From 6484ed9849f03971eb48ee1fdc21a2f128247eb1 Mon Sep 17 00:00:00 2001 From: Timo Teräs Date: Wed, 5 Sep 2018 19:49:22 +0300 Subject: rework unpacking of packages and harden package file format requirements A crafted .apk file could to trick apk writing unverified data to an unexpected file during temporary file creation due to bugs in handling long link target name and the way a regular file is extracted. Several hardening steps are implemented to avoid this: - the temporary file is now always first unlinked (apk thus reserved all filenames .apk.* to be it's working files) - the temporary file is after that created with O_EXCL to avoid races - the temporary file is no longer directly the archive entry name and thus directly controlled by potentially untrusted data - long file names and link target names are now rejected - hard link targets are now more rigorously checked - various additional checks added for the extraction process to error out early in case of malformed (or old legacy) file Reported-by: Max Justicz --- src/apk_archive.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'src/apk_archive.h') diff --git a/src/apk_archive.h b/src/apk_archive.h index 6d1916d..7436dd3 100644 --- a/src/apk_archive.h +++ b/src/apk_archive.h @@ -28,7 +28,8 @@ int apk_tar_write_entry(struct apk_ostream *, const struct apk_file_info *ae, int apk_tar_write_padding(struct apk_ostream *, const struct apk_file_info *ae); int apk_archive_entry_extract(int atfd, const struct apk_file_info *ae, - const char *suffix, struct apk_istream *is, + const char *extract_name, const char *hardlink_name, + struct apk_istream *is, apk_progress_cb cb, void *cb_ctx); #endif -- cgit v1.2.3
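Review bot: The new `const char *extract_name, const char *hardlink_name` parameters to apk_archive_entry_extract in this hunk come with no comment on their contract, even though the commit message makes this split the heart of the hardening: the name that is actually created is no longer derived directly from the untrusted archive entry name, and hard link targets are to be checked more rigorously. Add a short comment above the prototype stating what each name is resolved relative to (the directory open at `atfd`), whether hardlink_name may be NULL for entries that are not hard links, and which side (caller or callee) is responsible for the length and target checks the commit message describes, since this header is the one place every call site will read. Also note that replacing `const char *suffix` with two parameters changes the function signature, so every caller of apk_archive_entry_extract has to be updated in the same change or the build breaks; the header-only view shown here cannot confirm that this was done.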