1 From deac9731884a83ad91eab9f27b288f406f56c87b Mon Sep 17 00:00:00 2001
2 From: Levente Polyak <anthraxx@archlinux.org>
3 Date: Sat, 18 Jul 2015 17:58:23 +0200
4 Subject: [PATCH] ensure matching database and package version
5
6 While loading each package ensure that the internal version matches the
7 expected database version to avoid the possibility to circumvent the
8 version check.
9 This issue can be used by an attacker to trick the software into
10 installing an older version. The behavior can be exploited by a
11 man-in-the-middle attack through a specially crafted database tarball
12 that advertises a higher version while actually delivering an older,
13 vulnerable version that was previously shipped.
14
15 Signed-off-by: Levente Polyak <anthraxx@archlinux.org>
16 Signed-off-by: Remi Gacogne <rgacogne@archlinux.org>
17 Signed-off-by: Allan McRae <allan@archlinux.org>
18 ---
19  lib/libalpm/sync.c | 18 ++++++++++++++++++
20  1 file changed, 18 insertions(+)
21
22 diff --git a/lib/libalpm/sync.c b/lib/libalpm/sync.c
23 index 888ae15..e843b07 100644
24 --- a/lib/libalpm/sync.c
25 +++ b/lib/libalpm/sync.c
26 @@ -1212,6 +1212,7 @@ static int load_packages(alpm_handle_t *handle, alpm_list_t **data,
27         EVENT(handle, &event);
28  
29         for(i = handle->trans->add; i; i = i->next, current++) {
30 +               int error = 0;
31                 alpm_pkg_t *spkg = i->data;
32                 char *filepath;
33                 int percent = (int)(((double)current_bytes / total_bytes) * 100);
34 @@ -1232,6 +1233,23 @@ static int load_packages(alpm_handle_t *handle, alpm_list_t **data,
35                                 spkg->name);
36                 alpm_pkg_t *pkgfile =_alpm_pkg_load_internal(handle, filepath, 1);
37                 if(!pkgfile) {
38 +                       _alpm_log(handle, ALPM_LOG_DEBUG, "failed to load pkgfile internal\n");
39 +                       error = 1;
40 +               } else {
41 +                       if(strcmp(spkg->name, pkgfile->name) != 0) {
42 +                               _alpm_log(handle, ALPM_LOG_DEBUG,
43 +                                               "internal package name mismatch, expected: '%s', actual: '%s'\n",
44 +                                               spkg->name, pkgfile->name);
45 +                               error = 1;
46 +                       }
47 +                       if(strcmp(spkg->version, pkgfile->version) != 0) {
48 +                               _alpm_log(handle, ALPM_LOG_DEBUG,
49 +                                               "internal package version mismatch, expected: '%s', actual: '%s'\n",
50 +                                               spkg->version, pkgfile->version);
51 +                               error = 1;
52 +                       }
53 +               }
54 +               if(error != 0) {
55                         errors++;
56                         *data = alpm_list_add(*data, strdup(spkg->filename));
57                         free(filepath);
58 -- 
59 2.4.6
60