From 4ad1cdaf1dc951638b4694309467942fd23ede7f Mon Sep 17 00:00:00 2001
From: André Fabian Silva Delgado <emulatorman@parabola.nu>
Date: Sun, 26 Jul 2015 12:56:03 -0300
Subject: pacman-4.2.1-2.parabola1: updating revision

* add upstream patch for bad bug
* drop mips64el support
* add cronie to depends
---
 libre/pacman/PKGBUILD                              |  30 +++---
 ...ure-matching-database-and-package-version.patch |  60 +++++++++++
 libre/pacman/pacman.conf.mips64el                  | 113 ---------------------
 3 files changed, 74 insertions(+), 129 deletions(-)
 create mode 100644 libre/pacman/ensure-matching-database-and-package-version.patch
 delete mode 100644 libre/pacman/pacman.conf.mips64el

(limited to 'libre/pacman')

diff --git a/libre/pacman/PKGBUILD b/libre/pacman/PKGBUILD
index f5430b287..4fba5108f 100644
--- a/libre/pacman/PKGBUILD
+++ b/libre/pacman/PKGBUILD
@@ -1,5 +1,5 @@
 # vim: set ts=2 sw=2 et:
-# $Id: PKGBUILD 231682 2015-02-20 01:59:29Z allan $
+# $Id: PKGBUILD 242468 2015-07-24 01:55:08Z allan $
 # Maintainer (Arch): Dan McGee <dan@archlinux.org>
 # Maintainer (Arch): Dave Reisner <dreisner@archlinux.org>
 # Maintainer: André Silva <emulatorman@parabola.nu>
@@ -9,15 +9,15 @@
 
 pkgname=pacman
 pkgver=4.2.1
-pkgrel=1.parabola1
+pkgrel=2.parabola1
 pkgdesc="A library-based package manager with dependency support"
-arch=('i686' 'x86_64' 'mips64el')
+arch=('i686' 'x86_64')
 url="http://www.archlinux.org/pacman/"
 license=('GPL')
 groups=('base' 'base-devel')
 depends=('bash' 'glibc' 'libarchive>=3.1.2' 'curl>=7.39.0'
          'gpgme' 'pacman-mirrorlist' 'archlinux-keyring'
-         'parabola-keyring' 'ca-certificates-cacert')
+         'parabola-keyring' 'ca-certificates-cacert' 'cronie')
 makedepends=('asciidoc')   # roundup patch alters docs
 checkdepends=('python2' 'fakechroot')
 provides=("$pkgname-contrib")
@@ -25,16 +25,17 @@ conflicts=("$pkgname-contrib" "$pkgname-parabola" 'cacert-dot-org')
 replaces=("$pkgname-contrib" "$pkgname-parabola" 'cacert-dot-org')
 backup=('etc/pacman.conf' 'etc/makepkg.conf')
 options=('strip' 'debug')
-source=("ftp://ftp.archlinux.org/other/$pkgname/$pkgname-$pkgver.tar.gz"{,.sig}
-        "$pkgname.conf."{i686,x86_64,mips64el}
-        "makepkg.conf"
-        "refresh-$pkgname-keys"
-        "makepkg-pkgrel-4.patch")
+source=(https://sources.archlinux.org/other/pacman/$pkgname-$pkgver.tar.gz{,.sig}
+        ensure-matching-database-and-package-version.patch
+        $pkgname.conf.{i686,x86_64}
+        makepkg.conf
+        refresh-$pkgname-keys
+        makepkg-pkgrel-4.patch)
 md5sums=('2a596fc8f723e99660c0869a74afcf47'
          'SKIP'
+         'e8f72afe6f417d11bd36ada042744fe4'
          '9c1454e48b2216b23f931e04d6dab1ee'
          '7279d086428df483fd60c33f7c88cf3e'
-         'a12b1a4533c170aecc8b9b8561048248'
          'ce525a9af50f1d9b824806d2e5a4f0c8'
          '093f0779ac55ae781ba028ad74b95f84'
          '0ee98dc38ff80ba127772f5104e18e46')
@@ -42,7 +43,9 @@ validpgpkeys=('6645B0A8C7005E78DB1D7864F99FFE0FEAE999BD')  # Allan McRae <allan@
 
 prepare() {
   cd "$pkgname-$pkgver"
-  
+
+  patch -p1 -i $srcdir/ensure-matching-database-and-package-version.patch
+
   # treat pkgrel more similarly to pkgver
   patch -p1 -i "$srcdir/makepkg-pkgrel-4.patch"
 }
@@ -83,11 +86,6 @@ package() {
       mychost="x86_64-unknown-linux-gnu"
       myflags="-march=x86-64 -mtune=generic -O2 -pipe -fstack-protector-strong --param=ssp-buffer-size=4"
       ;;
-    mips64el)
-      mycarch="mips64el"
-      mychost="mips64el-unknown-linux-gnu"
-      myflags="-march=mips3 -mtune=loongson2f -mabi=n32 -mplt -O2 -pipe -fstack-protector-strong --param=ssp-buffer-size=4"
-      ;;
   esac
   myldflags="-Wl,-O1,--sort-common,--as-needed,-z,relro,--hash-style=gnu"
 
diff --git a/libre/pacman/ensure-matching-database-and-package-version.patch b/libre/pacman/ensure-matching-database-and-package-version.patch
new file mode 100644
index 000000000..4d9170f8b
--- /dev/null
+++ b/libre/pacman/ensure-matching-database-and-package-version.patch
@@ -0,0 +1,60 @@
+From deac9731884a83ad91eab9f27b288f406f56c87b Mon Sep 17 00:00:00 2001
+From: Levente Polyak <anthraxx@archlinux.org>
+Date: Sat, 18 Jul 2015 17:58:23 +0200
+Subject: [PATCH] ensure matching database and package version
+
+While loading each package ensure that the internal version matches the
+expected database version to avoid the possibility to circumvent the
+version check.
+This issue can be used by an attacker to trick the software into
+installing an older version. The behavior can be  exploited by a
+man-in-the-middle attack through specially crafted  database tarball
+containing a higher version, yet actually delivering an  older and
+vulnerable version, which was previously shipped.
+
+Signed-off-by: Levente Polyak <anthraxx@archlinux.org>
+Signed-off-by: Remi Gacogne <rgacogne@archlinux.org>
+Signed-off-by: Allan McRae <allan@archlinux.org>
+---
+ lib/libalpm/sync.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/lib/libalpm/sync.c b/lib/libalpm/sync.c
+index 888ae15..e843b07 100644
+--- a/lib/libalpm/sync.c
++++ b/lib/libalpm/sync.c
+@@ -1212,6 +1212,7 @@ static int load_packages(alpm_handle_t *handle, alpm_list_t **data,
+ 	EVENT(handle, &event);
+ 
+ 	for(i = handle->trans->add; i; i = i->next, current++) {
++		int error = 0;
+ 		alpm_pkg_t *spkg = i->data;
+ 		char *filepath;
+ 		int percent = (int)(((double)current_bytes / total_bytes) * 100);
+@@ -1232,6 +1233,23 @@ static int load_packages(alpm_handle_t *handle, alpm_list_t **data,
+ 				spkg->name);
+ 		alpm_pkg_t *pkgfile =_alpm_pkg_load_internal(handle, filepath, 1);
+ 		if(!pkgfile) {
++			_alpm_log(handle, ALPM_LOG_DEBUG, "failed to load pkgfile internal\n");
++			error = 1;
++		} else {
++			if(strcmp(spkg->name, pkgfile->name) != 0) {
++				_alpm_log(handle, ALPM_LOG_DEBUG,
++						"internal package name mismatch, expected: '%s', actual: '%s'\n",
++						spkg->name, pkgfile->name);
++				error = 1;
++			}
++			if(strcmp(spkg->version, pkgfile->version) != 0) {
++				_alpm_log(handle, ALPM_LOG_DEBUG,
++						"internal package version mismatch, expected: '%s', actual: '%s'\n",
++						spkg->version, pkgfile->version);
++				error = 1;
++			}
++		}
++		if(error != 0) {
+ 			errors++;
+ 			*data = alpm_list_add(*data, strdup(spkg->filename));
+ 			free(filepath);
+-- 
+2.4.6
+
diff --git a/libre/pacman/pacman.conf.mips64el b/libre/pacman/pacman.conf.mips64el
deleted file mode 100644
index 136924c96..000000000
--- a/libre/pacman/pacman.conf.mips64el
+++ /dev/null
@@ -1,113 +0,0 @@
-#
-# /etc/pacman.conf
-#
-# See the pacman.conf(5) manpage for option and repository directives
-
-#
-# GENERAL OPTIONS
-#
-[options]
-# The following paths are commented out with their default values listed.
-# If you wish to use different paths, uncomment and update the paths.
-#RootDir     = /
-#DBPath      = /var/lib/pacman/
-#CacheDir    = /var/cache/pacman/pkg/
-#LogFile     = /var/log/pacman.log
-#GPGDir      = /etc/pacman.d/gnupg/
-HoldPkg     = pacman glibc
-#XferCommand = /usr/bin/curl -C - -f %u > %o
-#XferCommand = /usr/bin/wget --passive-ftp -c -O %o %u
-#CleanMethod = KeepInstalled
-#UseDelta    = 0.7
-Architecture = mips64el
-
-# Pacman won't upgrade packages listed in IgnorePkg and members of IgnoreGroup
-#IgnorePkg   =
-#IgnoreGroup =
-
-#NoUpgrade   =
-#NoExtract   =
-
-# Misc options
-#UseSyslog
-#Color
-#TotalDownload
-CheckSpace
-#VerbosePkgLists
-
-# By default, pacman accepts packages signed by keys that its local keyring
-# trusts (see pacman-key and its man page), as well as unsigned packages.
-SigLevel    = Required DatabaseOptional
-LocalFileSigLevel = Optional
-#RemoteFileSigLevel = Required
-
-# NOTE: You must run `pacman-key --init` before first using pacman; the local
-# keyring can then be populated with the keys of all Arch/Parabola packagers
-# with `pacman-key --populate archlinux` and `pacman-key --populate parabola`.
-
-#
-# REPOSITORIES
-#   - can be defined here or included from another file
-#   - pacman will search repositories in the order defined here
-#   - local/custom mirrors can be added here or in separate files
-#   - repositories listed first will take precedence when packages
-#     have identical names, regardless of version number
-#   - URLs will have $repo replaced by the name of the current repo
-#   - URLs will have $arch replaced by the name of the architecture
-#
-# Repository entries are of the format:
-#       [repo-name]
-#       Server = ServerName
-#       Include = IncludePath
-#
-# The header [repo-name] is crucial - it must be present and
-# uncommented to enable the repo.
-#
-
-# The testing repositories are disabled by default. To enable, uncomment the
-# repo name header and Include lines. You can add preferred servers immediately
-# after the header, and they will be used before the default mirrors.
-
-# NOTE: Nonprism is a particular repository that aims to provide software built
-# and patched without services under global data surveillance programs like PRISM,
-# XKeyscore and Tempora. For more info see: https://wiki.parabola.nu/Nonprism
-
-#[nonprism]
-#Include = /etc/pacman.d/mirrorlist
-
-#[nonprism-testing]
-#Include = /etc/pacman.d/mirrorlist
-
-#[libre-testing]
-#Include = /etc/pacman.d/mirrorlist
-
-[libre]
-Include = /etc/pacman.d/mirrorlist
-
-#[testing]
-#Include = /etc/pacman.d/mirrorlist
-
-[core]
-Include = /etc/pacman.d/mirrorlist
-
-[extra]
-Include = /etc/pacman.d/mirrorlist
-
-#[community-testing]
-#Include = /etc/pacman.d/mirrorlist
-
-[community]
-Include = /etc/pacman.d/mirrorlist
-
-# Parabola also supports community projects and personal repositories, to find
-# them check out this wiki page: https://wiki.parabola.nu/Repositories
-
-# Parabola community repo
-#[pcr]
-#Include = /etc/pacman.d/mirrorlist
-
-# An example of a custom package repository.  See the pacman manpage for
-# tips on creating your own repositories.
-#[custom]
-#SigLevel = Optional TrustAll
-#Server = file:///home/custompkgs
-- 
cgit v1.2.3