Commit | Line | Data |
---|---|---|
3888e4cd FD |
1 | From deac9731884a83ad91eab9f27b288f406f56c87b Mon Sep 17 00:00:00 2001 |
2 | From: Levente Polyak <anthraxx@archlinux.org> | |
3 | Date: Sat, 18 Jul 2015 17:58:23 +0200 | |
4 | Subject: [PATCH] ensure matching database and package version | |
5 | ||
6 | While loading each package ensure that the internal version matches the | |
7 | expected database version to avoid the possibility to circumvent the | |
8 | version check. | |
9 | This issue can be used by an attacker to trick the software into | |
10 | installing an older version. The behavior can be exploited by a | |
11 | man-in-the-middle attack through specially crafted database tarball | |
12 | containing a higher version, yet actually delivering an older and | |
13 | vulnerable version, which was previously shipped. | |
14 | ||
15 | Signed-off-by: Levente Polyak <anthraxx@archlinux.org> | |
16 | Signed-off-by: Remi Gacogne <rgacogne@archlinux.org> | |
17 | Signed-off-by: Allan McRae <allan@archlinux.org> | |
18 | --- | |
19 | lib/libalpm/sync.c | 18 ++++++++++++++++++ | |
20 | 1 file changed, 18 insertions(+) | |
21 | ||
22 | diff --git a/lib/libalpm/sync.c b/lib/libalpm/sync.c | |
23 | index 888ae15..e843b07 100644 | |
24 | --- a/lib/libalpm/sync.c | |
25 | +++ b/lib/libalpm/sync.c | |
26 | @@ -1212,6 +1212,7 @@ static int load_packages(alpm_handle_t *handle, alpm_list_t **data, | |
27 | EVENT(handle, &event); | |
28 | ||
29 | for(i = handle->trans->add; i; i = i->next, current++) { | |
30 | + int error = 0; | |
31 | alpm_pkg_t *spkg = i->data; | |
32 | char *filepath; | |
33 | int percent = (int)(((double)current_bytes / total_bytes) * 100); | |
34 | @@ -1232,6 +1233,23 @@ static int load_packages(alpm_handle_t *handle, alpm_list_t **data, | |
35 | spkg->name); | |
36 | alpm_pkg_t *pkgfile =_alpm_pkg_load_internal(handle, filepath, 1); | |
37 | if(!pkgfile) { | |
38 | + _alpm_log(handle, ALPM_LOG_DEBUG, "failed to load pkgfile internal\n"); | |
39 | + error = 1; | |
40 | + } else { | |
41 | + if(strcmp(spkg->name, pkgfile->name) != 0) { | |
42 | + _alpm_log(handle, ALPM_LOG_DEBUG, | |
43 | + "internal package name mismatch, expected: '%s', actual: '%s'\n", | |
44 | + spkg->name, pkgfile->name); | |
45 | + error = 1; | |
46 | + } | |
47 | + if(strcmp(spkg->version, pkgfile->version) != 0) { | |
48 | + _alpm_log(handle, ALPM_LOG_DEBUG, | |
49 | + "internal package version mismatch, expected: '%s', actual: '%s'\n", | |
50 | + spkg->version, pkgfile->version); | |
51 | + error = 1; | |
52 | + } | |
53 | + } | |
54 | + if(error != 0) { | |
55 | errors++; | |
56 | *data = alpm_list_add(*data, strdup(spkg->filename)); | |
57 | free(filepath); | |
58 | -- | |
59 | 2.4.6 | |
60 |