summaryrefslogtreecommitdiff
path: root/libre/pacman/ensure-matching-database-and-package-version.patch
diff options
context:
space:
mode:
authorAndré Fabian Silva Delgado <emulatorman@parabola.nu>2016-02-01 10:45:44 -0300
committerAndré Fabian Silva Delgado <emulatorman@parabola.nu>2016-02-01 10:48:06 -0300
commit544e35544baf4c74d7dc257de257f9a774a95ab3 (patch)
treeed59d116002480d1dc97a2f1de59a05c93eec77d /libre/pacman/ensure-matching-database-and-package-version.patch
parent70605bcebdfef688682627713ed24f911c4881c3 (diff)
downloadabslibre-544e35544baf4c74d7dc257de257f9a774a95ab3.tar.gz
abslibre-544e35544baf4c74d7dc257de257f9a774a95ab3.tar.bz2
abslibre-544e35544baf4c74d7dc257de257f9a774a95ab3.zip
pacman-5.0.0-1.parabola1: updating version
Diffstat (limited to 'libre/pacman/ensure-matching-database-and-package-version.patch')
-rw-r--r--libre/pacman/ensure-matching-database-and-package-version.patch60
1 files changed, 0 insertions, 60 deletions
diff --git a/libre/pacman/ensure-matching-database-and-package-version.patch b/libre/pacman/ensure-matching-database-and-package-version.patch
deleted file mode 100644
index 4d9170f8b..000000000
--- a/libre/pacman/ensure-matching-database-and-package-version.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From deac9731884a83ad91eab9f27b288f406f56c87b Mon Sep 17 00:00:00 2001
-From: Levente Polyak <anthraxx@archlinux.org>
-Date: Sat, 18 Jul 2015 17:58:23 +0200
-Subject: [PATCH] ensure matching database and package version
-
-While loading each package ensure that the internal version matches the
-expected database version to avoid the possibility to circumvent the
-version check.
-This issue can be used by an attacker to trick the software into
-installing an older version. The behavior can be exploited by a
-man-in-the-middle attack through specially crafted database tarball
-containing a higher version, yet actually delivering an older and
-vulnerable version, which was previously shipped.
-
-Signed-off-by: Levente Polyak <anthraxx@archlinux.org>
-Signed-off-by: Remi Gacogne <rgacogne@archlinux.org>
-Signed-off-by: Allan McRae <allan@archlinux.org>
----
- lib/libalpm/sync.c | 18 ++++++++++++++++++
- 1 file changed, 18 insertions(+)
-
-diff --git a/lib/libalpm/sync.c b/lib/libalpm/sync.c
-index 888ae15..e843b07 100644
---- a/lib/libalpm/sync.c
-+++ b/lib/libalpm/sync.c
-@@ -1212,6 +1212,7 @@ static int load_packages(alpm_handle_t *handle, alpm_list_t **data,
- EVENT(handle, &event);
-
- for(i = handle->trans->add; i; i = i->next, current++) {
-+ int error = 0;
- alpm_pkg_t *spkg = i->data;
- char *filepath;
- int percent = (int)(((double)current_bytes / total_bytes) * 100);
-@@ -1232,6 +1233,23 @@ static int load_packages(alpm_handle_t *handle, alpm_list_t **data,
- spkg->name);
- alpm_pkg_t *pkgfile =_alpm_pkg_load_internal(handle, filepath, 1);
- if(!pkgfile) {
-+ _alpm_log(handle, ALPM_LOG_DEBUG, "failed to load pkgfile internal\n");
-+ error = 1;
-+ } else {
-+ if(strcmp(spkg->name, pkgfile->name) != 0) {
-+ _alpm_log(handle, ALPM_LOG_DEBUG,
-+ "internal package name mismatch, expected: '%s', actual: '%s'\n",
-+ spkg->name, pkgfile->name);
-+ error = 1;
-+ }
-+ if(strcmp(spkg->version, pkgfile->version) != 0) {
-+ _alpm_log(handle, ALPM_LOG_DEBUG,
-+ "internal package version mismatch, expected: '%s', actual: '%s'\n",
-+ spkg->version, pkgfile->version);
-+ error = 1;
-+ }
-+ }
-+ if(error != 0) {
- errors++;
- *data = alpm_list_add(*data, strdup(spkg->filename));
- free(filepath);
---
-2.4.6
-