Diffstat (limited to 'libre/pacman')
-rw-r--r--libre/pacman/PKGBUILD30
-rw-r--r--libre/pacman/ensure-matching-database-and-package-version.patch60
-rw-r--r--libre/pacman/pacman.conf.mips64el113
3 files changed, 74 insertions, 129 deletions
diff --git a/libre/pacman/PKGBUILD b/libre/pacman/PKGBUILD
index f5430b287..4fba5108f 100644
--- a/libre/pacman/PKGBUILD
+++ b/libre/pacman/PKGBUILD
@@ -1,5 +1,5 @@
# vim: set ts=2 sw=2 et:
-# $Id: PKGBUILD 231682 2015-02-20 01:59:29Z allan $
+# $Id: PKGBUILD 242468 2015-07-24 01:55:08Z allan $
# Maintainer (Arch): Dan McGee <dan@archlinux.org>
# Maintainer (Arch): Dave Reisner <dreisner@archlinux.org>
# Maintainer: André Silva <emulatorman@parabola.nu>
@@ -9,15 +9,15 @@
pkgname=pacman
pkgver=4.2.1
-pkgrel=1.parabola1
+pkgrel=2.parabola1
pkgdesc="A library-based package manager with dependency support"
-arch=('i686' 'x86_64' 'mips64el')
+arch=('i686' 'x86_64')
url="http://www.archlinux.org/pacman/"
license=('GPL')
groups=('base' 'base-devel')
depends=('bash' 'glibc' 'libarchive>=3.1.2' 'curl>=7.39.0'
'gpgme' 'pacman-mirrorlist' 'archlinux-keyring'
- 'parabola-keyring' 'ca-certificates-cacert')
+ 'parabola-keyring' 'ca-certificates-cacert' 'cronie')
makedepends=('asciidoc') # roundup patch alters docs
checkdepends=('python2' 'fakechroot')
provides=("$pkgname-contrib")
@@ -25,16 +25,17 @@ conflicts=("$pkgname-contrib" "$pkgname-parabola" 'cacert-dot-org')
replaces=("$pkgname-contrib" "$pkgname-parabola" 'cacert-dot-org')
backup=('etc/pacman.conf' 'etc/makepkg.conf')
options=('strip' 'debug')
-source=("ftp://ftp.archlinux.org/other/$pkgname/$pkgname-$pkgver.tar.gz"{,.sig}
- "$pkgname.conf."{i686,x86_64,mips64el}
- "makepkg.conf"
- "refresh-$pkgname-keys"
- "makepkg-pkgrel-4.patch")
+source=(https://sources.archlinux.org/other/pacman/$pkgname-$pkgver.tar.gz{,.sig}
+ ensure-matching-database-and-package-version.patch
+ $pkgname.conf.{i686,x86_64}
+ makepkg.conf
+ refresh-$pkgname-keys
+ makepkg-pkgrel-4.patch)
md5sums=('2a596fc8f723e99660c0869a74afcf47'
'SKIP'
+ 'e8f72afe6f417d11bd36ada042744fe4'
'9c1454e48b2216b23f931e04d6dab1ee'
'7279d086428df483fd60c33f7c88cf3e'
- 'a12b1a4533c170aecc8b9b8561048248'
'ce525a9af50f1d9b824806d2e5a4f0c8'
'093f0779ac55ae781ba028ad74b95f84'
'0ee98dc38ff80ba127772f5104e18e46')
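Review bot: The checksum added for ensure-matching-database-and-package-version.patch, like every other entry in this array, is an MD5 digest, which is not collision-resistant and so is a weak pin for a file whose whole purpose is a security fix. The upstream tarball is additionally covered by its `.sig` and `validpgpkeys`, but the local patch, the pacman.conf files and the helper scripts are verified by `md5sums` alone. I would switch the array to `sha256sums=(...)`, regenerated with `makepkg -g` or `updpkgsums`, keeping `'SKIP'` for the signature entry.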
@@ -42,7 +43,9 @@ validpgpkeys=('6645B0A8C7005E78DB1D7864F99FFE0FEAE999BD') # Allan McRae <allan@
prepare() {
cd "$pkgname-$pkgver"
-
+
+ patch -p1 -i $srcdir/ensure-matching-database-and-package-version.patch
+
# treat pkgrel more similarly to pkgver
patch -p1 -i "$srcdir/makepkg-pkgrel-4.patch"
}
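Review bot: The added `patch` call in prepare() leaves `$srcdir` unquoted, unlike the existing makepkg-pkgrel-4.patch call below it, so a build directory containing spaces or glob characters would be word-split before patch sees the path. Write it as `patch -p1 -i "$srcdir/ensure-matching-database-and-package-version.patch"`. The blank line replaced just above it appears to differ only in whitespace and could be left as it was. A one-line comment above the call, such as `# reject packages whose name/version differ from the sync database entry`, would match the comment kept for the next patch.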
@@ -83,11 +86,6 @@ package() {
mychost="x86_64-unknown-linux-gnu"
myflags="-march=x86-64 -mtune=generic -O2 -pipe -fstack-protector-strong --param=ssp-buffer-size=4"
;;
- mips64el)
- mycarch="mips64el"
- mychost="mips64el-unknown-linux-gnu"
- myflags="-march=mips3 -mtune=loongson2f -mabi=n32 -mplt -O2 -pipe -fstack-protector-strong --param=ssp-buffer-size=4"
- ;;
esac
myldflags="-Wl,-O1,--sort-common,--as-needed,-z,relro,--hash-style=gnu"
diff --git a/libre/pacman/ensure-matching-database-and-package-version.patch b/libre/pacman/ensure-matching-database-and-package-version.patch
new file mode 100644
index 000000000..4d9170f8b
--- /dev/null
+++ b/libre/pacman/ensure-matching-database-and-package-version.patch
@@ -0,0 +1,60 @@
+From deac9731884a83ad91eab9f27b288f406f56c87b Mon Sep 17 00:00:00 2001
+From: Levente Polyak <anthraxx@archlinux.org>
+Date: Sat, 18 Jul 2015 17:58:23 +0200
+Subject: [PATCH] ensure matching database and package version
+
+While loading each package ensure that the internal version matches the
+expected database version to avoid the possibility to circumvent the
+version check.
+This issue can be used by an attacker to trick the software into
+installing an older version. The behavior can be exploited by a
+man-in-the-middle attack through specially crafted database tarball
+containing a higher version, yet actually delivering an older and
+vulnerable version, which was previously shipped.
+
+Signed-off-by: Levente Polyak <anthraxx@archlinux.org>
+Signed-off-by: Remi Gacogne <rgacogne@archlinux.org>
+Signed-off-by: Allan McRae <allan@archlinux.org>
+---
+ lib/libalpm/sync.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/lib/libalpm/sync.c b/lib/libalpm/sync.c
+index 888ae15..e843b07 100644
+--- a/lib/libalpm/sync.c
++++ b/lib/libalpm/sync.c
+@@ -1212,6 +1212,7 @@ static int load_packages(alpm_handle_t *handle, alpm_list_t **data,
+ EVENT(handle, &event);
+
+ for(i = handle->trans->add; i; i = i->next, current++) {
++ int error = 0;
+ alpm_pkg_t *spkg = i->data;
+ char *filepath;
+ int percent = (int)(((double)current_bytes / total_bytes) * 100);
+@@ -1232,6 +1233,23 @@ static int load_packages(alpm_handle_t *handle, alpm_list_t **data,
+ spkg->name);
+ alpm_pkg_t *pkgfile =_alpm_pkg_load_internal(handle, filepath, 1);
+ if(!pkgfile) {
++ _alpm_log(handle, ALPM_LOG_DEBUG, "failed to load pkgfile internal\n");
++ error = 1;
++ } else {
++ if(strcmp(spkg->name, pkgfile->name) != 0) {
++ _alpm_log(handle, ALPM_LOG_DEBUG,
++ "internal package name mismatch, expected: '%s', actual: '%s'\n",
++ spkg->name, pkgfile->name);
++ error = 1;
++ }
++ if(strcmp(spkg->version, pkgfile->version) != 0) {
++ _alpm_log(handle, ALPM_LOG_DEBUG,
++ "internal package version mismatch, expected: '%s', actual: '%s'\n",
++ spkg->version, pkgfile->version);
++ error = 1;
++ }
++ }
++ if(error != 0) {
+ errors++;
+ *data = alpm_list_add(*data, strdup(spkg->filename));
+ free(filepath);
+--
+2.4.6
+
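Review bot: The name and version mismatch messages added to load_packages() are emitted at `ALPM_LOG_DEBUG`, so in a normal run the condition the commit message describes (a database advertising one version while the file delivers another) is not reported as such; the user sees only the generic failure for that file. I would log both mismatches at `ALPM_LOG_ERROR`, e.g. `_alpm_log(handle, ALPM_LOG_ERROR, "internal package version mismatch, expected: '%s', actual: '%s'\n", spkg->version, pkgfile->version);`, so the event is visible without `--debug`. Separately, when `pkgfile` loaded successfully but failed a comparison, the visible part of the `if(error != 0)` branch frees only `filepath`. That branch continues outside the hunk, so please confirm `pkgfile` is released there (`_alpm_pkg_free(pkgfile);`), otherwise each rejected package leaks its loaded metadata.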
diff --git a/libre/pacman/pacman.conf.mips64el b/libre/pacman/pacman.conf.mips64el
deleted file mode 100644
index 136924c96..000000000
--- a/libre/pacman/pacman.conf.mips64el
+++ /dev/null
@@ -1,113 +0,0 @@
-#
-# /etc/pacman.conf
-#
-# See the pacman.conf(5) manpage for option and repository directives
-
-#
-# GENERAL OPTIONS
-#
-[options]
-# The following paths are commented out with their default values listed.
-# If you wish to use different paths, uncomment and update the paths.
-#RootDir = /
-#DBPath = /var/lib/pacman/
-#CacheDir = /var/cache/pacman/pkg/
-#LogFile = /var/log/pacman.log
-#GPGDir = /etc/pacman.d/gnupg/
-HoldPkg = pacman glibc
-#XferCommand = /usr/bin/curl -C - -f %u > %o
-#XferCommand = /usr/bin/wget --passive-ftp -c -O %o %u
-#CleanMethod = KeepInstalled
-#UseDelta = 0.7
-Architecture = mips64el
-
-# Pacman won't upgrade packages listed in IgnorePkg and members of IgnoreGroup
-#IgnorePkg =
-#IgnoreGroup =
-
-#NoUpgrade =
-#NoExtract =
-
-# Misc options
-#UseSyslog
-#Color
-#TotalDownload
-CheckSpace
-#VerbosePkgLists
-
-# By default, pacman accepts packages signed by keys that its local keyring
-# trusts (see pacman-key and its man page), as well as unsigned packages.
-SigLevel = Required DatabaseOptional
-LocalFileSigLevel = Optional
-#RemoteFileSigLevel = Required
-
-# NOTE: You must run `pacman-key --init` before first using pacman; the local
-# keyring can then be populated with the keys of all Arch/Parabola packagers
-# with `pacman-key --populate archlinux` and `pacman-key --populate parabola`.
-
-#
-# REPOSITORIES
-# - can be defined here or included from another file
-# - pacman will search repositories in the order defined here
-# - local/custom mirrors can be added here or in separate files
-# - repositories listed first will take precedence when packages
-# have identical names, regardless of version number
-# - URLs will have $repo replaced by the name of the current repo
-# - URLs will have $arch replaced by the name of the architecture
-#
-# Repository entries are of the format:
-# [repo-name]
-# Server = ServerName
-# Include = IncludePath
-#
-# The header [repo-name] is crucial - it must be present and
-# uncommented to enable the repo.
-#
-
-# The testing repositories are disabled by default. To enable, uncomment the
-# repo name header and Include lines. You can add preferred servers immediately
-# after the header, and they will be used before the default mirrors.
-
-# NOTE: Nonprism is a particular repository that aims to provide software built
-# and patched without services under global data surveillance programs like PRISM,
-# XKeyscore and Tempora. For more info see: https://wiki.parabola.nu/Nonprism
-
-#[nonprism]
-#Include = /etc/pacman.d/mirrorlist
-
-#[nonprism-testing]
-#Include = /etc/pacman.d/mirrorlist
-
-#[libre-testing]
-#Include = /etc/pacman.d/mirrorlist
-
-[libre]
-Include = /etc/pacman.d/mirrorlist
-
-#[testing]
-#Include = /etc/pacman.d/mirrorlist
-
-[core]
-Include = /etc/pacman.d/mirrorlist
-
-[extra]
-Include = /etc/pacman.d/mirrorlist
-
-#[community-testing]
-#Include = /etc/pacman.d/mirrorlist
-
-[community]
-Include = /etc/pacman.d/mirrorlist
-
-# Parabola also supports community projects and personal repositories, to find
-# them check out this wiki page: https://wiki.parabola.nu/Repositories
-
-# Parabola community repo
-#[pcr]
-#Include = /etc/pacman.d/mirrorlist
-
-# An example of a custom package repository. See the pacman manpage for
-# tips on creating your own repositories.
-#[custom]
-#SigLevel = Optional TrustAll
-#Server = file:///home/custompkgs