The ed25519 signature verification code does not
check that the signature is a minimum/correct length.
As a result, if the signature is too short, libsodium will end up
reading a few bytes out of bounds.
Reported-by: Demi Marie Obenour <demi@invisiblethingslab.com>
Co-authored-by: Demi Marie Obenour <demi@invisiblethingslab.com>
Closes: https://github.com/ostreedev/ostree/security/advisories/GHSA-gqf4-p3gv-g8vw
For historical reasons we have a fair bit of distinct sysroot
initialization going on. A lot of code is calling *just* the new
`ensure_writable()` API, which does basically what you'd expect...
except if we're not using a mount namespace.
Which is the case in unit tests and legacy setups.
Change this API to also ensure the sysroot is fully initialized
even in those cases. Specifically we'll have `self->sysroot_fd`.
For now, callers that need `/boot` also need to separately
call `_ensure_boot_fd()`.
This PR is followup from https://github.com/coreos/coreos-assembler/pull/2863
Summary of changes:
- Moved bls-append-except-default parsing logic to reload_sysroot_config()
- Made sure heap allocated memory is being freed
It's falliable, and in one place we were actually ignoring
the error and leaving a `NULL` repo object which is just a trap
for people coming along later since it's rarely nullable.
Quite a while ago we switched to loading the repo at the same time
as the sysroot; convert callers in the library to use this infallible
accessor.
Prep for another patch which will use the repo object.
After landing the new --commit-only functionality, we still noticed
exceedingly long pruning times in large repos. Lets add an optimization
that will only retrieve commit objects when --commit-only flag is used.
update all existing deployments in place
Example:
$ sudo ostree admin kargs edit-in-place --append-if-missing=rw
See https://github.com/ostreedev/ostree/issues/2617
This will not add duplicate key, if there is `TESTARG=VAL1` in the
kernel arguments, `--append-if-missing=TESTARG=VAL2` will be ignored.
We recently discovered `list_objects()` is inefficient with memory.
The more efficient `list_objects_set()` API isn't yet public, but
this fsck code actually just skips over non-commit objects, and
we already have an API to list just those.
I messed this up; the last release should inherit from the previous
release (N-1) and not the previous to that (N-2).
I think (hope) this isn't an ABI break...
Just noticed this when I was going to add a new symbol.
In a prior change we discovered that for bad historical reasons
libostree was returning a mapping "object type+checksum" => "metadata"
but the "metadata" was redundant and pointless.
Optimize the prune API to use a (currently internal) object listing
API which returns a set, not a map. This allows `GHashTable` to
avoid allocating a separate array for the values, neatly cutting
memory usage in half (from ~13MB to ~6MB) on my test case of a
dry-run prune of a FCOS build.
I was looking at https://github.com/ostreedev/ostree/pull/2632
and confused at the usage of
`GVariant *value = g_variant_new ("(b@as)", TRUE, g_variant_new_strv (NULL, 0));`
which looked strange - why the empty strv?
It turns out that this is a historical legacy of the time when
ostree had pack files. And nothing actually cares about the values
of these variants; we should have an API that returns a proper set,
and not a hash.
But...since all of these things have exactly the same value, instead
of allocating lots of redundant copies on the heap, just have
them all hold a refcount on a shared value.
This cuts the heap usage from 20MB to 13MB on a test FCOS repository
build.
It inherently depends on the individual build, and can't
really be an official stable API for introspection users.
I've noticed the value of this flip flop when doing local builds.
I'm fairly certain no one is trying to use it from a higher level
language.
It'd probably make sense to even drop from the official C API,
but I'm trying to be conservative with that.
I was looking at our `.gir` and noticed we had the cmdprivate bits
because the pattern for excluding headers is `-private.h`, which
didn't match `cmdprivate.h`.
(nullable) and (optional) were missing on lookup()'s out parameters,
which caused the rust bindings for the function to not work. Due to the
missing (nullable), it would return a Result<(GString, MutableTree), _>,
not a Result<(Option<GString>, Option<MutableTree>), _>, which led to
panics.
Simon McVittie
Colin Walters
Huijing Hei
Saqib Ali
Nikita Dubrovskii
Jonathan Lebon
Joseph Marrero Corchado
Dan Nicholson
James Westman