diff options
author | André Fabian Silva Delgado <emulatorman@parabola.nu> | 2016-02-01 10:45:44 -0300 |
---|---|---|
committer | André Fabian Silva Delgado <emulatorman@parabola.nu> | 2016-02-01 10:48:06 -0300 |
commit | 544e35544baf4c74d7dc257de257f9a774a95ab3 (patch) | |
tree | ed59d116002480d1dc97a2f1de59a05c93eec77d /libre/pacman/ensure-matching-database-and-package-version.patch | |
parent | 70605bcebdfef688682627713ed24f911c4881c3 (diff) | |
download | abslibre-544e35544baf4c74d7dc257de257f9a774a95ab3.tar.gz abslibre-544e35544baf4c74d7dc257de257f9a774a95ab3.tar.bz2 abslibre-544e35544baf4c74d7dc257de257f9a774a95ab3.zip |
pacman-5.0.0-1.parabola1: updating version
Diffstat (limited to 'libre/pacman/ensure-matching-database-and-package-version.patch')
-rw-r--r-- | libre/pacman/ensure-matching-database-and-package-version.patch | 60 |
1 files changed, 0 insertions, 60 deletions
diff --git a/libre/pacman/ensure-matching-database-and-package-version.patch b/libre/pacman/ensure-matching-database-and-package-version.patch deleted file mode 100644 index 4d9170f8b..000000000 --- a/libre/pacman/ensure-matching-database-and-package-version.patch +++ /dev/null @@ -1,60 +0,0 @@ -From deac9731884a83ad91eab9f27b288f406f56c87b Mon Sep 17 00:00:00 2001 -From: Levente Polyak <anthraxx@archlinux.org> -Date: Sat, 18 Jul 2015 17:58:23 +0200 -Subject: [PATCH] ensure matching database and package version - -While loading each package ensure that the internal version matches the -expected database version to avoid the possibility to circumvent the -version check. -This issue can be used by an attacker to trick the software into -installing an older version. The behavior can be exploited by a -man-in-the-middle attack through specially crafted database tarball -containing a higher version, yet actually delivering an older and -vulnerable version, which was previously shipped. - -Signed-off-by: Levente Polyak <anthraxx@archlinux.org> -Signed-off-by: Remi Gacogne <rgacogne@archlinux.org> -Signed-off-by: Allan McRae <allan@archlinux.org> ---- - lib/libalpm/sync.c | 18 ++++++++++++++++++ - 1 file changed, 18 insertions(+) - -diff --git a/lib/libalpm/sync.c b/lib/libalpm/sync.c -index 888ae15..e843b07 100644 ---- a/lib/libalpm/sync.c -+++ b/lib/libalpm/sync.c -@@ -1212,6 +1212,7 @@ static int load_packages(alpm_handle_t *handle, alpm_list_t **data, - EVENT(handle, &event); - - for(i = handle->trans->add; i; i = i->next, current++) { -+ int error = 0; - alpm_pkg_t *spkg = i->data; - char *filepath; - int percent = (int)(((double)current_bytes / total_bytes) * 100); -@@ -1232,6 +1233,23 @@ static int load_packages(alpm_handle_t *handle, alpm_list_t **data, - spkg->name); - alpm_pkg_t *pkgfile =_alpm_pkg_load_internal(handle, filepath, 1); - if(!pkgfile) { -+ _alpm_log(handle, ALPM_LOG_DEBUG, "failed to load pkgfile internal\n"); -+ error = 1; -+ } else { -+ if(strcmp(spkg->name, pkgfile->name) != 0) { -+ _alpm_log(handle, ALPM_LOG_DEBUG, -+ "internal package name mismatch, expected: '%s', actual: '%s'\n", -+ spkg->name, pkgfile->name); -+ error = 1; -+ } -+ if(strcmp(spkg->version, pkgfile->version) != 0) { -+ _alpm_log(handle, ALPM_LOG_DEBUG, -+ "internal package version mismatch, expected: '%s', actual: '%s'\n", -+ spkg->version, pkgfile->version); -+ error = 1; -+ } -+ } -+ if(error != 0) { - errors++; - *data = alpm_list_add(*data, strdup(spkg->filename)); - free(filepath); --- -2.4.6 - |