Last commit made on 2020-05-14
Get this branch:
git clone -b 1.4.y https://git.launchpad.net/apt

Branch merges

Branch information


Recent commits

a8b1e17... by Julian Andres Klode

Fix location of testdeb in added regression tests

7a0f00e... by Julian Andres Klode

Release 1.4.10

e3c86e9... by Julian Andres Klode

SECURITY UPDATE: Fix out of bounds read in .ar and .tar implementation (CVE-2020-3810)

When normalizing ar member names by removing trailing whitespace
and slashes, an out-out-bound read can be caused if the ar member
name consists only of such characters, because the code did not
stop at 0, but would wrap around and continue reading from the
stack, without any limit.

Add a check to abort if we reached the first character in the
name, effectively rejecting the use of names consisting just
of slashes and spaces.

Furthermore, certain error cases in arfile.cc and extracttar.cc have
included member names in the output that were not checked at all and
might hence not be nul terminated, leading to further out of bound reads.

Fixes Debian/apt#111
LP: #1878177

4f65e47... by Julian Andres Klode

Fix-up size in 1.4.9 security fix test case

It seems we ran the test with the wrong size.

1c5d0ef... by Julian Andres Klode

Add .gitlab-ci.yml for CI testing on Salsa

2f984e7... by Julian Andres Klode

Release 1.4.9

ba24501... by Julian Andres Klode

SECURITY UPDATE: content injection in http method (CVE-2019-3462)

This fixes a security issue that can be exploited to inject arbritrary debs
or other files into a signed repository as followed:

(1) Server sends a redirect to somewhere%0a<headers for the apt method> (where %0a is
    \n encoded)
(2) apt method decodes the redirect (because the method encodes the URLs before
    sending them out), writting something like
    into its output
(3) apt then uses the headers injected for validation purposes.

Regression-Of: c34ea12ad509cb34c954ed574a301c3cbede55ec
LP: #1812353

ac0d26d... by Julian Andres Klode

Release 1.4.8

e43fca3... by Julian Andres Klode

Fix translator comment location for legacy target warning

In commit Do not warn about duplicate "legacy" targets, we
we added an if, that changed the .po files...

(cherry picked from commit e9db5ba7c7631d51359967afb1d563da7637be11)

Gbp-Dch: ignore

3e63968... by Julian Andres Klode

apt-daily: Pull in network-online.target in service, not timer

There's no real point in pulling it in in the timer already,
and it it somewhat saver to do so in the service.

(cherry picked from commit 11417c1058e1b8441ee8f30f948e854b7a6ce89e)

LP: #1716973