From 4ad1cdaf1dc951638b4694309467942fd23ede7f Mon Sep 17 00:00:00 2001
From: André Fabian Silva Delgado
Date: Sun, 26 Jul 2015 12:56:03 -0300
Subject: pacman-4.2.1-2.parabola1: updating revision
* add upstream patch for bad bug
* drop mips64el support
* add cronie to depends
---
 libre/pacman/PKGBUILD | 30 +++---
 ...ure-matching-database-and-package-version.patch | 60 +++++++++++
 libre/pacman/pacman.conf.mips64el | 113 ---------------------
 3 files changed, 74 insertions(+), 129 deletions(-)
 create mode 100644 libre/pacman/ensure-matching-database-and-package-version.patch
 delete mode 100644 libre/pacman/pacman.conf.mips64el
(limited to 'libre/pacman')
diff --git a/libre/pacman/PKGBUILD b/libre/pacman/PKGBUILD
index f5430b287..4fba5108f 100644
--- a/libre/pacman/PKGBUILD
+++ b/libre/pacman/PKGBUILD
@@ -1,5 +1,5 @@
 # vim: set ts=2 sw=2 et:
-# $Id: PKGBUILD 231682 2015-02-20 01:59:29Z allan $
+# $Id: PKGBUILD 242468 2015-07-24 01:55:08Z allan $
 # Maintainer (Arch): Dan McGee
 # Maintainer (Arch): Dave Reisner
 # Maintainer: André Silva
@@ -9,15 +9,15 @@
 pkgname=pacman
 pkgver=4.2.1
-pkgrel=1.parabola1
+pkgrel=2.parabola1
 pkgdesc="A library-based package manager with dependency support"
-arch=('i686' 'x86_64' 'mips64el')
+arch=('i686' 'x86_64')
 url="http://www.archlinux.org/pacman/"
 license=('GPL')
 groups=('base' 'base-devel')
 depends=('bash' 'glibc' 'libarchive>=3.1.2' 'curl>=7.39.0'
 'gpgme' 'pacman-mirrorlist' 'archlinux-keyring'
- 'parabola-keyring' 'ca-certificates-cacert')
+ 'parabola-keyring' 'ca-certificates-cacert' 'cronie')
 makedepends=('asciidoc') # roundup patch alters docs
 checkdepends=('python2' 'fakechroot')
 provides=("$pkgname-contrib")
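Review bot: The new `'cronie'` entry in depends carries no explanation, and nothing in this hunk or in the rest of the visible PKGBUILD shows what pacman itself needs a cron daemon for; presumably it serves the `refresh-$pkgname-keys` file listed in source, but where that file gets installed is outside the shown hunks. A hard dependency drags a daemon into every system that installs the 'base' group, so say why in place, following the style already used on the makedepends line: `'parabola-keyring' 'ca-certificates-cacert' 'cronie') # cronie: runs refresh-pacman-keys`. If the key refresh is optional for users, an optdepends entry would express that more precisely.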
@@ -25,16 +25,17 @@ conflicts=("$pkgname-contrib" "$pkgname-parabola" 'cacert-dot-org')
 replaces=("$pkgname-contrib" "$pkgname-parabola" 'cacert-dot-org')
 backup=('etc/pacman.conf' 'etc/makepkg.conf')
 options=('strip' 'debug')
-source=("ftp://ftp.archlinux.org/other/$pkgname/$pkgname-$pkgver.tar.gz"{,.sig}
- "$pkgname.conf."{i686,x86_64,mips64el}
- "makepkg.conf"
- "refresh-$pkgname-keys"
- "makepkg-pkgrel-4.patch")
+source=(https://sources.archlinux.org/other/pacman/$pkgname-$pkgver.tar.gz{,.sig}
+ ensure-matching-database-and-package-version.patch
+ $pkgname.conf.{i686,x86_64}
+ makepkg.conf
+ refresh-$pkgname-keys
+ makepkg-pkgrel-4.patch)
 md5sums=('2a596fc8f723e99660c0869a74afcf47'
 'SKIP'
+ 'e8f72afe6f417d11bd36ada042744fe4'
 '9c1454e48b2216b23f931e04d6dab1ee'
 '7279d086428df483fd60c33f7c88cf3e'
- 'a12b1a4533c170aecc8b9b8561048248'
 'ce525a9af50f1d9b824806d2e5a4f0c8'
 '093f0779ac55ae781ba028ad74b95f84'
 '0ee98dc38ff80ba127772f5104e18e46')
@@ -42,7 +43,9 @@ validpgpkeys=('6645B0A8C7005E78DB1D7864F99FFE0FEAE999BD') # Allan McRae
+Date: Sat, 18 Jul 2015 17:58:23 +0200
+Subject: [PATCH] ensure matching database and package version
+
+While loading each package ensure that the internal version matches the
+expected database version to avoid the possibility to circumvent the
+version check.
+This issue can be used by an attacker to trick the software into
+installing an older version. The behavior can be exploited by a
+man-in-the-middle attack through specially crafted database tarball
+containing a higher version, yet actually delivering an older and
+vulnerable version, which was previously shipped.
+
+Signed-off-by: Levente Polyak
+Signed-off-by: Remi Gacogne
+Signed-off-by: Allan McRae
+---
+ lib/libalpm/sync.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/lib/libalpm/sync.c b/lib/libalpm/sync.c
+index 888ae15..e843b07 100644
+--- a/lib/libalpm/sync.c
++++ b/lib/libalpm/sync.c
+@@ -1212,6 +1212,7 @@ static int load_packages(alpm_handle_t *handle, alpm_list_t **data,
+ EVENT(handle, &event);
+ 
+ for(i = handle->trans->add; i; i = i->next, current++) {
++ int error = 0;
+ alpm_pkg_t *spkg = i->data;
+ char *filepath;
+ int percent = (int)(((double)current_bytes / total_bytes) * 100);
+@@ -1232,6 +1233,23 @@ static int load_packages(alpm_handle_t *handle, alpm_list_t **data,
+ spkg->name);
+ alpm_pkg_t *pkgfile =_alpm_pkg_load_internal(handle, filepath, 1);
+ if(!pkgfile) {
++ _alpm_log(handle, ALPM_LOG_DEBUG, "failed to load pkgfile internal\n");
++ error = 1;
++ } else {
++ if(strcmp(spkg->name, pkgfile->name) != 0) {
++ _alpm_log(handle, ALPM_LOG_DEBUG,
++ "internal package name mismatch, expected: '%s', actual: '%s'\n",
++ spkg->name, pkgfile->name);
++ error = 1;
++ }
++ if(strcmp(spkg->version, pkgfile->version) != 0) {
++ _alpm_log(handle, ALPM_LOG_DEBUG,
++ "internal package version mismatch, expected: '%s', actual: '%s'\n",
++ spkg->version, pkgfile->version);
++
error = 1;
++ }
++ }
++ if(error != 0) {
+ errors++;
+ *data = alpm_list_add(*data, strdup(spkg->filename));
+ free(filepath);
+--
+2.4.6
+
diff --git a/libre/pacman/pacman.conf.mips64el b/libre/pacman/pacman.conf.mips64el
deleted file mode 100644
index 136924c96..000000000
--- a/libre/pacman/pacman.conf.mips64el
+++ /dev/null
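Review bot: A name or version mismatch between the sync-database entry and the loaded package file is recorded only at ALPM_LOG_DEBUG in the two `_alpm_log` calls added in the `else` branch, even though the patch description identifies exactly this condition as the mark of a crafted database delivering an older package; in a normal run neither the administrator nor log-based monitoring will see it. Raise those two calls to a level that reaches the default log, `_alpm_log(handle, ALPM_LOG_ERROR,` in place of `_alpm_log(handle, ALPM_LOG_DEBUG,`, and leave the plain load failure at debug as it is. In the same branch `pkgfile` was loaded successfully, yet the `error != 0` path visible here frees only `filepath`; unless the continuation of `load_packages` (outside this hunk, as is the function's start) releases it, the package struct leaks on every rejected file, so add `_alpm_pkg_free(pkgfile);` next to `free(filepath);` for the mismatch cases. The embedded sync.c hunk is a quoted upstream patch, so the fix belongs in that patch file rather than in the PKGBUILD.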
@@ -1,113 +0,0 @@ -# -# /etc/pacman.conf -# -# See the pacman.conf(5) manpage for option and repository directives - -# -# GENERAL OPTIONS -# -[options] -# The following paths are commented out with their default values listed. -# If you wish to use different paths, uncomment and update the paths. -#RootDir = / -#DBPath = /var/lib/pacman/ -#CacheDir = /var/cache/pacman/pkg/ -#LogFile = /var/log/pacman.log -#GPGDir = /etc/pacman.d/gnupg/ -HoldPkg = pacman glibc -#XferCommand = /usr/bin/curl -C - -f %u > %o -#XferCommand = /usr/bin/wget --passive-ftp -c -O %o %u -#CleanMethod = KeepInstalled -#UseDelta = 0.7 -Architecture = mips64el - -# Pacman won't upgrade packages listed in IgnorePkg and members of IgnoreGroup -#IgnorePkg = -#IgnoreGroup = - -#NoUpgrade = -#NoExtract = - -# Misc options -#UseSyslog -#Color -#TotalDownload -CheckSpace -#VerbosePkgLists - -# By default, pacman accepts packages signed by keys that its local keyring -# trusts (see pacman-key and its man page), as well as unsigned packages. -SigLevel = Required DatabaseOptional -LocalFileSigLevel = Optional -#RemoteFileSigLevel = Required - -# NOTE: You must run `pacman-key --init` before first using pacman; the local -# keyring can then be populated with the keys of all Arch/Parabola packagers -# with `pacman-key --populate archlinux` and `pacman-key --populate parabola`. 
- -# -# REPOSITORIES -# - can be defined here or included from another file -# - pacman will search repositories in the order defined here -# - local/custom mirrors can be added here or in separate files -# - repositories listed first will take precedence when packages -# have identical names, regardless of version number -# - URLs will have $repo replaced by the name of the current repo -# - URLs will have $arch replaced by the name of the architecture -# -# Repository entries are of the format: -# [repo-name] -# Server = ServerName -# Include = IncludePath -# -# The header [repo-name] is crucial - it must be present and -# uncommented to enable the repo. -# - -# The testing repositories are disabled by default. To enable, uncomment the -# repo name header and Include lines. You can add preferred servers immediately -# after the header, and they will be used before the default mirrors. - -# NOTE: Nonprism is a particular repository that aims to provide software built -# and patched without services under global data surveillance programs like PRISM, -# XKeyscore and Tempora. For more info see: https://wiki.parabola.nu/Nonprism - -#[nonprism] -#Include = /etc/pacman.d/mirrorlist - -#[nonprism-testing] -#Include = /etc/pacman.d/mirrorlist - -#[libre-testing] -#Include = /etc/pacman.d/mirrorlist - -[libre] -Include = /etc/pacman.d/mirrorlist - -#[testing] -#Include = /etc/pacman.d/mirrorlist - -[core] -Include = /etc/pacman.d/mirrorlist - -[extra] -Include = /etc/pacman.d/mirrorlist - -#[community-testing] -#Include = /etc/pacman.d/mirrorlist - -[community] -Include = /etc/pacman.d/mirrorlist - -# Parabola also supports community projects and personal repositories, to find -# them check out this wiki page: https://wiki.parabola.nu/Repositories - -# Parabola community repo -#[pcr] -#Include = /etc/pacman.d/mirrorlist - -# An example of a custom package repository. See the pacman manpage for -# tips on creating your own repositories. 
-#[custom] -#SigLevel = Optional TrustAll -#Server = file:///home/custompkgs -- cgit v1.2.3