1 files changed, 60 insertions, 0 deletions

diff --git a/libre/pacman/ensure-matching-database-and-package-version.patch b/libre/pacman/ensure-matching-database-and-package-version.patch
new file mode 100644
index 000000000..4d9170f8b
--- /dev/null
+++ b/libre/pacman/ensure-matching-database-and-package-version.patch
@@ -0,0 +1,60 @@
+From deac9731884a83ad91eab9f27b288f406f56c87b Mon Sep 17 00:00:00 2001
+From: Levente Polyak <anthraxx@archlinux.org>
+Date: Sat, 18 Jul 2015 17:58:23 +0200
+Subject: [PATCH] ensure matching database and package version
+
+While loading each package ensure that the internal version matches the
+expected database version to avoid the possibility to circumvent the
+version check.
+This issue can be used by an attacker to trick the software into
+installing an older version. The behavior can be  exploited by a
+man-in-the-middle attack through specially crafted  database tarball
+containing a higher version, yet actually delivering an  older and
+vulnerable version, which was previously shipped.
+
+Signed-off-by: Levente Polyak <anthraxx@archlinux.org>
+Signed-off-by: Remi Gacogne <rgacogne@archlinux.org>
+Signed-off-by: Allan McRae <allan@archlinux.org>
+---
+ lib/libalpm/sync.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/lib/libalpm/sync.c b/lib/libalpm/sync.c
+index 888ae15..e843b07 100644
+--- a/lib/libalpm/sync.c
++++ b/lib/libalpm/sync.c
+@@ -1212,6 +1212,7 @@ static int load_packages(alpm_handle_t *handle, alpm_list_t **data,
+ 	EVENT(handle, &event);
+ 
+ 	for(i = handle->trans->add; i; i = i->next, current++) {
++		int error = 0;
+ 		alpm_pkg_t *spkg = i->data;
+ 		char *filepath;
+ 		int percent = (int)(((double)current_bytes / total_bytes) * 100);
+@@ -1232,6 +1233,23 @@ static int load_packages(alpm_handle_t *handle, alpm_list_t **data,
+ 				spkg->name);
+ 		alpm_pkg_t *pkgfile =_alpm_pkg_load_internal(handle, filepath, 1);
+ 		if(!pkgfile) {
++			_alpm_log(handle, ALPM_LOG_DEBUG, "failed to load pkgfile internal\n");
++			error = 1;
++		} else {
++			if(strcmp(spkg->name, pkgfile->name) != 0) {
++				_alpm_log(handle, ALPM_LOG_DEBUG,
++						"internal package name mismatch, expected: '%s', actual: '%s'\n",
++						spkg->name, pkgfile->name);
++				error = 1;
++			}
++			if(strcmp(spkg->version, pkgfile->version) != 0) {
++				_alpm_log(handle, ALPM_LOG_DEBUG,
++						"internal package version mismatch, expected: '%s', actual: '%s'\n",
++						spkg->version, pkgfile->version);
++				error = 1;
++			}
++		}
++		if(error != 0) {
+ 			errors++;
+ 			*data = alpm_list_add(*data, strdup(spkg->filename));
+ 			free(filepath);
+-- 
+2.4.6
+