[pacman-dev] [PATCH] ensure matching database and package version

Andrew Gregory andrew.gregory.8 at gmail.com
Sat Jul 18 15:41:46 UTC 2015 

On 07/18/15 at 04:55pm, Levente Polyak wrote:
> While loading each package ensure that the internal version matches the
> expected database version to avoid the possibility to circumvent the
> version check.
> This issue can be used by an attacker to trick the software into
> installing an older version. The behavior can be  exploited by a
> man-in-the-middle attack through specially crafted  database tarball
> containing a higher version, yet actually delivering an  older and
> vulnerable version, which was previously shipped.
> 
> Signed-off-by: Levente Polyak <anthraxx at archlinux.org>
> Signed-off-by: Remi Gacogne <rgacogne at archlinux.org>
> ---
>  lib/libalpm/sync.c | 16 ++++++++++++++++
>  1 file changed, 16 insertions(+)
> 
> diff --git a/lib/libalpm/sync.c b/lib/libalpm/sync.c
> index 888ae15..8504e02 100644
> --- a/lib/libalpm/sync.c
> +++ b/lib/libalpm/sync.c
> @@ -1212,6 +1212,7 @@ static int load_packages(alpm_handle_t *handle, alpm_list_t **data,
>  	EVENT(handle, &event);
> 
>  	for(i = handle->trans->add; i; i = i->next, current++) {
> +		int error = 0;
>  		alpm_pkg_t *spkg = i->data;
>  		char *filepath;
>  		int percent = (int)(((double)current_bytes / total_bytes) * 100);
> @@ -1232,6 +1233,21 @@ static int load_packages(alpm_handle_t *handle, alpm_list_t **data,
>  				spkg->name);
>  		alpm_pkg_t *pkgfile =_alpm_pkg_load_internal(handle, filepath, 1);
>  		if(!pkgfile) {
> +			_alpm_log(handle, ALPM_LOG_DEBUG, "failed to load pkgfile internal\n");
> +			error = 1;
> +		} else {
> +			if(strcmp(spkg->name, pkgfile->name) != 0) {
> +				_alpm_log(handle, ALPM_LOG_DEBUG, "internal package name missmatch, expected: '%s', actual: '%s'\n",

s/missmatch/mismatch/.  Also, we try to stay close to 80 columns,
please wrap these long lines.

> +						spkg->name, pkgfile->name);
> +				error = 1;
> +			}
> +			if(alpm_pkg_vercmp(spkg->version, pkgfile->version) != 0) {

I don't think there's any reason to support different version strings
even if they are equivalent, an ordinary strcmp should suffice.

> +				_alpm_log(handle, ALPM_LOG_DEBUG, "internal package version mismatch, expected: '%s', actual: '%s'\n",
> +						spkg->version, pkgfile->version);

Same as above.

> +				error = 1;
> +			}
> +		}
> +		if(error != 0) {
>  			errors++;
>  			*data = alpm_list_add(*data, strdup(spkg->filename));
>  			free(filepath);
> -- 
> 2.4.6

More information about the pacman-dev mailing list