Removing lock-never from the default gpg.conf file exposed a couple of bugs
in the permission checks in pacman-key.
Signed-off-by: Allan McRae <allan@archlinux.org>
A filelist can be non-NULL but empty (particularly with a lot of
NoExtract entries). Handle this in alpm_filelist_contains()
Identified using the undefined behaviour sanitizer.
Signed-off-by: Allan McRae <allan@archlinux.org>
Filling in more of the payload fields before passing to the downloader ensures
that the these fields do not get lost during sandboxed operations.
It also fixes the use of -U with XferCommand, but testsuite still fails due to
"404" page being downloaded for the signature. Given we can not identify this
as being a non-signature download with the XferCommand, we can just turn off
signature checking in this test.
Signed-off-by: Allan McRae <allan@archlinux.org>
If the SandboxUser configure option is set, the internal downloader
will fork of a child process and drop to the specified user to download
the files.
Signed-off-by: Remi Gacogne <rgacogne@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
Add log and download callbacks to use within a sandbox. These are
designed to be passed from the sandbox to the parent through a file
descriptor and then processed into alpm callbacks to be passed to the
frontend.
Note, only callbacks used in libalpm are added. Other callbacks should
be set to NULL in the child process.
Add alpm_sandbox_child() function that will be used for switching to a
less priviledged user to run child processes.
Signed-off-by: Allan McRae <allan@archlinux.org>
The DownloadUser option will be used to drop privledges to the
specified user when downloading files.
The intention is for this to be extended in the future to a more
general sandbox configuration to cover operating on package and
database files prior to verification.
Add this option to pacman configuration and the various accessors into
the libalpm backend.
Signed-off-by: Allan McRae <allan@archlinux.org>
Previously, the for loops on lines 1035 and 1037 would advance to the
next element in the server list, even if downloading the URL succeeded.
If there are no more servers in the list, `s` would be NULL, causing
a NULL pointer dereference on line 1046. If there were servers left
in the list, the signature would be downloaded from a wrong URL.
1. Fetching of database signatures is enabled.
2. There is only one enabled remote repository URL, or fetching from
all but the last one fails and fetching from the last one succeeds.
3. An XferCommand is used.
Qubes OS Arch templates satisfy all of these conditions and trigger the bug.
We were indirectly adjusting a pointer to a parameter that was declared
as a const. This resulted in a use-after-free when using --debug:
[11:09:18] debug: config: finished parsing ��A�8_
Signed-off-by: Allan McRae <allan@archlinux.org>
The bug tracker had been updated in doc/index.asciidoc, but the one in
doc/footer.asciidoc was still the old one, which is a deadlink now.
I udpated it just by copying the sentense in doc/index.asciidoc
Signed-off-by: Dale young <daleyoung4242@gmail.com>
We only really need debugedit while building the package, while this
check would run if you tried something like `makepkg --verifysource`.
Use the same checks as we have for fakeroot to wrap debugedit so we
don't beg for dependencies we don't need.
Fixes: 3ed08f97ec
Signed-off-by: Morten Linderud <morten@linderud.pw>
Not actually a fix, as the pacman output will still be weird and
we will not gracefully exit, but it does print an error message...
Signed-off-by: Allan McRae <allan@archlinux.org>
The current code treats -k/--key as a binary option which later makes it
fail parsing the argument as then the end of arguments '--' is treated
as the GPGKEY. We fix this by adding the appropriate specifier to the
long and shortopt.
Closes https://gitlab.archlinux.org/pacman/pacman/-/issues/105
Fixes: 4f43ce3e ("repo-add: use parseopts from libmakepkg")
Signed-off-by: Christian Heusel <christian@heusel.eu>
The third parameter to wcstombs() is the length of the output buffer
(first parameter) in bytes. Take the correct sizeof() here.
This is not a problem in practice, but prevents _FORTIFY_SOURCE=3 from
detecting a possible output buffer overflow (as the source buffer is
bigger than the destination).
Fixes#104.
Signed-off-by: Ivan Shapovalov <intelfx@intelfx.name>
Setting sysroot to / is not the same as having no sysroot, because the
sysroot is prepended to ALL config paths including relative ones:
$ cd /etc
$ pacman --config=pacman.conf
error: config file /pacman.conf could not be read: No such file or directory
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
We use an extended glob here, but were relying on having it globally set
in makepkg. This causes it to fail when used in scripts.
Since scripts using libmakepkg may not want extglob to be set, save and
restore the environment while explicitly setting extglob only where we
need it.
Signed-off-by: Levente Polyak <anthraxx@archlinux.org>
In pacman's progress callback, pkgname being null may result in a
segfault, due to undefined printf behaviour. libalpm always passes
at least an empty string for pkgname, so this situation is largely
avoided.
However, the callback mostly checked for pkgname's being non-null
and not empty. This means a additional space was being added to
the output messages (although with zero actual effect on the output).
Be a bit more robust here by treating null and empty pkgname the
same and fixing the invisible output issue...
Signed-off-by: Allan McRae <allan@archlinux.org>
A potential buffer overflow could occur if a detected terminal escape
sequence was not for a terminal colour (i.e. did not contain an "m").
Fix the potential buffer overflow while explicitly detecting only
terminal colour escape sequences. Any other escape sequence is
unexpected, and just gets pushed to the terminal.
Signed-off-by: Allan McRae <allan@archlinux.org>
I'm not sure why this was originally included, but it has now become
a problem with multiple processes updating the keyring (e.g. the
systemd timer for WKD updates from Arch Linux).
Signed-off-by: Allan McRae <allan@archlinux.org>
