[pacman-dev] [PATCH] ensure matching database and package version
While loading each package ensure that the internal version matches the expected database version to avoid the possibility to circumvent the version check. This issue can be used by an attacker to trick the software into installing an older version. The behavior can be exploited by a man-in-the-middle attack through specially crafted database tarball containing a higher version, yet actually delivering an older and vulnerable version, which was previously shipped. Signed-off-by: Levente Polyak <anthraxx@archlinux.org> Signed-off-by: Remi Gacogne <rgacogne@archlinux.org> --- lib/libalpm/sync.c | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/lib/libalpm/sync.c b/lib/libalpm/sync.c index 888ae15..8504e02 100644 --- a/lib/libalpm/sync.c +++ b/lib/libalpm/sync.c @@ -1212,6 +1212,7 @@ static int load_packages(alpm_handle_t *handle, alpm_list_t **data, EVENT(handle, &event); for(i = handle->trans->add; i; i = i->next, current++) { + int error = 0; alpm_pkg_t *spkg = i->data; char *filepath; int percent = (int)(((double)current_bytes / total_bytes) * 100); @@ -1232,6 +1233,21 @@ static int load_packages(alpm_handle_t *handle, alpm_list_t **data, spkg->name); alpm_pkg_t *pkgfile =_alpm_pkg_load_internal(handle, filepath, 1); if(!pkgfile) { + _alpm_log(handle, ALPM_LOG_DEBUG, "failed to load pkgfile internal\n"); + error = 1; + } else { + if(strcmp(spkg->name, pkgfile->name) != 0) { + _alpm_log(handle, ALPM_LOG_DEBUG, "internal package name missmatch, expected: '%s', actual: '%s'\n", + spkg->name, pkgfile->name); + error = 1; + } + if(alpm_pkg_vercmp(spkg->version, pkgfile->version) != 0) { + _alpm_log(handle, ALPM_LOG_DEBUG, "internal package version missmatch, expected: '%s', actual: '%s'\n", + spkg->version, pkgfile->version); + error = 1; + } + } + if(error != 0) { errors++; *data = alpm_list_add(*data, strdup(spkg->filename)); free(filepath); -- 2.4.6
On Sat, 18 Jul 2015 17:03:01 +0200 Jens Adam <jra@byte.cx> wrote:
Nice. :] Context: https://bugs.archlinux.org/task/45657
--byte
This is more towards https://bugs.archlinux.org/task/45687
On 07/18/15 at 04:55pm, Levente Polyak wrote:
While loading each package ensure that the internal version matches the expected database version to avoid the possibility to circumvent the version check. This issue can be used by an attacker to trick the software into installing an older version. The behavior can be exploited by a man-in-the-middle attack through specially crafted database tarball containing a higher version, yet actually delivering an older and vulnerable version, which was previously shipped.
Signed-off-by: Levente Polyak <anthraxx@archlinux.org> Signed-off-by: Remi Gacogne <rgacogne@archlinux.org> --- lib/libalpm/sync.c | 16 ++++++++++++++++ 1 file changed, 16 insertions(+)
diff --git a/lib/libalpm/sync.c b/lib/libalpm/sync.c index 888ae15..8504e02 100644 --- a/lib/libalpm/sync.c +++ b/lib/libalpm/sync.c @@ -1212,6 +1212,7 @@ static int load_packages(alpm_handle_t *handle, alpm_list_t **data, EVENT(handle, &event);
for(i = handle->trans->add; i; i = i->next, current++) { + int error = 0; alpm_pkg_t *spkg = i->data; char *filepath; int percent = (int)(((double)current_bytes / total_bytes) * 100); @@ -1232,6 +1233,21 @@ static int load_packages(alpm_handle_t *handle, alpm_list_t **data, spkg->name); alpm_pkg_t *pkgfile =_alpm_pkg_load_internal(handle, filepath, 1); if(!pkgfile) { + _alpm_log(handle, ALPM_LOG_DEBUG, "failed to load pkgfile internal\n"); + error = 1; + } else { + if(strcmp(spkg->name, pkgfile->name) != 0) { + _alpm_log(handle, ALPM_LOG_DEBUG, "internal package name missmatch, expected: '%s', actual: '%s'\n",
s/missmatch/mismatch/. Also, we try to stay close to 80 columns, please wrap these long lines.
+ spkg->name, pkgfile->name); + error = 1; + } + if(alpm_pkg_vercmp(spkg->version, pkgfile->version) != 0) {
I don't think there's any reason to support different version strings even if they are equivalent, an ordinary strcmp should suffice.
+ _alpm_log(handle, ALPM_LOG_DEBUG, "internal package version mismatch, expected: '%s', actual: '%s'\n", + spkg->version, pkgfile->version);
Same as above.
+ error = 1; + } + } + if(error != 0) { errors++; *data = alpm_list_add(*data, strdup(spkg->filename)); free(filepath); -- 2.4.6
While loading each package ensure that the internal version matches the expected database version to avoid the possibility to circumvent the version check. This issue can be used by an attacker to trick the software into installing an older version. The behavior can be exploited by a man-in-the-middle attack through specially crafted database tarball containing a higher version, yet actually delivering an older and vulnerable version, which was previously shipped. Signed-off-by: Levente Polyak <anthraxx@archlinux.org> Signed-off-by: Remi Gacogne <rgacogne@archlinux.org> --- lib/libalpm/sync.c | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/lib/libalpm/sync.c b/lib/libalpm/sync.c index 888ae15..e843b07 100644 --- a/lib/libalpm/sync.c +++ b/lib/libalpm/sync.c @@ -1212,6 +1212,7 @@ static int load_packages(alpm_handle_t *handle, alpm_list_t **data, EVENT(handle, &event); for(i = handle->trans->add; i; i = i->next, current++) { + int error = 0; alpm_pkg_t *spkg = i->data; char *filepath; int percent = (int)(((double)current_bytes / total_bytes) * 100); @@ -1232,6 +1233,23 @@ static int load_packages(alpm_handle_t *handle, alpm_list_t **data, spkg->name); alpm_pkg_t *pkgfile =_alpm_pkg_load_internal(handle, filepath, 1); if(!pkgfile) { + _alpm_log(handle, ALPM_LOG_DEBUG, "failed to load pkgfile internal\n"); + error = 1; + } else { + if(strcmp(spkg->name, pkgfile->name) != 0) { + _alpm_log(handle, ALPM_LOG_DEBUG, + "internal package name mismatch, expected: '%s', actual: '%s'\n", + spkg->name, pkgfile->name); + error = 1; + } + if(strcmp(spkg->version, pkgfile->version) != 0) { + _alpm_log(handle, ALPM_LOG_DEBUG, + "internal package version mismatch, expected: '%s', actual: '%s'\n", + spkg->version, pkgfile->version); + error = 1; + } + } + if(error != 0) { errors++; *data = alpm_list_add(*data, strdup(spkg->filename)); free(filepath); -- 2.4.6
participants (4)
-
Andrew Gregory
-
Doug Newgard
-
Jens Adam
-
Levente Polyak