core/pacman to 4.2.1-2

Kevin Mihelich 2015-07-26 14:45:50 +00:00
parent 1f38cf9817
commit 98ebd1c9c0
2 changed files with 65 additions and 1 deletions


@ -11,7 +11,7 @@
pkgname=pacman pkgname=pacman
pkgver=4.2.1 pkgver=4.2.1
pkgrel=1 pkgrel=2
pkgdesc="A library-based package manager with dependency support" pkgdesc="A library-based package manager with dependency support"
arch=('i686' 'x86_64') arch=('i686' 'x86_64')
url="http://www.archlinux.org/pacman/" url="http://www.archlinux.org/pacman/"
@ -28,11 +28,13 @@ replaces=('pacman-contrib')
backup=(etc/pacman.conf etc/makepkg.conf) backup=(etc/pacman.conf etc/makepkg.conf)
options=('strip' 'debug') options=('strip' 'debug')
source=(https://sources.archlinux.org/other/pacman/$pkgname-$pkgver.tar.gz{,.sig} source=(https://sources.archlinux.org/other/pacman/$pkgname-$pkgver.tar.gz{,.sig}
ensure-matching-database-and-package-version.patch
0001-Sychronize-filesystem.patch 0001-Sychronize-filesystem.patch
pacman.conf pacman.conf
makepkg.conf) makepkg.conf)
md5sums=('2a596fc8f723e99660c0869a74afcf47' md5sums=('2a596fc8f723e99660c0869a74afcf47'
'SKIP' 'SKIP'
'e8f72afe6f417d11bd36ada042744fe4'
'291123878ec33ca8a3020ac85f2e91d1' '291123878ec33ca8a3020ac85f2e91d1'
'5c491b27bae54d93d6ba972ce0fccfa7' '5c491b27bae54d93d6ba972ce0fccfa7'
'c88c41076f26e97c6915d8b967df96e7') 'c88c41076f26e97c6915d8b967df96e7')
@ -40,6 +42,8 @@ validpgpkeys=('6645B0A8C7005E78DB1D7864F99FFE0FEAE999BD') # Allan McRae <allan@
prepare() { prepare() {
cd $srcdir/$pkgname-$pkgver cd $srcdir/$pkgname-$pkgver
patch -p1 -i $srcdir/ensure-matching-database-and-package-version.patch
patch -p1 -i ../0001-Sychronize-filesystem.patch patch -p1 -i ../0001-Sychronize-filesystem.patch
} }
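Review bot: The new local patch is pinned only by an MD5 digest (the `'e8f72afe6f417d11bd36ada042744fe4'` entry added to `md5sums=(`), while the upstream tarball is the only source actually authenticated, via its `.sig` and `validpgpkeys`; since the patch lives beside the PKGBUILD this digest is a consistency check rather than a trust anchor, but for a security backport a collision-resistant hash is the better habit and makepkg accepts `sha256sums=(...)` as a drop-in for the whole array. The added `patch -p1 -i $srcdir/ensure-matching-database-and-package-version.patch` also leaves `$srcdir` unquoted and uses a different path style from the existing `../0001-Sychronize-filesystem.patch` line; `patch -p1 -i "$srcdir/ensure-matching-database-and-package-version.patch"` (or `../...` like its neighbour) keeps `prepare()` consistent.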


@ -0,0 +1,60 @@
From deac9731884a83ad91eab9f27b288f406f56c87b Mon Sep 17 00:00:00 2001
From: Levente Polyak <anthraxx@archlinux.org>
Date: Sat, 18 Jul 2015 17:58:23 +0200
Subject: [PATCH] ensure matching database and package version
While loading each package ensure that the internal version matches the
expected database version to avoid the possibility to circumvent the
version check.
This issue can be used by an attacker to trick the software into
installing an older version. The behavior can be exploited by a
man-in-the-middle attack through specially crafted database tarball
containing a higher version, yet actually delivering an older and
vulnerable version, which was previously shipped.
Signed-off-by: Levente Polyak <anthraxx@archlinux.org>
Signed-off-by: Remi Gacogne <rgacogne@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
---
lib/libalpm/sync.c | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/lib/libalpm/sync.c b/lib/libalpm/sync.c
index 888ae15..e843b07 100644
--- a/lib/libalpm/sync.c
+++ b/lib/libalpm/sync.c
@@ -1212,6 +1212,7 @@ static int load_packages(alpm_handle_t *handle, alpm_list_t **data,
EVENT(handle, &event);
for(i = handle->trans->add; i; i = i->next, current++) {
+ int error = 0;
alpm_pkg_t *spkg = i->data;
char *filepath;
int percent = (int)(((double)current_bytes / total_bytes) * 100);
@@ -1232,6 +1233,23 @@ static int load_packages(alpm_handle_t *handle, alpm_list_t **data,
spkg->name);
alpm_pkg_t *pkgfile =_alpm_pkg_load_internal(handle, filepath, 1);
if(!pkgfile) {
+ _alpm_log(handle, ALPM_LOG_DEBUG, "failed to load pkgfile internal\n");
+ error = 1;
+ } else {
+ if(strcmp(spkg->name, pkgfile->name) != 0) {
+ _alpm_log(handle, ALPM_LOG_DEBUG,
+ "internal package name mismatch, expected: '%s', actual: '%s'\n",
+ spkg->name, pkgfile->name);
+ error = 1;
+ }
+ if(strcmp(spkg->version, pkgfile->version) != 0) {
+ _alpm_log(handle, ALPM_LOG_DEBUG,
+ "internal package version mismatch, expected: '%s', actual: '%s'\n",
+ spkg->version, pkgfile->version);
+ error = 1;
+ }
+ }
+ if(error != 0) {
errors++;
*data = alpm_list_add(*data, strdup(spkg->filename));
free(filepath);
--
2.4.6
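Review bot: The name and version mismatch between the sync-database entry and the loaded .PKGINFO is logged only at `ALPM_LOG_DEBUG` (the two `_alpm_log` calls after `internal package name mismatch` and `internal package version mismatch`), so an administrator actually hit by the man-in-the-middle downgrade the patch description describes sees just the generic invalid-package transaction failure unless running with --debug; this is precisely the event a defender wants in pacman.log, so an `ALPM_LOG_ERROR` (or at least a warning) with a translatable message, e.g. `_alpm_log(handle, ALPM_LOG_ERROR, _("package %s does not match its database entry (%s vs %s)\n"), spkg->filename, spkg->version, pkgfile->version);`, seems warranted. The two `strcmp` calls also assume `pkgfile->name` and `pkgfile->version` are non-NULL whenever `_alpm_pkg_load_internal` returns a package; if the loader can hand back a package with those .PKGINFO fields missing, a crafted archive would turn this check into a NULL dereference, so either confirm the loader rejects such files or guard with `pkgfile->name && pkgfile->version` before comparing. `load_packages` starts and ends outside the hunk, so how `errors`/`*data` are ultimately reported to the caller is not visible here.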