| 1 | From deac9731884a83ad91eab9f27b288f406f56c87b Mon Sep 17 00:00:00 2001 |
| 2 | From: Levente Polyak <anthraxx@archlinux.org> |
| 3 | Date: Sat, 18 Jul 2015 17:58:23 +0200 |
| 4 | Subject: [PATCH] ensure matching database and package version |
| 5 | |
| 6 | While loading each package ensure that the internal version matches the |
| 7 | expected database version to avoid the possibility to circumvent the |
| 8 | version check. |
| 9 | This issue can be used by an attacker to trick the software into |
| 10 | installing an older version. The behavior can be exploited by a |
| 11 | man-in-the-middle attack through a specially crafted database tarball |
| 12 | that advertises a higher version while actually delivering an older, |
| 13 | vulnerable version that was previously shipped. |
| 14 | |
| 15 | Signed-off-by: Levente Polyak <anthraxx@archlinux.org> |
| 16 | Signed-off-by: Remi Gacogne <rgacogne@archlinux.org> |
| 17 | Signed-off-by: Allan McRae <allan@archlinux.org> |
| 18 | --- |
| 19 | lib/libalpm/sync.c | 18 ++++++++++++++++++ |
| 20 | 1 file changed, 18 insertions(+) |
| 21 | |
| 22 | diff --git a/lib/libalpm/sync.c b/lib/libalpm/sync.c |
| 23 | index 888ae15..e843b07 100644 |
| 24 | --- a/lib/libalpm/sync.c |
| 25 | +++ b/lib/libalpm/sync.c |
| 26 | @@ -1212,6 +1212,7 @@ static int load_packages(alpm_handle_t *handle, alpm_list_t **data, |
| 27 | EVENT(handle, &event); |
| 28 | |
| 29 | for(i = handle->trans->add; i; i = i->next, current++) { |
| 30 | + int error = 0; |
| 31 | alpm_pkg_t *spkg = i->data; |
| 32 | char *filepath; |
| 33 | int percent = (int)(((double)current_bytes / total_bytes) * 100); |
| 34 | @@ -1232,6 +1233,23 @@ static int load_packages(alpm_handle_t *handle, alpm_list_t **data, |
| 35 | spkg->name); |
| 36 | alpm_pkg_t *pkgfile =_alpm_pkg_load_internal(handle, filepath, 1); |
| 37 | if(!pkgfile) { |
| 38 | + _alpm_log(handle, ALPM_LOG_DEBUG, "failed to load pkgfile internal\n"); |
| 39 | + error = 1; |
| 40 | + } else { |
| 41 | + if(strcmp(spkg->name, pkgfile->name) != 0) { |
| 42 | + _alpm_log(handle, ALPM_LOG_DEBUG, |
| 43 | + "internal package name mismatch, expected: '%s', actual: '%s'\n", |
| 44 | + spkg->name, pkgfile->name); |
| 45 | + error = 1; |
| 46 | + } |
| 47 | + if(strcmp(spkg->version, pkgfile->version) != 0) { |
| 48 | + _alpm_log(handle, ALPM_LOG_DEBUG, |
| 49 | + "internal package version mismatch, expected: '%s', actual: '%s'\n", |
| 50 | + spkg->version, pkgfile->version); |
| 51 | + error = 1; |
| 52 | + } |
| 53 | + } |
| 54 | + if(error != 0) { |
| 55 | errors++; |
| 56 | *data = alpm_list_add(*data, strdup(spkg->filename)); |
| 57 | free(filepath); |
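Review bot: The name and version mismatch messages in the `else` branch are logged at `ALPM_LOG_DEBUG`, so a run without debug logging appears to record no reason for the rejection, even though this mismatch is the signal that the sync database and the delivered package disagree. Raising both `_alpm_log` calls to `ALPM_LOG_ERROR` (or at least `ALPM_LOG_WARNING`) would make a stale or tampered database visible to the user and to anyone reviewing logs afterwards. Separately, in the mismatch case `pkgfile` was loaded successfully, but the visible part of the `if(error != 0)` branch only frees `filepath`. Unless the code after the hunk releases it, add `_alpm_pkg_free(pkgfile);` there before leaving the iteration. Both `load_packages` and this error branch continue outside the hunk, so the leak is inferred from the lines shown.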
| 58 | -- |
| 59 | 2.4.6 |
| 60 | |