#12564: pkgman install *un*installs the package (if passed a local hpkg, no problem with remote hpkr's)
------------------------------+------------------------------
Reporter: ttcoder | Owner: bonefish
Type: enhancement | Status: new
Priority: normal | Milestone: R1
Component: Kits/Package Kit | Version: R1/Development
Keywords: | Blocked By:
Blocking: | Has a Patch: 0
Platform: All |
------------------------------+------------------------------
dsuden keeps running into this vulnerability ever since I told him about
"pkgman install", it's driving me nuts :-)
"Installing" a package which happens to be already installed, actually
results in its de-installation (possibly because one of the performed
steps involves moving the "old" hpkg into an 'archive' subfolder of
administrative, but both the "old" and "new" files are the same ?)
Furthermore, if said package is a dependency of others, this obviously
results in a cascade of consequences, ouch!
Reproducible "show and tell" session coming up below
----
Some naive enhancement ideas: if one of the package files passed to
BPackageManager::Install() matches an already installed package for the
specified repository...
- reject the transaction as a whole ?
- reject only that part of the transaction ?
- start applying the whole transaction, but abort/fail it at the stage of
creating the .hpkg file within /system/packages, before the actual backup-
to-archive stage (maybe might be as simple as tweaking an {{{open()}}}
call, passing it the O_NOCLOBBER.. flag and throwing an exception if
open() returns file-already-exists ?)
- something else ?
Any of the above would result in cutting short the vulnerability exploit
before the package gets uninstalled (and its dependencies if any) which
would be great by me :-)
--
Ticket URL: <https://dev.haiku-os.org/ticket/12564>
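
The "fail at the file-creation stage" idea from the ticket, as an added example that is not Haiku Package Kit code: it uses the POSIX `O_CREAT | O_EXCL` flag pair, which makes `open()` fail with `EEXIST` when the destination already exists. The function names and the file names are hypothetical.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Write a package image to dest_path only if nothing is there yet.
 * Returns 0 on success or a negative errno value; -EEXIST means a file
 * of that name is already installed and was left untouched. O_CREAT|O_EXCL
 * makes "check for existence" and "create" a single atomic step. */
static int place_package(const char *dest_path, const void *data, size_t len)
{
    int fd = open(dest_path, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd < 0)
        return -errno;              /* EEXIST: stop before any archiving */
    const char *p = data;
    while (len > 0) {
        ssize_t n = write(fd, p, len);
        if (n < 0) {
            if (errno == EINTR) continue;
            int err = errno;
            close(fd);
            unlink(dest_path);      /* do not leave a truncated package */
            return -err;
        }
        p += n;
        len -= (size_t)n;
    }
    return close(fd) == 0 ? 0 : -errno;
}

/* Constructed demo: "install" the same file name twice under dir.
 * Returns the result of the second attempt (expected: -EEXIST). */
static int demo_double_install(const char *dir)
{
    char path[256];
    snprintf(path, sizeof path, "%s/demo-%ld.hpkg", dir, (long)getpid());
    int first = place_package(path, "v1", 2);
    int second = place_package(path, "v1", 2);   /* same package again */
    if (first == 0)
        unlink(path);               /* clean up only what we created */
    return first != 0 ? first : second;
}

int main(void)
{
    return demo_double_install("/tmp") == -EEXIST ? 0 : 1;
}
```

A caller that receives `-EEXIST` can fail the transaction at that point, before the existing package file is moved anywhere.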