[arch-commits] Commit in pacman/trunk (2 files)

Allan McRae allan at archlinux.org
Fri Jul 24 01:55:08 UTC 2015


    Date: Friday, July 24, 2015 @ 03:55:08
  Author: allan
Revision: 242468

upgpkg: pacman 4.2.1-2

add upstream patch for bad bug

Added:
  pacman/trunk/ensure-matching-database-and-package-version.patch
Modified:
  pacman/trunk/PKGBUILD

----------------------------------------------------+
 PKGBUILD                                           |   10 ++-
 ensure-matching-database-and-package-version.patch |   60 +++++++++++++++++++
 2 files changed, 69 insertions(+), 1 deletion(-)

Modified: PKGBUILD
===================================================================
--- PKGBUILD	2015-07-23 23:42:50 UTC (rev 242467)
+++ PKGBUILD	2015-07-24 01:55:08 UTC (rev 242468)
@@ -5,7 +5,7 @@
 
 pkgname=pacman
 pkgver=4.2.1
-pkgrel=1
+pkgrel=2
 pkgdesc="A library-based package manager with dependency support"
 arch=('i686' 'x86_64')
 url="http://www.archlinux.org/pacman/"
@@ -21,11 +21,13 @@
 backup=(etc/pacman.conf etc/makepkg.conf)
 options=('strip' 'debug')
 source=(https://sources.archlinux.org/other/pacman/$pkgname-$pkgver.tar.gz{,.sig}
+	ensure-matching-database-and-package-version.patch
         pacman.conf.i686
         pacman.conf.x86_64
         makepkg.conf)
 md5sums=('2a596fc8f723e99660c0869a74afcf47'
          'SKIP'
+         'e8f72afe6f417d11bd36ada042744fe4'
          '2db6c94709bb30cc614a176ecf8badb1'
          'de74a13618347f08ae4a9637f74471c4'
          '03d578816b56852d803cbafac85b9f09')
@@ -32,6 +34,12 @@
 validpgpkeys=('6645B0A8C7005E78DB1D7864F99FFE0FEAE999BD')  # Allan McRae <allan at archlinux.org>
 
 
+prepare() {
+  cd "$pkgname-$pkgver"
+
+  patch -p1 -i $srcdir/ensure-matching-database-and-package-version.patch
+}
+
 build() {
   cd "$pkgname-$pkgver"
 
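Review bot: The new prepare() passes `$srcdir` unquoted in `patch -p1 -i $srcdir/ensure-matching-database-and-package-version.patch`, so a build directory whose path contains whitespace or glob characters would be word-split into a wrong argument; the neighbouring `cd "$pkgname-$pkgver"` already quotes, so `patch -p1 -i "$srcdir/ensure-matching-database-and-package-version.patch"` keeps the function consistent. This is a robustness point only: the patch is a repo-local entry in the source array with its own checksum, so quoting does not change what gets applied.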

Added: ensure-matching-database-and-package-version.patch
===================================================================
--- ensure-matching-database-and-package-version.patch	                        (rev 0)
+++ ensure-matching-database-and-package-version.patch	2015-07-24 01:55:08 UTC (rev 242468)
@@ -0,0 +1,60 @@
+From deac9731884a83ad91eab9f27b288f406f56c87b Mon Sep 17 00:00:00 2001
+From: Levente Polyak <anthraxx at archlinux.org>
+Date: Sat, 18 Jul 2015 17:58:23 +0200
+Subject: [PATCH] ensure matching database and package version
+
+While loading each package ensure that the internal version matches the
+expected database version to avoid the possibility to circumvent the
+version check.
+This issue can be used by an attacker to trick the software into
+installing an older version. The behavior can be  exploited by a
+man-in-the-middle attack through specially crafted  database tarball
+containing a higher version, yet actually delivering an  older and
+vulnerable version, which was previously shipped.
+
+Signed-off-by: Levente Polyak <anthraxx at archlinux.org>
+Signed-off-by: Remi Gacogne <rgacogne at archlinux.org>
+Signed-off-by: Allan McRae <allan at archlinux.org>
+---
+ lib/libalpm/sync.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/lib/libalpm/sync.c b/lib/libalpm/sync.c
+index 888ae15..e843b07 100644
+--- a/lib/libalpm/sync.c
++++ b/lib/libalpm/sync.c
+@@ -1212,6 +1212,7 @@ static int load_packages(alpm_handle_t *handle, alpm_list_t **data,
+ 	EVENT(handle, &event);
+ 
+ 	for(i = handle->trans->add; i; i = i->next, current++) {
++		int error = 0;
+ 		alpm_pkg_t *spkg = i->data;
+ 		char *filepath;
+ 		int percent = (int)(((double)current_bytes / total_bytes) * 100);
+@@ -1232,6 +1233,23 @@ static int load_packages(alpm_handle_t *handle, alpm_list_t **data,
+ 				spkg->name);
+ 		alpm_pkg_t *pkgfile =_alpm_pkg_load_internal(handle, filepath, 1);
+ 		if(!pkgfile) {
++			_alpm_log(handle, ALPM_LOG_DEBUG, "failed to load pkgfile internal\n");
++			error = 1;
++		} else {
++			if(strcmp(spkg->name, pkgfile->name) != 0) {
++				_alpm_log(handle, ALPM_LOG_DEBUG,
++						"internal package name mismatch, expected: '%s', actual: '%s'\n",
++						spkg->name, pkgfile->name);
++				error = 1;
++			}
++			if(strcmp(spkg->version, pkgfile->version) != 0) {
++				_alpm_log(handle, ALPM_LOG_DEBUG,
++						"internal package version mismatch, expected: '%s', actual: '%s'\n",
++						spkg->version, pkgfile->version);
++				error = 1;
++			}
++		}
++		if(error != 0) {
+ 			errors++;
+ 			*data = alpm_list_add(*data, strdup(spkg->filename));
+ 			free(filepath);
+-- 
+2.4.6
+
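Review bot: The shared error path introduced at `if(error != 0) {` is now reached with a successfully loaded `pkgfile` whenever the name or version comparison fails, but the visible cleanup only does `free(filepath);` — unless the lines after the hunk release it, every mismatch leaks the loaded package, and adding `_alpm_pkg_free(pkgfile);` next to `free(filepath);` (presumably safe for the NULL case too, but confirm that `_alpm_pkg_free` tolerates NULL) would close that. Both mismatch diagnostics are emitted at ALPM_LOG_DEBUG only, yet the commit message frames this as a defence against a tampered database delivering a downgraded package; with debug output off the user gets just the per-filename entry collected into `*data`, which is indistinguishable from a corrupt download, so a user-visible message (ALPM_LOG_ERROR, or a distinct error code) naming the expected and actual version would make the attack observable. Using `strcmp` rather than a version-compare helper is the right call here, since anything other than an exact match of the database's recorded version is suspect. The remainder of load_packages, including whatever follows the error block (likely the loop's `continue`), is outside this hunk.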


