, that e.g. makes use of notations.
If the notation string (see `NOTATION_DATA` in /usr/share/doc/gnupg/
DETAILS) contains a trailing binary char, this will break signature
verification, as any following entry (e.g. `VALIDSIG`) will be offset.
As we are only making use of a narrow set of terms from the statusfile
(namely `NEWSIG`, `GOODSIG`, `EXPSIG`, `EXPKEYSIG`, `REVKEYSIG`,
`BADSIG`, `ERRSIG`, `VALIDSIG`, `TRUST_UNDEFINED`, `TRUST_NEVER`,
`TRUST_MARGINAL`, `TRUST_FULLY`, `TRUST_ULTIMATE`), we are applying a
filter, so that only understood terms are written to the file.
Signed-off-by: David Runge <dvzrv@archlinux.org>
Emit an early error message if tag or commit verification with git or
detached signature verification with gpg fails.
Make `verify_file_signature()` and `verify_git_signature()` return
non-zero in this case and set errors to `1`, so that later checks
in `check_pgpsigs()`, although still run, can not lead to a positive
result.
Signed-off-by: David Runge <dvzrv@archlinux.org>
In the very unlikely situtation where getmntent() and friends return
non-null, but the mount directory is NULL, a null dereference could
occur. It is unclear what the best course of action is in this case,
so just move on to the next mount point.
Signed-off-by: Allan McRae <allan@archlinux.org>
If a path length exceeds the PATH_MAX value, then it gets truncated
when building the path of the file to delete. This could (in a very
unlikely case...) result in the wrong file being deleted. Check the
path fittedin the buffer before removing files.
Signed-off-by: Allan McRae <allan@archlinux.org>
The length_check function could underflow if the provided buffer index
is greater than the signature buffer length, leading to an out of
bounds read.
Signed-off-by: Allan McRae <allan@archlinux.org>
These are the only log messages produced by pacman that include an
embedded newline, and it looks very incongruous in a typical pacman.log.
Signed-off-by: Allan McRae <allan@archlinux.org>
Move the checks for software and gpg signing ability to after the
fakeroot section so that it is only executed once. This also fixes
gpg (lack of) interaction under fakeroot.
Fixes#69
Signed-off-by: Allan McRae <allan@archlinux.org>
The primary purpose of this is to allow cleanup of file descriptors
allocated by curl that were left open in the child. I am not aware of
any issues caused by the open file descriptors, but think it better to
not leave random open fd's lying around.
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
Freeing handle resources was previously split awkwardly between
_alpm_handle_free and alpm_release. This consolidates the freeing of
all in-memory resources to _alpm_handle_free, leaving alpm_release as a
thin wrapper that provides safety checks and frees any external
resources, e.g. removing lock files.
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
.a files are not valid ELF files so we can't run objcopy nor debugedit
on them.
Rename STRIPLTO to STATICLIB to be more descriptive.
Signed-off-by: Morten Linderud <morten@linderud.pw>
Some projects might duplicate the file in multiple locations for one
reason or another. When debug packages are enabled, `makepkg` will only
strip the first occurrence of the binary and abort early on all the
other binaries.
Signed-off-by: Morten Linderud <morten@linderud.pw>
