core/pacman to 4.2.1-2
parent
1f38cf9817
commit
98ebd1c9c0
2 changed files with 65 additions and 1 deletions
|
@ -11,7 +11,7 @@
|
||||||
|
|
||||||
pkgname=pacman
|
pkgname=pacman
|
||||||
pkgver=4.2.1
|
pkgver=4.2.1
|
||||||
pkgrel=1
|
pkgrel=2
|
||||||
pkgdesc="A library-based package manager with dependency support"
|
pkgdesc="A library-based package manager with dependency support"
|
||||||
arch=('i686' 'x86_64')
|
arch=('i686' 'x86_64')
|
||||||
url="http://www.archlinux.org/pacman/"
|
url="http://www.archlinux.org/pacman/"
|
||||||
|
@ -28,11 +28,13 @@ replaces=('pacman-contrib')
|
||||||
backup=(etc/pacman.conf etc/makepkg.conf)
|
backup=(etc/pacman.conf etc/makepkg.conf)
|
||||||
options=('strip' 'debug')
|
options=('strip' 'debug')
|
||||||
source=(https://sources.archlinux.org/other/pacman/$pkgname-$pkgver.tar.gz{,.sig}
|
source=(https://sources.archlinux.org/other/pacman/$pkgname-$pkgver.tar.gz{,.sig}
|
||||||
|
ensure-matching-database-and-package-version.patch
|
||||||
0001-Sychronize-filesystem.patch
|
0001-Sychronize-filesystem.patch
|
||||||
pacman.conf
|
pacman.conf
|
||||||
makepkg.conf)
|
makepkg.conf)
|
||||||
md5sums=('2a596fc8f723e99660c0869a74afcf47'
|
md5sums=('2a596fc8f723e99660c0869a74afcf47'
|
||||||
'SKIP'
|
'SKIP'
|
||||||
|
'e8f72afe6f417d11bd36ada042744fe4'
|
||||||
'291123878ec33ca8a3020ac85f2e91d1'
|
'291123878ec33ca8a3020ac85f2e91d1'
|
||||||
'5c491b27bae54d93d6ba972ce0fccfa7'
|
'5c491b27bae54d93d6ba972ce0fccfa7'
|
||||||
'c88c41076f26e97c6915d8b967df96e7')
|
'c88c41076f26e97c6915d8b967df96e7')
|
||||||
|
@ -40,6 +42,8 @@ validpgpkeys=('6645B0A8C7005E78DB1D7864F99FFE0FEAE999BD') # Allan McRae <allan@
|
||||||
|
|
||||||
prepare() {
|
prepare() {
|
||||||
cd $srcdir/$pkgname-$pkgver
|
cd $srcdir/$pkgname-$pkgver
|
||||||
|
|
||||||
|
patch -p1 -i $srcdir/ensure-matching-database-and-package-version.patch
|
||||||
patch -p1 -i ../0001-Sychronize-filesystem.patch
|
patch -p1 -i ../0001-Sychronize-filesystem.patch
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
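Review bot: The new local patch is pinned only by an added entry in `md5sums`, and MD5 is not collision-resistant, so this is a weak integrity check for a file that changes how pacman verifies packages. The upstream tarball is covered by its `.sig` and `validpgpkeys`, but the local sources are not, so converting the array to `sha256sums` would give them a meaningful pin. In `prepare()` the added line also leaves `$srcdir` unquoted and uses a different path form than the neighbouring `../0001-Sychronize-filesystem.patch` line. `patch -p1 -i "$srcdir/ensure-matching-database-and-package-version.patch"` survives a build path containing spaces.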
@ -0,0 +1,60 @@
|
||||||
|
From deac9731884a83ad91eab9f27b288f406f56c87b Mon Sep 17 00:00:00 2001
|
||||||
|
From: Levente Polyak <anthraxx@archlinux.org>
|
||||||
|
Date: Sat, 18 Jul 2015 17:58:23 +0200
|
||||||
|
Subject: [PATCH] ensure matching database and package version
|
||||||
|
|
||||||
|
While loading each package ensure that the internal version matches the
|
||||||
|
expected database version to avoid the possibility to circumvent the
|
||||||
|
version check.
|
||||||
|
This issue can be used by an attacker to trick the software into
|
||||||
|
installing an older version. The behavior can be exploited by a
|
||||||
|
man-in-the-middle attack through specially crafted database tarball
|
||||||
|
containing a higher version, yet actually delivering an older and
|
||||||
|
vulnerable version, which was previously shipped.
|
||||||
|
|
||||||
|
Signed-off-by: Levente Polyak <anthraxx@archlinux.org>
|
||||||
|
Signed-off-by: Remi Gacogne <rgacogne@archlinux.org>
|
||||||
|
Signed-off-by: Allan McRae <allan@archlinux.org>
|
||||||
|
---
|
||||||
|
lib/libalpm/sync.c | 18 ++++++++++++++++++
|
||||||
|
1 file changed, 18 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/lib/libalpm/sync.c b/lib/libalpm/sync.c
|
||||||
|
index 888ae15..e843b07 100644
|
||||||
|
--- a/lib/libalpm/sync.c
|
||||||
|
+++ b/lib/libalpm/sync.c
|
||||||
|
@@ -1212,6 +1212,7 @@ static int load_packages(alpm_handle_t *handle, alpm_list_t **data,
|
||||||
|
EVENT(handle, &event);
|
||||||
|
|
||||||
|
for(i = handle->trans->add; i; i = i->next, current++) {
|
||||||
|
+ int error = 0;
|
||||||
|
alpm_pkg_t *spkg = i->data;
|
||||||
|
char *filepath;
|
||||||
|
int percent = (int)(((double)current_bytes / total_bytes) * 100);
|
||||||
|
@@ -1232,6 +1233,23 @@ static int load_packages(alpm_handle_t *handle, alpm_list_t **data,
|
||||||
|
spkg->name);
|
||||||
|
alpm_pkg_t *pkgfile =_alpm_pkg_load_internal(handle, filepath, 1);
|
||||||
|
if(!pkgfile) {
|
||||||
|
+ _alpm_log(handle, ALPM_LOG_DEBUG, "failed to load pkgfile internal\n");
|
||||||
|
+ error = 1;
|
||||||
|
+ } else {
|
||||||
|
+ if(strcmp(spkg->name, pkgfile->name) != 0) {
|
||||||
|
+ _alpm_log(handle, ALPM_LOG_DEBUG,
|
||||||
|
+ "internal package name mismatch, expected: '%s', actual: '%s'\n",
|
||||||
|
+ spkg->name, pkgfile->name);
|
||||||
|
+ error = 1;
|
||||||
|
+ }
|
||||||
|
+ if(strcmp(spkg->version, pkgfile->version) != 0) {
|
||||||
|
+ _alpm_log(handle, ALPM_LOG_DEBUG,
|
||||||
|
+ "internal package version mismatch, expected: '%s', actual: '%s'\n",
|
||||||
|
+ spkg->version, pkgfile->version);
|
||||||
|
+ error = 1;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ if(error != 0) {
|
||||||
|
errors++;
|
||||||
|
*data = alpm_list_add(*data, strdup(spkg->filename));
|
||||||
|
free(filepath);
|
||||||
|
--
|
||||||
|
2.4.6
|
||||||
|
|
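Review bot: The name and version mismatch messages added in the second sync.c hunk are logged at `ALPM_LOG_DEBUG`, so the downgrade case this patch is meant to catch fails with no visible reason unless debug output is enabled. Raising both calls to `ALPM_LOG_ERROR` would put the expected and actual values in front of the user and into logs. On the same path `pkgfile` is non-NULL when a mismatch sets `error`, and the visible part of the `if(error != 0)` branch frees only `filepath`. Unless the rest of that branch, which lies outside the hunk, releases it, the loaded package leaks; adding `_alpm_pkg_free(pkgfile);` before leaving the branch would close that. The body of load_packages continues beyond both hunks.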