[pacman-dev] [PATCH] ensure matching database and package version

Levente Polyak anthraxx at archlinux.org
Sat Jul 18 14:55:01 UTC 2015 

While loading each package ensure that the internal version matches the
expected database version to avoid the possibility to circumvent the
version check.
This issue can be used by an attacker to trick the software into
installing an older version. The behavior can be  exploited by a
man-in-the-middle attack through specially crafted  database tarball
containing a higher version, yet actually delivering an  older and
vulnerable version, which was previously shipped.

Signed-off-by: Levente Polyak <anthraxx at archlinux.org>
Signed-off-by: Remi Gacogne <rgacogne at archlinux.org>
---
 lib/libalpm/sync.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/lib/libalpm/sync.c b/lib/libalpm/sync.c
index 888ae15..8504e02 100644
--- a/lib/libalpm/sync.c
+++ b/lib/libalpm/sync.c
@@ -1212,6 +1212,7 @@ static int load_packages(alpm_handle_t *handle, alpm_list_t **data,
 	EVENT(handle, &event);

 	for(i = handle->trans->add; i; i = i->next, current++) {
+		int error = 0;
 		alpm_pkg_t *spkg = i->data;
 		char *filepath;
 		int percent = (int)(((double)current_bytes / total_bytes) * 100);
@@ -1232,6 +1233,21 @@ static int load_packages(alpm_handle_t *handle, alpm_list_t **data,
 				spkg->name);
 		alpm_pkg_t *pkgfile =_alpm_pkg_load_internal(handle, filepath, 1);
 		if(!pkgfile) {
+			_alpm_log(handle, ALPM_LOG_DEBUG, "failed to load pkgfile internal\n");
+			error = 1;
+		} else {
+			if(strcmp(spkg->name, pkgfile->name) != 0) {
+				_alpm_log(handle, ALPM_LOG_DEBUG, "internal package name missmatch, expected: '%s', actual: '%s'\n",
+						spkg->name, pkgfile->name);
+				error = 1;
+			}
+			if(alpm_pkg_vercmp(spkg->version, pkgfile->version) != 0) {
+				_alpm_log(handle, ALPM_LOG_DEBUG, "internal package version missmatch, expected: '%s', actual: '%s'\n",
+						spkg->version, pkgfile->version);
+				error = 1;
+			}
+		}
+		if(error != 0) {
 			errors++;
 			*data = alpm_list_add(*data, strdup(spkg->filename));
 			free(filepath);
-- 
2.4.6

More information about the pacman-dev mailing list