Historical bug tracker for the Pacman package manager.
The pacman bug tracker has moved to gitlab:
https://gitlab.archlinux.org/pacman/pacman/-/issues
This tracker remains open for interaction with historical bugs during the transition period. Any new bugs reports will be closed without further action.
FS#45687 - [pacman] does not check version of downloaded package.
Attached to Project:
Pacman
Opened by Gleb Fotengauer-Malinovskiy (glebfm) - Friday, 17 July 2015, 15:31 GMT
Last edited by Allan McRae (Allan) - Friday, 24 July 2015, 12:12 GMT
Details
Description:
pacman trusts the version in the database, and doesn't check it before installing a package. Since the database is not signed[1], a MitM can alter the database in many ways.

Steps to reproduce: the database in /tmp is edited manually.

[root@hopper tmp]# grep ^Server /etc/pacman.d/mirrorlist
Server = http://mirror.yandex.ru/archlinux/$repo/os/$arch
[root@hopper tmp]# rm /var/lib/pacman/sync/*.db*
[root@hopper tmp]# pacman -Syu
:: Synchronizing package databases...
 core        121.6 KiB  1204K/s 00:00 [####################################################] 100%
 extra      1741.6 KiB  1964K/s 00:01 [####################################################] 100%
 community     2.7 MiB  2.13M/s 00:01 [####################################################] 100%
:: Starting full system upgrade...
resolving dependencies...
looking for conflicting packages...

Packages (1) file-5.24-1

Total Installed Size:  3.85 MiB
Net Upgrade Size:      0.00 MiB

:: Proceed with installation? [Y/n] y
(1/1) checking keys in keyring       [####################################################] 100%
(1/1) checking package integrity     [####################################################] 100%
(1/1) loading package files          [####################################################] 100%
(1/1) checking for file conflicts    [####################################################] 100%
(1/1) upgrading file                 [####################################################] 100%
[root@hopper tmp]# pacman -Q file
file 5.24-1    # good new file
[root@hopper tmp]# vim /etc/pacman.d/mirrorlist
[root@hopper tmp]# grep ^Server /etc/pacman.d/mirrorlist
Server = file:///tmp/$repo/os/$arch
[root@hopper tmp]# pacman -Syu
:: Synchronizing package databases...
 core        118.3 KiB  0.00B/s 00:00 [####################################################] 100%
 extra is up to date
 community is up to date
:: Starting full system upgrade...
resolving dependencies...
looking for conflicting packages...

Packages (1) file-5.24-2

Total Installed Size:  3.85 MiB
Net Upgrade Size:      0.00 MiB

:: Proceed with installation? [Y/n] y
(1/1) checking keys in keyring       [####################################################] 100%
(1/1) checking package integrity     [####################################################] 100%
(1/1) loading package files          [####################################################] 100%
(1/1) checking for file conflicts    [####################################################] 100%
(1/1) downgrading file               [####################################################] 100%
[root@hopper tmp]# pacman -Q file
file 5.23-2    # previous version of file
[root@hopper tmp]# gpg --verify /tmp/core/os/x86_64/file-5.24-2-x86_64.pkg.tar.xz.sig /tmp/core/os/x86_64/file-5.24-2-x86_64.pkg.tar.xz
gpg: Signature made Thu Jun 18 01:18:45 2015 UTC using RSA key ID 387A1EEE
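The check this report asks for, as an added example that is not pacman's own code: read pkgname and pkgver from the .PKGINFO inside the downloaded archive (the part that the package signature actually covers) and refuse to install when they disagree with what the unsigned sync database claimed. The .PKGINFO "key = value" layout is assumed from makepkg output; the sample archive and its contents are constructed here, not taken from the report.

```python
import io
import tarfile

# Constructed sample .PKGINFO, as written by makepkg into the package archive
# (assumed "key = value" format). This is the genuinely signed file-5.23-2.
SAMPLE_PKGINFO = """# Generated by makepkg (constructed sample)
pkgname = file
pkgver = 5.23-2
pkgdesc = File type identification utility
arch = x86_64
"""


def parse_pkginfo(text):
    """Parse .PKGINFO 'key = value' lines into a dict; comments and blanks are skipped."""
    info = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            info[key.strip()] = value.strip()
    return info


def build_package(pkginfo_text):
    """Construct an in-memory .pkg.tar archive holding only a .PKGINFO member (test fixture)."""
    buf = io.BytesIO()
    data = pkginfo_text.encode()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        member = tarfile.TarInfo(".PKGINFO")
        member.size = len(data)
        tar.addfile(member, io.BytesIO(data))
    return buf.getvalue()


def check_package_matches_db(pkg_bytes, expected_name, expected_version):
    """Return (ok, reason). ok only when the archive's own metadata agrees with the
    name/version the sync database advertised, so a substituted (older, but validly
    signed) package is rejected before it is installed."""
    with tarfile.open(fileobj=io.BytesIO(pkg_bytes), mode="r") as tar:
        try:
            pkginfo = tar.extractfile(".PKGINFO")
        except KeyError:
            return False, "archive has no .PKGINFO"
        info = parse_pkginfo(pkginfo.read().decode())
    if info.get("pkgname") != expected_name:
        return False, f"pkgname mismatch: db={expected_name} pkg={info.get('pkgname')}"
    if info.get("pkgver") != expected_version:
        return False, f"pkgver mismatch: db={expected_version} pkg={info.get('pkgver')}"
    return True, "ok"
```

With the report's scenario (database advertises file-5.24-2, archive is really file-5.23-2) the check returns a pkgver mismatch; gpg alone cannot catch this because the older package carries a valid signature.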
Closed by Allan McRae (Allan)
Friday, 24 July 2015, 12:12 GMT
Reason for closing: Fixed
Additional comments about closing: git commit deac9731884a
fixed in pacman-4.2.1-2