core/pacman to 4.2.1-2
This commit is contained in:
parent
1f38cf9817
commit
98ebd1c9c0
2 changed files with 65 additions and 1 deletions
|
@ -11,7 +11,7 @@
|
|||
|
||||
pkgname=pacman
|
||||
pkgver=4.2.1
|
||||
pkgrel=1
|
||||
pkgrel=2
|
||||
pkgdesc="A library-based package manager with dependency support"
|
||||
arch=('i686' 'x86_64')
|
||||
url="http://www.archlinux.org/pacman/"
|
||||
|
@ -28,11 +28,13 @@ replaces=('pacman-contrib')
|
|||
backup=(etc/pacman.conf etc/makepkg.conf)
|
||||
options=('strip' 'debug')
|
||||
source=(https://sources.archlinux.org/other/pacman/$pkgname-$pkgver.tar.gz{,.sig}
|
||||
ensure-matching-database-and-package-version.patch
|
||||
0001-Sychronize-filesystem.patch
|
||||
pacman.conf
|
||||
makepkg.conf)
|
||||
md5sums=('2a596fc8f723e99660c0869a74afcf47'
|
||||
'SKIP'
|
||||
'e8f72afe6f417d11bd36ada042744fe4'
|
||||
'291123878ec33ca8a3020ac85f2e91d1'
|
||||
'5c491b27bae54d93d6ba972ce0fccfa7'
|
||||
'c88c41076f26e97c6915d8b967df96e7')
|
||||
|
@ -40,6 +42,8 @@ validpgpkeys=('6645B0A8C7005E78DB1D7864F99FFE0FEAE999BD') # Allan McRae <allan@
|
|||
|
||||
prepare() {
|
||||
cd $srcdir/$pkgname-$pkgver
|
||||
|
||||
patch -p1 -i $srcdir/ensure-matching-database-and-package-version.patch
|
||||
patch -p1 -i ../0001-Sychronize-filesystem.patch
|
||||
}
|
||||
|
||||
|
|
|
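Review bot: The two `patch` calls in prepare() now address the same directory two different ways — the new line uses `$srcdir/ensure-matching-database-and-package-version.patch` while the existing one uses `../0001-Sychronize-filesystem.patch`; after the `cd` both resolve to the same place, so `patch -p1 -i ../ensure-matching-database-and-package-version.patch` keeps the block uniform. The backported patch closes a version-downgrade hole in libalpm's sync path, so bumping pkgrel to get the package rebuilt is the right call. The md5sums entry for the new local patch only guards against accidental edits of the file in this tree, which is all a local source needs.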
@ -0,0 +1,60 @@
|
|||
From deac9731884a83ad91eab9f27b288f406f56c87b Mon Sep 17 00:00:00 2001
|
||||
From: Levente Polyak <anthraxx@archlinux.org>
|
||||
Date: Sat, 18 Jul 2015 17:58:23 +0200
|
||||
Subject: [PATCH] ensure matching database and package version
|
||||
|
||||
While loading each package ensure that the internal version matches the
|
||||
expected database version to avoid the possibility to circumvent the
|
||||
version check.
|
||||
This issue can be used by an attacker to trick the software into
|
||||
installing an older version. The behavior can be exploited by a
|
||||
man-in-the-middle attack through specially crafted database tarball
|
||||
containing a higher version, yet actually delivering an older and
|
||||
vulnerable version, which was previously shipped.
|
||||
|
||||
Signed-off-by: Levente Polyak <anthraxx@archlinux.org>
|
||||
Signed-off-by: Remi Gacogne <rgacogne@archlinux.org>
|
||||
Signed-off-by: Allan McRae <allan@archlinux.org>
|
||||
---
|
||||
lib/libalpm/sync.c | 18 ++++++++++++++++++
|
||||
1 file changed, 18 insertions(+)
|
||||
|
||||
diff --git a/lib/libalpm/sync.c b/lib/libalpm/sync.c
|
||||
index 888ae15..e843b07 100644
|
||||
--- a/lib/libalpm/sync.c
|
||||
+++ b/lib/libalpm/sync.c
|
||||
@@ -1212,6 +1212,7 @@ static int load_packages(alpm_handle_t *handle, alpm_list_t **data,
|
||||
EVENT(handle, &event);
|
||||
|
||||
for(i = handle->trans->add; i; i = i->next, current++) {
|
||||
+ int error = 0;
|
||||
alpm_pkg_t *spkg = i->data;
|
||||
char *filepath;
|
||||
int percent = (int)(((double)current_bytes / total_bytes) * 100);
|
||||
@@ -1232,6 +1233,23 @@ static int load_packages(alpm_handle_t *handle, alpm_list_t **data,
|
||||
spkg->name);
|
||||
alpm_pkg_t *pkgfile =_alpm_pkg_load_internal(handle, filepath, 1);
|
||||
if(!pkgfile) {
|
||||
+ _alpm_log(handle, ALPM_LOG_DEBUG, "failed to load pkgfile internal\n");
|
||||
+ error = 1;
|
||||
+ } else {
|
||||
+ if(strcmp(spkg->name, pkgfile->name) != 0) {
|
||||
+ _alpm_log(handle, ALPM_LOG_DEBUG,
|
||||
+ "internal package name mismatch, expected: '%s', actual: '%s'\n",
|
||||
+ spkg->name, pkgfile->name);
|
||||
+ error = 1;
|
||||
+ }
|
||||
+ if(strcmp(spkg->version, pkgfile->version) != 0) {
|
||||
+ _alpm_log(handle, ALPM_LOG_DEBUG,
|
||||
+ "internal package version mismatch, expected: '%s', actual: '%s'\n",
|
||||
+ spkg->version, pkgfile->version);
|
||||
+ error = 1;
|
||||
+ }
|
||||
+ }
|
||||
+ if(error != 0) {
|
||||
errors++;
|
||||
*data = alpm_list_add(*data, strdup(spkg->filename));
|
||||
free(filepath);
|
||||
--
|
||||
2.4.6
|
||||
|
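Review bot: When `_alpm_pkg_load_internal` succeeds but the name or version comparison fails, the new `else` branch sets `error` and control reaches the `if(error != 0)` block, yet nothing in the hunk releases `pkgfile`; if the code after the hunk leaves the loop iteration on that path, as the original `if(!pkgfile)` block presumably did, the loaded package leaks on every mismatched entry. Adding `if(pkgfile) { _alpm_pkg_free(pkgfile); }` inside the `if(error != 0)` block before `free(filepath)` closes that; the tail of the loop body and the rest of load_packages are outside the hunk, so confirm it against the full function. The mismatch itself is logged only at ALPM_LOG_DEBUG, so a user whose sync database was swapped under them sees nothing beyond the generic per-file failure collected through `*data`; logging the two mismatch messages at ALPM_LOG_ERROR would make the rejection visible in normal operation without changing control flow.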