Browse Source

Merge pull request #116 from franciscod/pacman

pacman: add to disabled-packages
android-5
Fredrik Fornwall 9 years ago
parent
commit
24e316d045
  1. 70
      disabled-packages/pacman/build.sh
  2. 60
      disabled-packages/pacman/ensure-matching-database-and-package-version.patch
  3. 146
      disabled-packages/pacman/makepkg.conf
  4. 90
      disabled-packages/pacman/pacman.conf
  5. 12
      disabled-packages/pacman/pacman.patch

70
disabled-packages/pacman/build.sh

@ -0,0 +1,70 @@
# HEAVILY adapted from archlinux PKGBUILD
pkgname=pacman
pkgver=4.2.1
TERMUX_PKG_HOMEPAGE=https://www.archlinux.org/pacman/
TERMUX_PKG_DESCRIPTION="A library-based package manager with dependency support"
TERMUX_PKG_VERSION=$pkgver
#FIXME: asciidoc, fakechroot/fakeroot
TERMUX_PKG_DEPENDS="bash, glib, libarchive, curl, gpgme, python2, libandroid-glob, libandroid-support"
TERMUX_PKG_SRCURL="https://sources.archlinux.org/other/pacman/$pkgname-$pkgver.tar.gz"
TERMUX_PKG_BUILD_IN_SRC=yes
TERMUX_PKG_MAINTAINER="Francisco Demartino <demartino.francisco@gmail.com>"
TERMUX_PKG_EXTRA_CONFIGURE_ARGS="--prefix=$TERMUX_PREFIX --sysconfdir=$TERMUX_PREFIX/etc"
TERMUX_PKG_EXTRA_CONFIGURE_ARGS+=" --localstatedir=$TERMUX_PREFIX/var --enable-doc "
TERMUX_PKG_EXTRA_CONFIGURE_ARGS+=" --with-scriptlet-shell=/usr/bin/bash"
export LDFLAGS="$LDFLAGS -llog -landroid-glob"
termux_step_make () {
make
make -C contrib
# make -C "$pkgname-$pkgver" check
}
#package() {
termux_step_make_install () {
make install
make -C contrib install
# install Arch specific stuff
install -dm755 "$TERMUX_PREFIX/etc"
install -m644 "$TERMUX_PKG_BUILDER_DIR/pacman.conf" "$TERMUX_PREFIX/etc/pacman.conf"
case $TERMUX_ARCH in
i686)
mycarch="i686"
mychost="i686-pc-linux-gnu"
myflags="-march=i686"
;;
arm)
mycarch="arm"
mychost="arm-unknown-linux-gnu"
myflags="-march=arm"
;;
esac
# set things correctly in the default conf file
install -m644 "$TERMUX_PKG_BUILDER_DIR/makepkg.conf" "$TERMUX_PREFIX/etc"
sed -i "$TERMUX_PREFIX/etc/makepkg.conf" \
-e "s|@CARCH[@]|$mycarch|g" \
-e "s|@CHOST[@]|$mychost|g" \
-e "s|@CARCHFLAGS[@]|$myflags|g"
# FIXME bash_completion
# # put bash_completion in the right location
# install -dm755 "$TERMUX_PREFIX/share/bash-completion/completions"
# mv "$TERMUX_PREFIX/etc/bash_completion.d/pacman" "$TERMUX_PREFIX/share/bash-completion/completions"
# rmdir "$TERMUX_PREFIX/etc/bash_completion.d"
# for f in makepkg pacman-key; do
# ln -s pacman "$TERMUX_PREFIX/share/bash-completion/completions/$f"
# done
install -Dm644 contrib/PKGBUILD.vim "$TERMUX_PREFIX/share/vim/vimfiles/syntax/PKGBUILD.vim"
}

60
disabled-packages/pacman/ensure-matching-database-and-package-version.patch

@ -0,0 +1,60 @@
From deac9731884a83ad91eab9f27b288f406f56c87b Mon Sep 17 00:00:00 2001
From: Levente Polyak <anthraxx@archlinux.org>
Date: Sat, 18 Jul 2015 17:58:23 +0200
Subject: [PATCH] ensure matching database and package version
While loading each package ensure that the internal version matches the
expected database version to avoid the possibility to circumvent the
version check.
This issue can be used by an attacker to trick the software into
installing an older version. The behavior can be exploited by a
man-in-the-middle attack through specially crafted database tarball
containing a higher version, yet actually delivering an older and
vulnerable version, which was previously shipped.
Signed-off-by: Levente Polyak <anthraxx@archlinux.org>
Signed-off-by: Remi Gacogne <rgacogne@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
---
lib/libalpm/sync.c | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/lib/libalpm/sync.c b/lib/libalpm/sync.c
index 888ae15..e843b07 100644
--- a/lib/libalpm/sync.c
+++ b/lib/libalpm/sync.c
@@ -1212,6 +1212,7 @@ static int load_packages(alpm_handle_t *handle, alpm_list_t **data,
EVENT(handle, &event);
for(i = handle->trans->add; i; i = i->next, current++) {
+ int error = 0;
alpm_pkg_t *spkg = i->data;
char *filepath;
int percent = (int)(((double)current_bytes / total_bytes) * 100);
@@ -1232,6 +1233,23 @@ static int load_packages(alpm_handle_t *handle, alpm_list_t **data,
spkg->name);
alpm_pkg_t *pkgfile =_alpm_pkg_load_internal(handle, filepath, 1);
if(!pkgfile) {
+ _alpm_log(handle, ALPM_LOG_DEBUG, "failed to load pkgfile internal\n");
+ error = 1;
+ } else {
+ if(strcmp(spkg->name, pkgfile->name) != 0) {
+ _alpm_log(handle, ALPM_LOG_DEBUG,
+ "internal package name mismatch, expected: '%s', actual: '%s'\n",
+ spkg->name, pkgfile->name);
+ error = 1;
+ }
+ if(strcmp(spkg->version, pkgfile->version) != 0) {
+ _alpm_log(handle, ALPM_LOG_DEBUG,
+ "internal package version mismatch, expected: '%s', actual: '%s'\n",
+ spkg->version, pkgfile->version);
+ error = 1;
+ }
+ }
+ if(error != 0) {
errors++;
*data = alpm_list_add(*data, strdup(spkg->filename));
free(filepath);
--
2.4.6

146
disabled-packages/pacman/makepkg.conf

@ -0,0 +1,146 @@
#
# /etc/makepkg.conf
#
#########################################################################
# SOURCE ACQUISITION
#########################################################################
#
#-- The download utilities that makepkg should use to acquire sources
# Format: 'protocol::agent'
DLAGENTS=('ftp::/usr/bin/curl -fC - --ftp-pasv --retry 3 --retry-delay 3 -o %o %u'
'http::/usr/bin/curl -fLC - --retry 3 --retry-delay 3 -o %o %u'
'https::/usr/bin/curl -fLC - --retry 3 --retry-delay 3 -o %o %u'
'rsync::/usr/bin/rsync --no-motd -z %u %o'
'scp::/usr/bin/scp -C %u %o')
# Other common tools:
# /usr/bin/snarf
# /usr/bin/lftpget -c
# /usr/bin/wget
#-- The package required by makepkg to download VCS sources
# Format: 'protocol::package'
VCSCLIENTS=('bzr::bzr'
'git::git'
'hg::mercurial'
'svn::subversion')
#########################################################################
# ARCHITECTURE, COMPILE FLAGS
#########################################################################
#
CARCH="@CARCH@"
CHOST="@CHOST@"
#-- Compiler and Linker Flags
# -march (or -mcpu) builds exclusively for an architecture
# -mtune optimizes for an architecture, but builds for whole processor family
CPPFLAGS="-D_FORTIFY_SOURCE=2"
CFLAGS="@CARCHFLAGS@ -mtune=generic -O2 -pipe -fstack-protector-strong"
CXXFLAGS="@CARCHFLAGS@ -mtune=generic -O2 -pipe -fstack-protector-strong"
LDFLAGS="-Wl,-O1,--sort-common,--as-needed,-z,relro"
#-- Make Flags: change this for DistCC/SMP systems
#MAKEFLAGS="-j2"
#-- Debugging flags
DEBUG_CFLAGS="-g -fvar-tracking-assignments"
DEBUG_CXXFLAGS="-g -fvar-tracking-assignments"
#########################################################################
# BUILD ENVIRONMENT
#########################################################################
#
# Defaults: BUILDENV=(!distcc color !ccache check !sign)
# A negated environment option will do the opposite of the comments below.
#
#-- distcc: Use the Distributed C/C++/ObjC compiler
#-- color: Colorize output messages
#-- ccache: Use ccache to cache compilation
#-- check: Run the check() function if present in the PKGBUILD
#-- sign: Generate PGP signature file
#
BUILDENV=(!distcc color !ccache check !sign)
#
#-- If using DistCC, your MAKEFLAGS will also need modification. In addition,
#-- specify a space-delimited list of hosts running in the DistCC cluster.
#DISTCC_HOSTS=""
#
#-- Specify a directory for package building.
#BUILDDIR=/tmp/makepkg
#########################################################################
# GLOBAL PACKAGE OPTIONS
# These are default values for the options=() settings
#########################################################################
#
# Default: OPTIONS=(strip docs !libtool !staticlibs emptydirs zipman purge !upx !debug)
# A negated option will do the opposite of the comments below.
#
#-- strip: Strip symbols from binaries/libraries
#-- docs: Save doc directories specified by DOC_DIRS
#-- libtool: Leave libtool (.la) files in packages
#-- staticlibs: Leave static library (.a) files in packages
#-- emptydirs: Leave empty directories in packages
#-- zipman: Compress manual (man and info) pages in MAN_DIRS with gzip
#-- purge: Remove files specified by PURGE_TARGETS
#-- upx: Compress binary executable files using UPX
#-- debug: Add debugging flags as specified in DEBUG_* variables
#
OPTIONS=(strip docs !libtool !staticlibs emptydirs zipman purge !upx !debug)
#-- File integrity checks to use. Valid: md5, sha1, sha256, sha384, sha512
INTEGRITY_CHECK=(md5)
#-- Options to be used when stripping binaries. See `man strip' for details.
STRIP_BINARIES="--strip-all"
#-- Options to be used when stripping shared libraries. See `man strip' for details.
STRIP_SHARED="--strip-unneeded"
#-- Options to be used when stripping static libraries. See `man strip' for details.
STRIP_STATIC="--strip-debug"
#-- Manual (man and info) directories to compress (if zipman is specified)
MAN_DIRS=({usr{,/local}{,/share},opt/*}/{man,info})
#-- Doc directories to remove (if !docs is specified)
DOC_DIRS=(usr/{,local/}{,share/}{doc,gtk-doc} opt/*/{doc,gtk-doc})
#-- Files to be removed from all packages (if purge is specified)
PURGE_TARGETS=(usr/{,share}/info/dir .packlist *.pod)
#########################################################################
# PACKAGE OUTPUT
#########################################################################
#
# Default: put built package and cached source in build directory
#
#-- Destination: specify a fixed directory where all packages will be placed
#PKGDEST=/home/packages
#-- Source cache: specify a fixed directory where source files will be cached
#SRCDEST=/home/sources
#-- Source packages: specify a fixed directory where all src packages will be placed
#SRCPKGDEST=/home/srcpackages
#-- Log files: specify a fixed directory where all log files will be placed
#LOGDEST=/home/makepkglogs
#-- Packager: name/email of the person or organization building packages
#PACKAGER="John Doe <john@doe.com>"
#-- Specify a key to use for package signing
#GPGKEY=""
#########################################################################
# COMPRESSION DEFAULTS
#########################################################################
#
COMPRESSGZ=(gzip -c -f -n)
COMPRESSBZ2=(bzip2 -c -f)
COMPRESSXZ=(xz -c -z -)
COMPRESSLRZ=(lrzip -q)
COMPRESSLZO=(lzop -q)
COMPRESSZ=(compress -c -f)
#########################################################################
# EXTENSION DEFAULTS
#########################################################################
#
# WARNING: Do NOT modify these variables unless you know what you are
# doing.
#
PKGEXT='.pkg.tar.xz'
SRCEXT='.src.tar.gz'
# vim: set ft=sh ts=2 sw=2 et:

90
disabled-packages/pacman/pacman.conf

@ -0,0 +1,90 @@
#
# /etc/pacman.conf
#
# See the pacman.conf(5) manpage for option and repository directives
#
# GENERAL OPTIONS
#
[options]
# The following paths are commented out with their default values listed.
# If you wish to use different paths, uncomment and update the paths.
#RootDir = /
#DBPath = /var/lib/pacman/
#CacheDir = /var/cache/pacman/pkg/
#LogFile = /var/log/pacman.log
#GPGDir = /etc/pacman.d/gnupg/
HoldPkg = pacman glibc
#XferCommand = /usr/bin/curl -C - -f %u > %o
#XferCommand = /usr/bin/wget --passive-ftp -c -O %o %u
#CleanMethod = KeepInstalled
#UseDelta = 0.7
Architecture = auto
# Pacman won't upgrade packages listed in IgnorePkg and members of IgnoreGroup
#IgnorePkg =
#IgnoreGroup =
#NoUpgrade =
#NoExtract =
# Misc options
#UseSyslog
#Color
#TotalDownload
CheckSpace
#VerbosePkgLists
# By default, pacman accepts packages signed by keys that its local keyring
# trusts (see pacman-key and its man page), as well as unsigned packages.
SigLevel = Required DatabaseOptional
LocalFileSigLevel = Optional
#RemoteFileSigLevel = Required
# NOTE: You must run `pacman-key --init` before first using pacman; the local
# keyring can then be populated with the keys of all official Arch Linux
# packagers with `pacman-key --populate archlinux`.
#
# REPOSITORIES
# - can be defined here or included from another file
# - pacman will search repositories in the order defined here
# - local/custom mirrors can be added here or in separate files
# - repositories listed first will take precedence when packages
# have identical names, regardless of version number
# - URLs will have $repo replaced by the name of the current repo
# - URLs will have $arch replaced by the name of the architecture
#
# Repository entries are of the format:
# [repo-name]
# Server = ServerName
# Include = IncludePath
#
# The header [repo-name] is crucial - it must be present and
# uncommented to enable the repo.
#
# The testing repositories are disabled by default. To enable, uncomment the
# repo name header and Include lines. You can add preferred servers immediately
# after the header, and they will be used before the default mirrors.
#[testing]
#Include = /etc/pacman.d/mirrorlist
[core]
Include = /etc/pacman.d/mirrorlist
[extra]
Include = /etc/pacman.d/mirrorlist
#[community-testing]
#Include = /etc/pacman.d/mirrorlist
[community]
Include = /etc/pacman.d/mirrorlist
# An example of a custom package repository. See the pacman manpage for
# tips on creating your own repositories.
#[custom]
#SigLevel = Optional TrustAll
#Server = file:///home/custompkgs

12
disabled-packages/pacman/pacman.patch

@ -0,0 +1,12 @@
--- ./src/pacman/pacman.c 2015-12-23 19:50:37.093132801 -0300
+++ ./src/pacman/pacman.c 2015-12-23 23:30:17.986469980 -0300
@@ -1128,7 +1128,8 @@
} while(c != EOF);
free(line);
- if(!freopen(ctermid(NULL), "r", stdin)) {
+ //if(!freopen(ctermid(NULL), "r", stdin)) {
+ if(!freopen("/dev/tty", "r", stdin)) { // HACK termux doesn't have ctermid()
pm_printf(ALPM_LOG_ERROR, _("failed to reopen stdin for reading: (%s)\n"),
strerror(errno));
}
Loading…
Cancel
Save