Diffstat (limited to 'libre/pacman/ensure-matching-database-and-package-version.patch')
-rw-r--r-- | libre/pacman/ensure-matching-database-and-package-version.patch | 60 |
1 files changed, 60 insertions, 0 deletions
diff --git a/libre/pacman/ensure-matching-database-and-package-version.patch b/libre/pacman/ensure-matching-database-and-package-version.patch
new file mode 100644
index 000000000..4d9170f8b
--- /dev/null
+++ b/libre/pacman/ensure-matching-database-and-package-version.patch
@@ -0,0 +1,60 @@
+From deac9731884a83ad91eab9f27b288f406f56c87b Mon Sep 17 00:00:00 2001
+From: Levente Polyak <anthraxx@archlinux.org>
+Date: Sat, 18 Jul 2015 17:58:23 +0200
+Subject: [PATCH] ensure matching database and package version
+
+While loading each package ensure that the internal version matches the
+expected database version to avoid the possibility to circumvent the
+version check.
+This issue can be used by an attacker to trick the software into
+installing an older version. The behavior can be exploited by a
+man-in-the-middle attack through specially crafted database tarball
+containing a higher version, yet actually delivering an older and
+vulnerable version, which was previously shipped.
+
+Signed-off-by: Levente Polyak <anthraxx@archlinux.org>
+Signed-off-by: Remi Gacogne <rgacogne@archlinux.org>
+Signed-off-by: Allan McRae <allan@archlinux.org>
+---
+ lib/libalpm/sync.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/lib/libalpm/sync.c b/lib/libalpm/sync.c
+index 888ae15..e843b07 100644
+--- a/lib/libalpm/sync.c
++++ b/lib/libalpm/sync.c
+@@ -1212,6 +1212,7 @@ static int load_packages(alpm_handle_t *handle, alpm_list_t **data,
+ EVENT(handle, &event);
+
+ for(i = handle->trans->add; i; i = i->next, current++) {
++ int error = 0;
+ alpm_pkg_t *spkg = i->data;
+ char *filepath;
+ int percent = (int)(((double)current_bytes / total_bytes) * 100);
+@@ -1232,6 +1233,23 @@ static int load_packages(alpm_handle_t *handle, alpm_list_t **data,
+ spkg->name);
+ alpm_pkg_t *pkgfile =_alpm_pkg_load_internal(handle, filepath, 1);
+ if(!pkgfile) {
++ _alpm_log(handle, ALPM_LOG_DEBUG, "failed to load pkgfile internal\n");
++ error = 1;
++ } else {
++ if(strcmp(spkg->name, pkgfile->name) != 0) {
++ _alpm_log(handle, ALPM_LOG_DEBUG,
++ "internal package name mismatch, expected: '%s', actual: '%s'\n",
++ spkg->name, pkgfile->name);
++ error = 1;
++ }
++ if(strcmp(spkg->version, pkgfile->version) != 0) {
++ _alpm_log(handle, ALPM_LOG_DEBUG,
++ "internal package version mismatch, expected: '%s', actual: '%s'\n",
++ spkg->version, pkgfile->version);
++ error = 1;
++ }
++ }
++ if(error != 0) {
+ errors++;
+ *data = alpm_list_add(*data, strdup(spkg->filename));
+ free(filepath);
+--
+2.4.6
+
|
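Review bot: On the new mismatch path the successfully loaded `pkgfile` is never released inside the hunk: once `_alpm_pkg_load_internal` returns non-NULL but the name or version comparison sets `error = 1`, control enters the `if(error != 0)` block, which was written for the `!pkgfile` case and only frees `filepath`. Unless the lines that follow `free(filepath);` outside the hunk (presumably a `continue`) release it, every rejected package leaks its parsed metadata; adding `_alpm_pkg_free(pkgfile);` next to `free(filepath);` would close that. The mismatch itself is logged only at `ALPM_LOG_DEBUG`, so a user whose download is rejected for a name/version mismatch sees no reason unless debug output is enabled; emitting the mismatch at `ALPM_LOG_WARNING` would make a tampered or stale mirror diagnosable from a normal run. The enclosing `load_packages` begins and ends outside the hunk.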