It looks like this function has never actually worked. The current list
is never set to NULL after being freed. So the new deps were just
appended to the already freed list, leading to a segfault.
Signed-off-by: Allan McRae <allan@archlinux.org>
(cherry picked from commit 0a25548cd0)
Commit e6a6d307 detected complete part files by comparing a payload's
max_size to initial_size. However, these values are also equal when we
use pacman -U on a URL as max_size is set to 0 in that case. Add a further
condition to avoid that.
Signed-off-by: Allan McRae <allan@archlinux.org>
(cherry picked from commit e54617c7d5)
We previously has the maximum database size as 25MB. This was set in the days
before repos had as many packages as they do now, and before we started
distributing files databases. Increase this limit to 128MB.
Signed-off-by: Allan McRae <allan@archlinux.org>
(cherry picked from commit 2856a7dea3)
In rare cases, likely due to a well timed Ctrl+C, but possibly due to a
broken mirror, a ".part" file may have size at least that of the correct
package size.
When encountering this issue, currently pacman fails in different ways
depending on where the package falls in the list to download. If last,
"wrong or NULL argument passed" error is reported, or a "invalid or
corrupt package" issue if not.
Capture these .part files, and remove the extension. This lets pacman
either use the package if valid, or offer to remove it if it fails checksum
or signature verification.
Signed-off-by: Allan McRae <allan@archlinux.org>
(cherry picked from commit e6a6d30793)
We now store key structs of our missing key info, so can not search the list
for string matches. This caused missing keys to be downloaded once for every
package they signed.
Signed-off-by: Allan McRae <allan@archlinux.org>
(cherry picked from commit 540b19164b)
This allows pacman to print the correct error message when checking keys
and libalpm has been compiled without gpgme support.
Signed-off-by: Allan McRae <allan@archlinux.org>
The dummy checksigs function never sets count to 0, leaving it
unitialized. This caused the siglist cleanup to try and free the empty
list.
Signed-off-by: Allan McRae <allan@archlinux.org>
With unknown uid pacman crashed. Return with error from email_from_uid()
if uid is NULL.
Signed-off-by: Christian Hesse <mail@eworm.de>
Signed-off-by: Allan McRae <allan@archlinux.org>
when a satisfying package is already installed, we always pick it
instead of prompting the user. So we can return that package as soon as
we find it, instead of waiting until we've iterated through all the
databases.
Signed-off-by: Allan McRae <allan@archlinux.org>
If we failed to get the pkg from pkgcache then we know no satisfying
package exists by name. So only compare provides.
Signed-off-by: Allan McRae <allan@archlinux.org>
Currently pacman relies on the SKS keyserver network to fetch unknown
PGP keys. These keyservers are vulnerable to signature spamming attacks,
potentionally making it impossible to import the required keys. An
alternative to keyservers is a so-called Web Key Directory (WKD), a
well-known, trusted location on a server from where the keys can be
fetched.
This commit adds the ability to retrieve keys from a WKD. Due to the
mentioned vulnerabilities, the WKD is tried first, falling back to the
keyservers only if no appropriate key is found there.
In contrast to keyservers, keys in a WKD are not looked up using their
fingerprint, but by email address. Since the email address of the
signing key is usually not included in the signature, we will use the
packager email address to perform the lookup.
Also see FS#63171.
Signed-off-by: Jonas Witschel <diabonas@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
Ask the user whether they want to import a missing key before even doing
a search on the keyserver. This will be useful for getting Web Key
Directory support in place: for a WKD, looking up and importing a key
are a single action, so the current key_search -> QUESTION -> key_import
workflow does not apply.
Since only the ID of the package signing key is available before
key_search, we display the packager variable in addition to the key ID
for user convenience.
Signed-off-by: Jonas Witschel <diabonas@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
Downloads with a Content-Disposition header will typically not include
slashes. When they do, we should most certainly only take the basename,
but when they don't, we should treat the header value as the filename.
Crash introduced in d197d8ab82 when we started using get_filename
in order to rightfully avoid an arbitrary file overwrite vulnerability.
Signed-off-by: Allan McRae <allan@archlinux.org>
If we use make dist to create the official, signed release tarballs,
those will not have meson build files by default since autotools doesn't
know what they are.
Also distribute all src/common/ files. We never strictly needed any of
them to be distributed with autotools, because the dist tarball
dereferences the symlinks (???), but only some of them were being
distributed, and meson needs them to be in the right location as we only
build libcommon from the primary files.
Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
Currently when caling alpm_trans_commit, if fetching a package restults
in a 404 (or other non 400 response code), the function returns -1 but
errno is never set.
This patch sets errno to ALPM_ERR_RETRIEVE.
Signed-off-by: Allan McRae <allan@archlinux.org>
%X is locale-dependent, making it impossible to reliably parse and
potentially overflowing the buffer. %T is consistent across locales.
Also fixes some adjacent whitespace.
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
Make it clearer that the targets are matched against both directories
and regular files and free up File to potentially refer specifically to
regular files in the future. File is retained as a deprecated alias for
Path for the time being to avoid breaking existing hooks and will be
removed in a future release.
See FS#53136.
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
Clang 8 warns that adding a string to an integer does not append to
string. Indeed it doesn't, but that was not the intentetion. Use array
indexing as suggested by the compiler to silence the warning. There
should be no functional change.
Example of warning message:
alpm.c:71:54: warning: adding 'int' to a string does not append to the string [-Wstring-plus-int]
sprintf(hookdir, "%s%s", myhandle->root, SYSHOOKDIR + 1);
~~~~~~~~~~~^~~
alpm.c:71:54: note: use array indexing to silence this warning
sprintf(hookdir, "%s%s", myhandle->root, SYSHOOKDIR + 1);
^
& [ ]
1 warning generated.
gpgme in git master now supports pkg-config and with the next release we
can and should prefer its use. However, retain the legacy code that
enables building with older versions of gpgme, as a fallback.
Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
The time logged is currently given as localtime without any timezone
information. This is confusing in various scenarios.
Examples:
* If one is travelling across time-zones and the timestamps in the log
appear out of order.
* Comparing dates with `datediff` gives an offset by the time-zone
This patch would reformat the time-stamp to a full ISO-8601 version.
It includes the 'T' separating date and time including seconds.
Old: [2019-03-04 16:15]
New: [2019-03-04T16:15:45-05:00]
Signed-off-by: Florian Wehner <florian@whnr.de>
Signed-off-by: Allan McRae <allan@archlinux.org>
When installing a remote package with "pacman -U <url>", pacman renames
the downloaded package file to match the name given in the
Content-Disposition header. However, pacman does not sanitize this name,
which may contain slashes, before calling rename(). A malicious server (or
a network MitM if downloading over HTTP) can send a content-disposition
header to make pacman place the file anywhere in the filesystem,
potentially leading to arbitrary root code execution. Notably, this
bypasses pacman's package signature checking.
For example, a malicious package-hosting server (or a network
man-in-the-middle, if downloading over HTTP) could serve the following
header:
Content-Disposition: filename=../../../../../../usr/share/libalpm/hooks/evil.hook
and pacman would move the downloaded file to
/usr/share/libalpm/hooks/evil.hook. This invocation of "pacman -U" would
later fail, unable to find the downloaded package in the cache directory,
but the hook file would remain in place. The commands in the malicious
hook would then be run (as root) the next time any package is installed.
Discovered-by: Adam Suhl <asuhl@mit.edu>
Signed-off-by: Allan McRae <allan@archlinux.org>
If a mirror responds with a 301 redirect to itself, it will create an
infinite redirect loop. This will cause pacman to hang, unresponsive to
even a SIGINT. The result is pacman being unable to sync or
download any package from a particular repo if its current mirror
is stuck in a redirect loop. Setting libcurl's MAXREDIRS option
effectively prevents a redirect loop from hanging the process.
Signed-off-by: Mark Ulrich <mark.ulrich.86@gmail.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
The behaviour of "pacman -Qu" was very strange... It would only consider
packages from repos with Usage = Search (or All), and ignore those with
Usage = Sync, Install or Upgrade.
This is because the function alpm_sync_newversion() used ALPM_DB_USAGE_SEARCH
for its filtering. Given this function is documented (at least in the source)
to "Check for new version of pkg in sync repos", I would expect that to look at
all repos. However, just changing this parameter, would result in a fairly
silent change in behaviour of this function. Instead, rename the function
and remove this filtering altogether. Users of this function can filter
the dbs passed to this function to achieve their desired output.
Signed-off-by: Allan McRae <allan@archlinux.org>
The alignment was not overly helpful and caused unnecessary churn when a new
value with longer name was added.
Signed-off-by: Allan McRae <allan@archlinux.org>
Commit 0994893b0e added the
alpm_pkg_get_{make,check}depends functions but forgot to include
logic for parsing these fields from the database. As a result these
functions will always return an empty list.
This commit adds the parsing logic.
Signed-off-by: morganamilo <morganamilo@gmail.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
While at it and for consistency move the assignment of the variable
'local' into the subsequent conditional.
Signed-off-by: Michael Straube <michael.straube@posteo.de>
Signed-off-by: Allan McRae <allan@archlinux.org>
sync:
As pointed out by Andrew Gregory there could be an error when adding
duplicates if they are two separate packages with the same name. Add a
check in alpm_add_pkg() to test whether the duplicate is actually the
same package, and if so, log a debug message and return success to skip
the package. If the duplicate is a different package return
ALPM_ERR_TRANS_DUP_TARGET and treat that error just like any other error
in pacman.
remove:
Change alpm_remove_pkg() to just log a debug message and return success
to skip duplicates. Remove the handling of ALPM_ERR_TRANS_DUP_TARGET in
pacman.
Also fixes FS#49377.
Suggested-by: Andrew Gregory <andrew.gregory.8@gmail.com>
Signed-off-by: Michael Straube <michael.straube@posteo.de>
Signed-off-by: Allan McRae <allan@archlinux.org>
Commit 2ee7a8d89a replaced a manual check
for a local package with a check for the "oldpkg" member, which gets set
at the beginning of the transaction. If the package was also in the
remove list, such as when a package gets replaced, it would no longer be
in the local db and pacman would try to remove it twice, resulting in
superfluous error messages.
Fixes: FS#50875, FS#55534
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
ALPM_SIG_USE_DEFAULT does not refer to an actual siglevel, rather it
indicates that the global default should be used in place of the
operation-specific one. Setting this value for the global default
itself makes no sense.
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
An empty siglevel does not do any signature verification which is
exactly what we want when compiled without gpg support. This is already
allowed in other parts of the codebase and required for the test suite
to pass when compiled without gpg support.
Fixes: FS#60880
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
"wrong or NULL argument passed" is a useless error for end users.
Fixes FS#60880.
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
Provide both build systems in parallel for now, to ensure that we work
out all the differences between the two. Some time from now, we'll give
up on autotools.
Meson tends to be faster and probably easier to read/maintain. On my
machine, the full meson configure+build+install takes a little under
half as long as a similar autotools-based invocation.
Building with meson is a two step process. First, configure the build:
meson build
Then, compile the project:
ninja -C build
There's some mild differences in functionality between meson and
autotools. specifically:
1) No singular update-po target. meson only generates individual
update-po targets for each textdomain (of which we have 3). To make
this easier, there's a build-aux/update-po script which finds all
update-po targets and runs them.
2) No 'make dist' equivalent. Just run 'git archive' to generate a
suitable tarball for distribution.
If poll() is interrupted by a signal, alpm was closing the socket it
uses for listening to script/hook output. This would drop script output
at the least and kill the script at the worst.
Fixes FS#60396
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
Front-ends or libraries may set signals to be ignored, which gets
inherited across fork and exec. This can cause scripts to malfunction
if they expect the signal. To make matters worse, scripts written in
bash can't reset signals that were ignored when bash was started.
Fixes FS#56756
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
When --needed is used, up to date packages are now filtered out
before showing the group select.
Fixes FS#22870.
Signed-off-by: morganamilo <morganamilo@gmail.com>
