618640d Merge remote-tracking branch 'upstream/main' — HardenedBSD-pkg

modified libpkg/fetch_libcurl.c

@@ -364,6 +364,7 @@ curl_fetch(struct pkg_repo *repo, int dest, struct fetch_item *fi)

 	const char *relpath = NULL;
 	const char *userpasswd = get_http_auth();
 	const char *http_proxy = getenv("HTTP_PROXY");
 	const char *http_proxy_auth = getenv("HTTP_PROXY_AUTH");
 	const char *sslkey = getenv("SSL_CLIENT_KEY_FILE");
 	const char *sslcert = getenv("SSL_CLIENT_CERT_FILE");
 	const char *ssl_ca_cert_file = getenv("SSL_CA_CERT_FILE");

@@ -453,6 +454,10 @@ do_retry:

 	}
 	if (http_proxy != NULL)
 		curl_easy_setopt(cl, CURLOPT_PROXY, http_proxy);
 	if (http_proxy_auth != NULL) {
 		curl_easy_setopt(cl, CURLOPT_PROXYAUTH, CURLAUTH_ANY);
 		curl_easy_setopt(cl, CURLOPT_PROXYUSERPWD, http_proxy_auth);
 	}
 	if (sslkey != NULL)
 		curl_easy_setopt(cl, CURLOPT_SSLKEY, sslkey);
 	if (sslcert != NULL)

modified libpkg/pkg.h.in

@@ -1752,6 +1752,7 @@ pkg_get_i(struct pkg *p, pkg_attr a, int64_t *val)

 		break;
 	case PKG_KVLIST:
 		free(e->stringlist);
 		break;
 	case PKG_STRINGLIST:
 		free(e->kvlist);
 		break;

@@ -1778,6 +1779,7 @@ pkg_get_b(struct pkg *p, pkg_attr a, bool *val)

 		break;
 	case PKG_KVLIST:
 		free(e->stringlist);
 		break;
 	case PKG_STRINGLIST:
 		free(e->kvlist);
 		break;

modified libpkg/pkg_repo_create.c

@@ -4,8 +4,8 @@

  * Copyright (c) 2011-2012 Marin Atanasov Nikolov <dnaeon@gmail.com>
  * Copyright (c) 2012-2013 Matthew Seaman <matthew@FreeBSD.org>
  * Copyright (c) 2014 Vsevolod Stakhov <vsevolod@FreeBSD.org>
  * Copyright (c) 2023 Serenity Cyber Security, LLC
  *                    Author: Gleb Popov <arrowd@FreeBSD.org>
  * Copyright (c) 2023-2024 Serenity Cyber Security, LLC
  *                         Author: Gleb Popov <arrowd@FreeBSD.org>
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions

@@ -462,40 +462,40 @@ group_load(struct pkg_repo_create *prc, int dfd, const char *name, ucl_object_t

 	ucl_array_append(prc->groups, obj);
 }
 static const char group_schema_str[] = ""
 	"{"
 	"  type = object;"
 	"  properties: {"
 	"    name: { type = string };"
 	"    requires: { "
 	"      type = array;"
 	"      item = { type = string };"
 	"    };"
 	"    depends: { "
 	"      type = array;"
 	"      item = { type = string };"
 	"    };"
 	"    comment: { type = string };"
 	"  };"
 	"  required = [ name, comment ];"
 	"};";
 static ucl_object_t *
 group_open_schema(void)
 open_schema(const char* schema_str, size_t schema_str_len)
 {
 	struct ucl_parser *parser;
 	ucl_object_t *group_schema;
 	static const char group_schema_str[] = ""
 		"{"
 		"  type = object;"
 		"  properties: {"
 		"    name: { type = string };"
 		"    requires: { "
 		"      type = array;"
 		"      item = { type = string };"
 		"    };"
 		"    depends: { "
 		"      type = array;"
 		"      item = { type = string };"
 		"    };"
 		"    comment: { type = string };"
 		"  };"
 		"  required = [ name, comment ];"
 		"};";
 	ucl_object_t *schema;
 	parser = ucl_parser_new(UCL_PARSER_NO_FILEVARS);
 	if (!ucl_parser_add_chunk(parser, group_schema_str,
 	    sizeof(group_schema_str) -1)) {
 	if (!ucl_parser_add_chunk(parser, schema_str,
 	    schema_str_len - 1)) {
 		pkg_emit_error("Cannot parse schema for group: %s",
 		    ucl_parser_get_error(parser));
 		    ucl_parser_free(parser);
 		    return (NULL);
 	}
 	group_schema = ucl_parser_get_object(parser);
 	schema = ucl_parser_get_object(parser);
 	ucl_parser_free(parser);
 	return (group_schema);
 	return (schema);
 }
 void

@@ -519,7 +519,7 @@ pkg_repo_create_set_groups(struct pkg_repo_create *prc, const char *path)

 		return;
 	}
 	schema = group_open_schema();
 	schema = open_schema(group_schema_str, sizeof(group_schema_str));
 	while ((e = readdir(d)) != NULL) {
 		const char *ext;

@@ -535,12 +535,13 @@ pkg_repo_create_set_groups(struct pkg_repo_create *prc, const char *path)

 		/* only regular files are considered */
 		if (fstatat(dfd, e->d_name, &st, AT_SYMLINK_NOFOLLOW) != 0) {
 			pkg_emit_errno("fstatat", e->d_name);
 			return;
 			goto cleanup;
 		}
 		if (!S_ISREG(st.st_mode))
 			continue;
 		group_load(prc, dfd, e->d_name, schema);
 	}
 cleanup:
 	closedir(d);
 	ucl_object_unref(schema);
 }

modified libpkg/pkgdb_iterator.c

@@ -515,7 +515,7 @@ static int

 pkgdb_load_license(sqlite3 *sqlite, struct pkg *pkg)
 {
 	const char	 sql[] = ""
 		"SELECT name "
 		"SELECT ifnull(group_concat(name, ', '), '') AS name"
 		"  FROM pkg_licenses, licenses AS l"
 		"  WHERE package_id = ?1"
 		"    AND license_id = l.id"

modified scripts/periodic/405.pkg-base-audit.in

@@ -46,12 +46,6 @@ fi

 : ${security_status_baseaudit_jails_ignore+=""}
 : ${security_status_baseaudit_expiry:=2}
 security_daily_compat_var security_status_baseaudit_enable
 security_daily_compat_var security_status_baseaudit_quiet
 security_daily_compat_var security_status_baseaudit_chroots
 security_daily_compat_var security_status_baseaudit_jails
 security_daily_compat_var security_status_baseaudit_expiry
 # Compute PKG_DBDIR from the config file.
 pkgcmd=%prefix%/sbin/pkg
 PKG_DBDIR=`${pkgcmd} config PKG_DBDIR`

@@ -69,7 +63,7 @@ audit_base() {

 	local chrootv
 	local jailv
 	local jid
 	# get version from chroot
 	if [ -n "`echo "$pkgargs" | egrep '^-c'`" ]; then
 		if [ -x "$basedir/bin/freebsd-version" ]; then

modified scripts/periodic/410.pkg-audit.in

@@ -47,12 +47,6 @@ fi

 : ${security_status_pkgaudit_expiration:=YES}
 : ${security_status_pkgaudit_deprecation:=YES}
 security_daily_compat_var security_status_pkgaudit_enable
 security_daily_compat_var security_status_pkgaudit_quiet
 security_daily_compat_var security_status_pkgaudit_chroots
 security_daily_compat_var security_status_pkgaudit_jails
 security_daily_compat_var security_status_pkgaudit_expiry
 # Compute PKG_DBDIR from the config file.
 pkgcmd=%prefix%/sbin/pkg
 PKG_DBDIR=`${pkgcmd} config PKG_DBDIR`

modified scripts/periodic/460.pkg-checksum.in

@@ -15,10 +15,6 @@ fi

 : ${security_status_pkg_checksum_chroots=$pkg_chroots}
 : ${security_status_pkg_checksum_jails=$pkg_jails}
 security_daily_compat_var security_status_pkg_checksum_enable
 security_daily_compat_var security_status_pkg_checksum_chroots
 security_daily_compat_var security_status_pkg_checksum_jails
 checksum_pkg() {
     local pkgargs="$1"
     local rc

modified src/clean.c

@@ -58,6 +58,7 @@

 #include "pkgcli.h"
 #include "pkghash.h"
 #include "xmalloc.h"
 typedef tll(char *) dl_list;

@@ -78,7 +79,7 @@ add_to_dellist(int fd, dl_list *dl, const char *cachedir, const char *path)

 	assert(path != NULL);
 	store_path = strdup(path);
 	store_path = xstrdup(path);
 	if (!quiet) {
 		if (first_entry) {

modified src/event.c

@@ -60,6 +60,7 @@

 #include "pkg.h"
 #include "pkgcli.h"
 #include "xmalloc.h"
 #define STALL_TIME 5

@@ -683,7 +684,7 @@ event_callback(void *data, struct pkg_event *ev)

 			signal(SIGINT, cleanup_handler);
 			signal_handler_installed = true;
 		}
 		evtmp = malloc(sizeof(struct cleanup));
 		evtmp = xmalloc(sizeof(struct cleanup));
 		evtmp->cb = ev->e_cleanup_callback.cleanup_cb;
 		evtmp->data = ev->e_cleanup_callback.data;
 		tll_push_back(cleanup_list, evtmp);

modified tests/frontend/pubkey.sh

@@ -31,20 +31,7 @@ ecc_test() {

 	mkdir fakerepo
 	cat >> test.ucl << EOF
 name: test
 origin: test
 version: "1"
 maintainer: test
 categories: [test]
 comment: a test
 www: http://test
 prefix: /
 abi = "*";
 desc: <<EOD
 Yet another test
 EOD
 EOF
 	sh ${RESOURCEDIR}/test_subr.sh new_pkg test test 1 /
 	atf_check -o ignore -e ignore \
 		pkg create -M test.ucl -o fakerepo

@@ -62,6 +49,10 @@ EOF

 		-o ignore \
 		pkg -o REPOS_DIR="${TMPDIR}" \
 		-o ${PKG_CACHEDIR}="${TMPDIR}" update
 	atf_check -o inline:"1\n" \
 		pkg -o REPOS_DIR="${TMPDIR}" \
 		-o ${PKG_CACHEDIR}="${TMPDIR}" rquery -U %v test
 }
 pubkey_ecdsa_body() {

@@ -77,20 +68,7 @@ pubkey_rsa_body() {

 		pkg key --create repo.key
 	mkdir fakerepo
 	cat >> test.ucl << EOF
 name: test
 origin: test
 version: "1"
 maintainer: test
 categories: [test]
 comment: a test
 www: http://test
 prefix: /
 abi = "*";
 desc: <<EOD
 Yet another test
 EOD
 EOF
 	atf_check sh ${RESOURCEDIR}/test_subr.sh new_pkg test test 1 /
 	atf_check -o ignore -e ignore \
 		pkg create -M test.ucl -o fakerepo

@@ -108,6 +86,10 @@ EOF

 		-o ignore \
 		pkg -o REPOS_DIR="${TMPDIR}" \
 		-o ${PKG_CACHEDIR}="${TMPDIR}" update
 	atf_check -o inline:"1\n" \
 		pkg -o REPOS_DIR="${TMPDIR}" \
 		-o ${PKG_CACHEDIR}="${TMPDIR}" rquery -U %v test
 }
 # Legacy format, unprefixed key passed to pkg-repo

@@ -116,20 +98,7 @@ pubkey_legacy_body() {

 		pkg key --create repo.key
 	mkdir fakerepo
 	cat >> test.ucl << EOF
 name: test
 origin: test
 version: "1"
 maintainer: test
 categories: [test]
 comment: a test
 www: http://test
 prefix: /
 abi = "*";
 desc: <<EOD
 Yet another test
 EOD
 EOF
 	atf_check sh ${RESOURCEDIR}/test_subr.sh new_pkg test test 1 /
 	atf_check -o ignore -e ignore \
 		pkg create -M test.ucl -o fakerepo

@@ -147,5 +116,9 @@ EOF

 		-o ignore \
 		pkg -o REPOS_DIR="${TMPDIR}" \
 		-o ${PKG_CACHEDIR}="${TMPDIR}" update
 	atf_check -o inline:"1\n" \
 		pkg -o REPOS_DIR="${TMPDIR}" \
 		-o ${PKG_CACHEDIR}="${TMPDIR}" rquery -U %v test
 }

modified tests/frontend/updating.sh

@@ -34,27 +34,19 @@ EOF

 }
 updating_pkg_body() {
 	cat > test.ucl << EOF
 name: "pkg"
 origin: "ports-mgmt/pkg"
 version: "1.10.5"
 arch: "*"
 maintainer: "none"
 prefix: "/usr/local"
 www: "unknown"
 comment: "need one"
 desc: "also need one"
 	atf_check -s exit:0 sh ${RESOURCEDIR}/test_subr.sh new_pkg pkg pkg 1.10.5 /usr/local
 	cat >> pkg.ucl << EOF
 message: [
 	{ message: "Always print" }
 ]
 EOF
 	atf_check \
 		-o match:".*Installing.*" \
 		pkg register -M test.ucl
 		pkg register -M pkg.ucl
 	cat > UPDATING <<EOF
 20190619:
   AFFECTS: ports-mgmt/pkg
   AFFECTS: pkg
   AUTHOR: ports@FreeBSD.org
   Messages...

@@ -66,33 +58,25 @@ EOF

 }
 updating_perl_body() {
 	cat > test.ucl << EOF
 name: "perl5.26"
 origin: "lang/perl5.26"
 version: "5.26_3"
 arch: "*"
 maintainer: "none"
 prefix: "/usr/local"
 www: "unknown"
 comment: "need one"
 desc: "also need one"
 	atf_check -s exit:0 sh ${RESOURCEDIR}/test_subr.sh new_pkg perl perl5.26 5.26 /usr/local
 	cat >> perl.ucl << EOF
 message: [
 	{ message: "Always print" }
 ]
 EOF
 	atf_check \
 		-o match:".*Installing.*" \
 		pkg register -M test.ucl
 		pkg register -M perl.ucl
 	cat > UPDATING <<EOF
 20190620:
   AFFECTS: lang/perl5.*
   AFFECTS: perl5.*
   AUTHOR: ports@FreeBSD.org
   Messages...
 20190621:
   AFFECTS: lang/perl5*
   AFFECTS: perl5*
   AUTHOR: ports@FreeBSD.org
   Messages...

@@ -105,27 +89,19 @@ EOF

 }
 updating_samba_body() {
 	cat > test.ucl << EOF
 name: "samba47"
 origin: "net/samba47"
 version: "4.7.12"
 arch: "*"
 maintainer: "none"
 prefix: "/usr/local"
 www: "unknown"
 comment: "need one"
 desc: "also need one"
 	atf_check -s exit:0 sh ${RESOURCEDIR}/test_subr.sh new_pkg samba samba47 4.7.12 /usr/local
 	cat >> samba.ucl << EOF
 message: [
 	{ message: "Always print" }
 ]
 EOF
 	atf_check \
 		-o match:".*Installing.*" \
 		pkg register -M test.ucl
 		pkg register -M samba.ucl
 	cat > UPDATING <<EOF
 20190622:
   AFFECTS: net/samba4[678]
   AFFECTS: samba4[678]
   AUTHOR: ports@FreeBSD.org
   Messages...

@@ -137,27 +113,19 @@ EOF

 }
 updating_ilmbase_body() {
 	cat > test.ucl << EOF
 name: "ilmbase"
 origin: "graphics/ilmbase"
 version: "2.3.0_2"
 arch: "*"
 maintainer: "none"
 prefix: "/usr/local"
 www: "unknown"
 comment: "need one"
 desc: "also need one"
 	atf_check -s exit:0 sh ${RESOURCEDIR}/test_subr.sh new_pkg ilmbase ilmbase 2.3.0_2 /usr/local
 	cat >> ilmbase.ucl << EOF
 message: [
 	{ message: "Always print" }
 ]
 EOF
 	atf_check \
 		-o match:".*Installing.*" \
 		pkg register -M test.ucl
 		pkg register -M ilmbase.ucl
 	cat > UPDATING <<EOF
 20190623:
   AFFECTS: users of graphics/ilmbase, graphics/OpenEXR
   AFFECTS: users of ilmbase, graphics/OpenEXR
   AUTHOR: ports@FreeBSD.org
   Messages...

@@ -169,27 +137,19 @@ EOF

 }
 updating_mysql_body() {
 	cat > test.ucl << EOF
 name: "mysql55-server"
 origin: "databases/mysql55-server"
 version: "5.5.62_1"
 arch: "*"
 maintainer: "none"
 prefix: "/usr/local"
 www: "unknown"
 comment: "need one"
 desc: "also need one"
 	atf_check -s exit:0 sh ${RESOURCEDIR}/test_subr.sh new_pkg mysql mysql55-server 5.5.62_1 /usr/local
 	cat >> mysql.ucl << EOF
 message: [
 	{ message: "Always print" }
 ]
 EOF
 	atf_check \
 		-o match:".*Installing.*" \
 		pkg register -M test.ucl
 		pkg register -M mysql.ucl
 	cat > UPDATING <<EOF
 20190626:
   AFFECTS: users of databases/mysql55-(server|client)
   AFFECTS: users of mysql55-(server|client)
   AUTHOR: ports@FreeBSD.org
   Messages...

@@ -201,27 +161,19 @@ EOF

 }
 updating_postgresql_body() {
 	cat > test.ucl << EOF
 name: "postgresql95-server"
 origin: "databases/postgresql95-server"
 version: "9.5.17"
 arch: "*"
 maintainer: "none"
 prefix: "/usr/local"
 www: "unknown"
 comment: "need one"
 desc: "also need one"
 	atf_check -s exit:0 sh ${RESOURCEDIR}/test_subr.sh new_pkg postgresql postgresql95-server 9.5.17 /usr/local
 	cat >> postgresql.ucl << EOF
 message: [
 	{ message: "Always print" }
 ]
 EOF
 	atf_check \
 		-o match:".*Installing.*" \
 		pkg register -M test.ucl
 		pkg register -M postgresql.ucl
 	cat > UPDATING <<EOF
 20190627:
   AFFECTS: users of databases/postgresql??-(server|client)
   AFFECTS: users of postgresql??-(server|client)
   AUTHOR: ports@FreeBSD.org
   Messages...

@@ -233,27 +185,19 @@ EOF

 }
 updating_cupsbase_body() {
 	cat > test.ucl << EOF
 name: "cups-base"
 origin: "print/cups-base"
 version: "2.2.1"
 arch: "*"
 maintainer: "none"
 prefix: "/usr/local"
 www: "unknown"
 comment: "need one"
 desc: "also need one"
 	atf_check -s exit:0 sh ${RESOURCEDIR}/test_subr.sh new_pkg cups-base cups-base 2.2.1 /usr/local
 	cat >> cups-base.ucl << EOF
 message: [
 	{ message: "Always print" }
 ]
 EOF
 	atf_check \
 		-o match:".*Installing.*" \
 		pkg register -M test.ucl
 		pkg register -M cups-base.ucl
 	cat > UPDATING <<EOF
 20190628:
   AFFECTS: users of print/cups-{base,client,image}
   AFFECTS: users of cups-{base,client,image}
   AUTHOR: ports@FreeBSD.org
   Messages...

@@ -265,27 +209,19 @@ EOF

 }
 updating_cups_body() {
 	cat > test.ucl << EOF
 name: "cups"
 origin: "print/cups"
 version: "2.2.1"
 arch: "*"
 maintainer: "none"
 prefix: "/usr/local"
 www: "unknown"
 comment: "need one"
 desc: "also need one"
 	atf_check -s exit:0 sh ${RESOURCEDIR}/test_subr.sh new_pkg cups cups 2.2.1 /usr/local
 	cat >> cups.ucl << EOF
 message: [
 	{ message: "Always print" }
 ]
 EOF
 	atf_check \
 		-o match:".*Installing.*" \
 		pkg register -M test.ucl
 		pkg register -M cups.ucl
 	cat > UPDATING <<EOF
 20190628:
   AFFECTS: users of print/cups-{base,client,image}
   AFFECTS: users of cups-{base,client,image}
   AUTHOR: ports@FreeBSD.org
   Messages...