emo/xbps
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
xbps/lib
History
Michael Gehring 4aae026615 lib/package_unpack.c: verify signed pkgver matches 
$ARCH-repodata is currently not protected by a signature. While most of
the package metadata is also embedded into the .xbps files, which are
protected by a signature, xbps-install ignores it
(1670ff000d/lib/package_unpack.c (L123))
and relies entirely on $ARCH-repodata.

This enables anyone who is able to modify the $ARCH-repodata to
substitute packages. This patch adds a check that verifies the signed
pkgver matches the one in the repodata, so at least downgrades posing as
updates are detected.

This is an incomplete fix as the whole transaction is still set up with
the unsigned repodata and other issues surely exist. The real fix is
signing $ARCH-repodata.
2017-07-09 12:46:01 +00:00
..
compat
lib/compat/vasprintf.c: make this build and fix sign-compare warnings.
2013-02-02 01:31:20 +01:00
external
libxbps: use xbps_strlc{at,py} everywhere.
2016-04-17 20:17:37 +02:00
fetch
lib/fetch: default port, error checks and authentication support
2016-09-02 17:50:05 +02:00
portableproplib
lib/portableproplib: fix various oob reads/segfaults
2016-04-07 15:07:11 +02:00
archive.c
xbps-create(1): timestamps of metadata files are now set to epoch.
2015-09-03 11:12:49 +02:00
cb_util.c
Remove the config.h kludge and override vasprintf detection via HAVE_VASPRINTF.
2014-01-20 18:50:33 +01:00
download.c
libxbps: use xbps_strlc{at,py} everywhere.
2016-04-17 20:17:37 +02:00
initend.c
libxbps: use xbps_strlc{at,py} everywhere.
2016-04-17 20:17:37 +02:00
Makefile
Implemented reverse conflicts for pkgs in pkgdb and transaction.
2015-10-28 05:23:42 +01:00
package_alternatives.c
lib/package_alternatives.c: cleanup create_symlinks
2016-09-05 16:03:41 +02:00
package_config_files.c
Fix xbps_dbg_printf arguments by using __attribute__((format, printf)).
2016-02-06 09:13:38 +01:00
package_configure.c
lib/package_configure.c: fix memleak
2016-09-25 21:27:46 +02:00
package_find_obsoletes.c
Keep /usr/sbin if found as obsolete, it's a symlink in void.
2015-06-05 08:29:05 +02:00
package_fulldeptree.c
xbps_get_pkg_fulldeptree: detect pkgs depending on itself via virtual pkgs.
2015-03-20 08:03:06 +01:00
package_msg.c
lib/package_msg.c: fix a heap overflow (noticed by @Gottox).
2014-09-16 09:13:32 +02:00
package_orphans.c
xbps-remove: fix #95 (xbps-remove -R pkg lists/removes orphans)
2015-05-06 17:21:13 +02:00
package_register.c
Remove empty self replaced pkg arrays from pkgdb.
2014-09-14 18:16:43 +02:00
package_remove.c
package_remove: reset errno when a file does not exist (ENOENT).
2015-12-01 08:31:05 +01:00
package_script.c
actually use HAVE_FDATASYNC
2016-02-08 15:09:43 +01:00
package_state.c
Get rid of libfetch and proplib external dependencies.
2013-06-20 10:26:12 +02:00
package_unpack.c
lib/package_unpack.c: verify signed pkgver matches
2017-07-09 12:46:01 +00:00
pkgdb_conversion.c
Introduce xbps_plist_{array,dictionary}_from_file().
2015-05-28 10:15:05 +02:00
pkgdb.c
Fix 29765271e correctly.
2016-03-24 10:23:20 +01:00
plist_fetch.c
libfetch: fix races in the cache connection code.
2014-12-23 10:52:54 +01:00
plist_find.c
Fix 29765271e correctly.
2016-03-24 10:23:20 +01:00
plist_match.c
libxbps: the provides obj now expects exact pkgver strings.
2015-01-10 07:26:23 +01:00
plist_remove.c
Add xbps_remove_{pkgname,string}_from_array() to the API.
2014-09-13 18:13:25 +02:00
plist.c
xbps_array_foreach_cb_multi: handle the case of sysconf returning 0.
2015-11-26 07:18:14 +01:00
proplib_wrapper.c
Introduce xbps_plist_{array,dictionary}_from_file().
2015-05-28 10:15:05 +02:00
pubkey2fp.c
lib: dont call EVP_cleanup in fp2str
2016-04-24 16:40:25 +02:00
repo_pkgdeps.c
Fix xbps_dbg_printf arguments by using __attribute__((format, printf)).
2016-02-06 09:13:38 +01:00
repo_sync.c
xbps_repo_sync: fix regression introduced in 87ca42f3.
2014-10-24 11:16:24 +02:00
repo.c
lib/repo: plug stage repo mem leak
2016-05-04 09:46:14 +02:00
rpool.c
rpool: if pkg wasn't found set errno to ENOENT.
2015-10-19 17:05:55 +02:00
transaction_commit.c
libxbps: initialize locale correctly to handle UTF-8 filenames with musl.
2015-12-11 09:59:16 +01:00
transaction_conflicts.c
conflicts: really fix the issue with on hold pkgs and update test case.
2015-11-12 13:23:00 +01:00
transaction_dictionary.c
Implemented reverse conflicts for pkgs in pkgdb and transaction.
2015-10-28 05:23:42 +01:00
transaction_ops.c
Alternatives framework for xbps (2/2).
2015-10-30 12:24:46 +01:00
transaction_package_replace.c
libxbps: extend the fix for #116 even more for the expected case.
2015-10-19 18:19:24 +02:00
transaction_revdeps.c
libxbps: remove unused variable `pkgdepname'
2015-10-25 20:03:02 +02:00
transaction_shlibs.c
lib/transaction_shlibs.c: fix memleak
2016-09-25 21:47:40 +02:00
transaction_store.c
libxbps: print in verbose mode what pkgs are added to the transaction.
2015-09-02 18:56:20 +02:00
util_hash.c
lib/util_hash.c: fix memleak.
2016-06-20 10:03:49 +02:00
util.c
xbps_symlink_target: fix bug introduced in b81b9ab.
2016-02-04 09:55:46 +01:00
verifysig.c
lib/verifysig.c: use xbps_file_hash_raw()
2016-06-16 06:51:10 +02:00