You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
60 lines
2.2 KiB
60 lines
2.2 KiB
From deac9731884a83ad91eab9f27b288f406f56c87b Mon Sep 17 00:00:00 2001
|
|
From: Levente Polyak <anthraxx@archlinux.org>
|
|
Date: Sat, 18 Jul 2015 17:58:23 +0200
|
|
Subject: [PATCH] ensure matching database and package version
|
|
|
|
While loading each package ensure that the internal version matches the
|
|
expected database version to avoid the possibility to circumvent the
|
|
version check.
|
|
This issue can be used by an attacker to trick the software into
|
|
installing an older version. The behavior can be exploited by a
|
|
man-in-the-middle attack through specially crafted database tarball
|
|
containing a higher version, yet actually delivering an older and
|
|
vulnerable version, which was previously shipped.
|
|
|
|
Signed-off-by: Levente Polyak <anthraxx@archlinux.org>
|
|
Signed-off-by: Remi Gacogne <rgacogne@archlinux.org>
|
|
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
---
|
|
lib/libalpm/sync.c | 18 ++++++++++++++++++
|
|
1 file changed, 18 insertions(+)
|
|
|
|
diff --git a/lib/libalpm/sync.c b/lib/libalpm/sync.c
|
|
index 888ae15..e843b07 100644
|
|
--- a/lib/libalpm/sync.c
|
|
+++ b/lib/libalpm/sync.c
|
|
@@ -1212,6 +1212,7 @@ static int load_packages(alpm_handle_t *handle, alpm_list_t **data,
|
|
EVENT(handle, &event);
|
|
|
|
for(i = handle->trans->add; i; i = i->next, current++) {
|
|
+ int error = 0;
|
|
alpm_pkg_t *spkg = i->data;
|
|
char *filepath;
|
|
int percent = (int)(((double)current_bytes / total_bytes) * 100);
|
|
@@ -1232,6 +1233,23 @@ static int load_packages(alpm_handle_t *handle, alpm_list_t **data,
|
|
spkg->name);
|
|
alpm_pkg_t *pkgfile =_alpm_pkg_load_internal(handle, filepath, 1);
|
|
if(!pkgfile) {
|
|
+ _alpm_log(handle, ALPM_LOG_DEBUG, "failed to load pkgfile internal\n");
|
|
+ error = 1;
|
|
+ } else {
|
|
+ if(strcmp(spkg->name, pkgfile->name) != 0) {
|
|
+ _alpm_log(handle, ALPM_LOG_DEBUG,
|
|
+ "internal package name mismatch, expected: '%s', actual: '%s'\n",
|
|
+ spkg->name, pkgfile->name);
|
|
+ error = 1;
|
|
+ }
|
|
+ if(strcmp(spkg->version, pkgfile->version) != 0) {
|
|
+ _alpm_log(handle, ALPM_LOG_DEBUG,
|
|
+ "internal package version mismatch, expected: '%s', actual: '%s'\n",
|
|
+ spkg->version, pkgfile->version);
|
|
+ error = 1;
|
|
+ }
|
|
+ }
|
|
+ if(error != 0) {
|
|
errors++;
|
|
*data = alpm_list_add(*data, strdup(spkg->filename));
|
|
free(filepath);
|
|
--
|
|
2.4.6
|
|
|
|
|