Last commit made on 2020-05-14
Get this branch:
git clone -b debian/jessie https://git.launchpad.net/apt

Recent commits

55b8a7a... by Julian Andres Klode

test-github-111-invalid-armember: Rewrite to handle gzip SIGPIPE


31d0f77... by Julian Andres Klode

Run tests with ulimit -n 64 and add .gitlab-ci.yml for CI

a06a45b... by Julian Andres Klode


70be0fd... by Julian Andres Klode

fixup test for jessie

c26cef8... by Julian Andres Klode

SECURITY UPDATE: Fix out of bounds read in .ar and .tar implementation (CVE-2020-3810)

When normalizing ar member names by removing trailing whitespace
and slashes, an out-of-bound read can be caused if the ar member
name consists only of such characters, because the code did not
stop at 0, but would wrap around and continue reading from the
stack, without any limit.

Add a check to abort if we reached the first character in the
name, effectively rejecting the use of names consisting just
of slashes and spaces.

Furthermore, certain error cases in arfile.cc and extracttar.cc have
included member names in the output that were not checked at all and
might hence not be nul terminated, leading to further out of bound reads.

Fixes Debian/apt#111
LP: #1878177
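
The bounds check described in the commit message above, as an added C example that is not apt's code and not part of the commit. The helper name `normalize_ar_name`, the constant `AR_NAME_LEN`, and the sample name fields are assumptions made for illustration; the 16-byte, space-padded name field is the standard ar header layout.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define AR_NAME_LEN 16 /* fixed-width, space-padded name field of an ar header */

/* Hypothetical helper (not apt's function): copy the unterminated name field
 * into out, strip trailing spaces and slashes, and NUL-terminate the result.
 * Returns the trimmed length, or -1 if out is too small or nothing is left. */
int normalize_ar_name(const char field[AR_NAME_LEN], char *out, size_t outsz)
{
    if (outsz < AR_NAME_LEN + 1)
        return -1;

    /* The field carries no terminator, so never hand it to %s or strlen().
     * Work on a bounded copy that is always NUL-terminated. */
    memcpy(out, field, AR_NAME_LEN);
    out[AR_NAME_LEN] = '\0';

    /* Start at an embedded NUL if there is one, otherwise at the field end. */
    const char *nul = memchr(field, '\0', AR_NAME_LEN);
    size_t i = nul ? (size_t)(nul - field) : AR_NAME_LEN;

    /* Walk backwards over padding. The i > 0 test is the stop condition:
     * without it, a name made only of ' ' and '/' sends the index past 0. */
    while (i > 0 && (out[i - 1] == ' ' || out[i - 1] == '/'))
        i--;

    if (i == 0)
        return -1; /* reject names consisting only of spaces and slashes */

    out[i] = '\0';
    return (int)i;
}

int main(void)
{
    /* Constructed sample fields, exactly 16 bytes each, no terminator. */
    const char good[AR_NAME_LEN] = { 'd','e','b','i','a','n','-','b','i','n','a','r','y','/',' ',' ' };
    const char bad[AR_NAME_LEN]  = { '/','/',' ',' ','/',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ','/' };
    char out[AR_NAME_LEN + 1];

    int n = normalize_ar_name(good, out, sizeof out);
    printf("good: %d \"%s\"\n", n, n < 0 ? "" : out);
    printf("bad:  %d\n", normalize_ar_name(bad, out, sizeof out));
    return 0;
}
```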

ca28c54... by Julian Andres Klode


7deeaff... by Julian Andres Klode

SECURITY UPDATE: content injection in http method (CVE-2019-3462)

This fixes a security issue that can be exploited to inject arbitrary debs
or other files into a signed repository as follows:

(1) Server sends a redirect to somewhere%0a<headers for the apt method> (where %0a is
    \n encoded)
(2) apt method decodes the redirect (because the method encodes the URLs before
    sending them out), writing something like
    into its output
(3) apt then uses the headers injected for validation purposes.

Our test webserver does not support the necessary bits in this version that
we used in newer versions, so no testing script is provided.

Regression-Of: c34ea12ad509cb34c954ed574a301c3cbede55ec
LP: #1812353

ff4cf25... by Julian Andres Klode

Release security update

538b04f... by Julian Andres Klode

SECURITY UPDATE: gpgv: Check for errors when splitting files (CVE-2016-1252)

This fixes a security issue where signatures of the
InRelease files could be circumvented in a man-in-the-middle
attack, giving attackers the ability to serve any packages
they want to a system, in turn giving them root access.

It turns out that getline() may not only return EINVAL
as stated in the documentation - it might also return
in case of an error when allocating memory.

This fix not only adds a check that reading worked
correctly, it also implicitly checks that all writes
worked by reporting any other error that occurred inside
the loop and was logged by apt.

Affected: >= 0.9.8
Reported-By: Jann Horn <email address hidden>
Thanks: Jann Horn, Google Project Zero for reporting the issue
LP: #1647467
(cherry picked from commit 51be550c5c38a2e1ddfc2af50a9fab73ccf78026)
(cherry picked from commit 4ef9e0837ce139b398299431ae2294882f531d8e)
(cherry picked from commit 0bbbabb1b961b3b6541e7fdc8061fe6f282eafad)

66b6878... by Julian Andres Klode