atio's behaviour is undefined if the input is not valid. Also it does
all sorts of whitespace and prefix handling which we don't need for
pkgreason.
Instead of going into UB on invalid input we now return EXPLICIT as the
fallback and print an error. However we don't actually error out as the
DB parsing tries to be error tolerant.
Signed-off-by: Allan McRae <allan@archlinux.org>
alpm has certain requirements for package metadata necessary for proper
functioning, name and version in particular. These requirements are
already enforced in makepkg, but nowhere in alpm.
Exceptions are treated as errors for non-local packages because they
cannot be installed without potentially resulting in undefined behavior.
Exceptions for local packages are treated as warnings because they are
already installed, so any damage has already been done, and the user
would otherwise have no way to uninstall them.
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
The error path uconditinally tries to free the archive, leading to a
double-free segmentation fault if the error path is triggered after
already freeing it.
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
The free function was checking DB_STATUS_PKGCACHE, which is only set
once the package cache has been fully built.
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
In the very unlikely situtation where getmntent() and friends return
non-null, but the mount directory is NULL, a null dereference could
occur. It is unclear what the best course of action is in this case,
so just move on to the next mount point.
Signed-off-by: Allan McRae <allan@archlinux.org>
The length_check function could underflow if the provided buffer index
is greater than the signature buffer length, leading to an out of
bounds read.
Signed-off-by: Allan McRae <allan@archlinux.org>
These are the only log messages produced by pacman that include an
embedded newline, and it looks very incongruous in a typical pacman.log.
Signed-off-by: Allan McRae <allan@archlinux.org>
The primary purpose of this is to allow cleanup of file descriptors
allocated by curl that were left open in the child. I am not aware of
any issues caused by the open file descriptors, but think it better to
not leave random open fd's lying around.
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
Freeing handle resources was previously split awkwardly between
_alpm_handle_free and alpm_release. This consolidates the freeing of
all in-memory resources to _alpm_handle_free, leaving alpm_release as a
thin wrapper that provides safety checks and frees any external
resources, e.g. removing lock files.
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
Cache servers differ from regular servers in that they do not produce
warnings and are not removed from the server pool for "soft errors"
(i.e. the server was reachable, but the download failed) and they are
not used for databases. If a host is used for both a cache server and a
regular server, it may still be removed from the server pool for soft
errors that occur when used as cache server and removal from the server
pool for soft errors will not affect future attempted use as a cache
server.
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
chroot() requires CAP_SYS_CHROOT. If the caller has put us in the
right root directory already, don't call chroot(). This allows
running pacman in a containerized environment without CAP_SYS_CHROOT.
Some user had erros while updating their system.
:: Proceed with installation? [Y/n]
:: Retrieving packages...
checking keyring...
checking package integrity...
error: failed to commit transaction (invalid or corrupted package)
Errors occurred, no packages were upgraded.
The issue was filecache_find returning null and alpm passing that null
path to check validity. How this happened I have no idea. It may be
something to do with the user's cachedir being a network drive.
Also warn when the file exists but it is not a regular file or can not
be opened.
When ever pacman prints a conflict, it now prints pkgname-version,
instead of just pkgname.
alpm_conflict_t now carries *alpm_pkg_ts instead of just the
names of each package.
Fixes FS#12536 (point 2)
We have not set handle in the function at this stage, so we can not
assign an error to it. Pass the handle to the function to avoid
waiting until the payload is retrieved.
Signed-off-by: Allan McRae <allan@archlinux.org>
Move closing of the file descriptor until the end of the function, as
any following error will lead to a "goto error" that attempts to close
it again.
Signed-off-by: Allan McRae <allan@archlinux.org>
This also prevents a use-after-free issue where we free the list we
are interating over and the do i->next.
Signed-off-by: Allan McRae <allan@archlinux.org>
The currently used openssl interfaces for calculating checksums have been
deprecated in openssl-3.0. Move to the modern interfaces to avoid build
warnings.
Signed-off-by: Allan McRae <allan@archlinux.org>
Bash sources user configuration files under a number of conditions that
can cause issues with scripts when bash is used as the scriptlet shell.
Bash assumes it's being run under rsh/ssh if stdin is connected to a
socket and sources the user bashrc unless the environment variable
$SHLVL is >= 2. Commit 6a4c6a02de
switched from pipes to sockets when communicating with child processes
to work around SIGPIPE issues. Normally $SHLVL would be inherited from
the shell running pacman, but operations involving scriptlets are
generally run with sudo which does not let the $SHLVL variable through
unless specifically configured to.
Similarly $BASH_ENV can cause bash to source user-specified configuration
files if set.
https://lists.gnu.org/archive/html/help-bash/2022-02/msg00082.html
Note: the list discussion and bash source all reference SHLVL >= 2, this
is the SHLVL value *after* bash has incremented it on startup. Setting
it to 1 in pacman is sufficient to disable the unwanted behavior.
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
The last user of ABORT_SIGINT was removed in commit 84723cab5d
("Cleanup the old sequential download code"), and this isn't exported as
part of the public API.
Signed-off-by: Chris Down <chris@chrisdown.name>
Signed-off-by: Allan McRae <allan@archlinux.org>
This adds a mechanism for package builders to add arbitrary data to
packages that is not necessarily relevant enough to the package
installation process to gain first-class support in alpm. Currently
these fields have to be added to parsers with a "not actually used"
comment and can't be retrieved through the API.
Extended data is stored in "name=value" format in the xdata field
(%XDATA% in desc files):
xdata = pkgtype=debug
or
%XDATA%
pkgtype=debug
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
db and pkg store a pointer to the handle for internal use but don't
actually provide a way for a user to get it.
Making this accessible is more convenient for front ends and FFI
wrappers.
For example, in other languages it's common to return the error value
directly. To achieve this the python and rust wrappers also store their
own pointer to the handle inside their own pkg/db wrappers.
Exposing this would allow the wrappers to forgo the extra pointer and
just return `pkg.get_handle().last_error()`.
Parsing of Content-Disposition relies on well formed headers.
A malformed header such as:
Content-Disposition="";
will result in a strnduppayload->content_disp_name, -1, ptr),
which will copy memory until it hits a \0.
Prevent this by only copying the value if it exists.
Fixes FS#73704.
Signed-off-by: Allan McRae <allan@archlinux.org>
In order to use WKD in pacman -U/--upgrade operations, we need to
get the packager information from the .PKGINFO within the package.
That has obvious security implications. e.g. something like this
could convince a user to download a different key to what they
expect:
packager = foo bar <>^[[2K^[[0G:: Import PGP key DEADBEEF, "foo <bar>
While downloading an untrusted key has little impact due to the
web-of-trust model used by pacman, this could be bad in combination
with an exploit that allowed trust of keys in the keyring to be
altered.
To be safe, do not use WKD when installing using -U.
Fixes FS#73703.
Signed-off-by: Allan McRae <allan@archlinux.org>
Avoid a segfault when a search of the keyserver returns that the
key is found but returns no primary IDs. We are then likely going
to fail the import, but attempt anyway because no-one know what
a keyserver will do!
Fixes FS#73534.
Signed-off-by: Allan McRae <allan@archlinux.org>
Looking up a key using WKD just ensures you have a key with the
same email address, it does not ensure that a key with the correct
fingerprint has been downloaded.
Check a key with the relevant fingerprint is available after a
WKD import.
This implements pkgtype into .PKGINFO. This is useful to ensure tools
parsing packages do not miss important context on the creation of the
package.
For instance discovering if a given .pkg.tar is a debug package, one
would have to do heuristics on the pkgdesc and "${pkgbase}-debug".
However both of these values are controlled by the packager.
Similarly, the heuristic for discovering split packages is if pkgbase
and pkgname differ, which can happen in any package as both values are
packager controlled.
This should ensure we don't need to rely on heuristics and instead
include the context of how the package was created.
Signed-off-by: Morten Linderud <morten@linderud.pw>
Signed-off-by: Allan McRae <allan@archlinux.org>
