FS#45687 - [pacman] does not check version of downloaded package.
Attached to Project:
Pacman
Opened by Gleb Fotengauer-Malinovskiy (glebfm) - Friday, 17 July 2015, 15:31 GMT
Last edited by Allan McRae (Allan) - Friday, 24 July 2015, 12:12 GMT
Details
Description:
pacman trusts the version in the database, and doesn't check it before installing the package. Since the database is not signed[1], a MitM can alter the database in many ways.

Steps to reproduce: the database in /tmp is edited manually.

[root@hopper tmp]# grep ^Server /etc/pacman.d/mirrorlist
Server = http://mirror.yandex.ru/archlinux/$repo/os/$arch
[root@hopper tmp]# rm /var/lib/pacman/sync/*.db*
[root@hopper tmp]# pacman -Syu
:: Synchronizing package databases...
 core                     121.6 KiB  1204K/s 00:00 [####################################################] 100%
 extra                   1741.6 KiB  1964K/s 00:01 [####################################################] 100%
 community                  2.7 MiB  2.13M/s 00:01 [####################################################] 100%
:: Starting full system upgrade...
resolving dependencies...
looking for conflicting packages...

Packages (1) file-5.24-1

Total Installed Size:  3.85 MiB
Net Upgrade Size:      0.00 MiB

:: Proceed with installation? [Y/n] y
(1/1) checking keys in keyring                     [####################################################] 100%
(1/1) checking package integrity                   [####################################################] 100%
(1/1) loading package files                        [####################################################] 100%
(1/1) checking for file conflicts                  [####################################################] 100%
(1/1) upgrading file                               [####################################################] 100%
[root@hopper tmp]# pacman -Q file
file 5.24-1    # good new file
[root@hopper tmp]# vim /etc/pacman.d/mirrorlist
[root@hopper tmp]# grep ^Server /etc/pacman.d/mirrorlist
Server = file:///tmp/$repo/os/$arch
[root@hopper tmp]# pacman -Syu
:: Synchronizing package databases...
 core                     118.3 KiB  0.00B/s 00:00 [####################################################] 100%
 extra is up to date
 community is up to date
:: Starting full system upgrade...
resolving dependencies...
looking for conflicting packages...

Packages (1) file-5.24-2

Total Installed Size:  3.85 MiB
Net Upgrade Size:      0.00 MiB

:: Proceed with installation? [Y/n] y
(1/1) checking keys in keyring                     [####################################################] 100%
(1/1) checking package integrity                   [####################################################] 100%
(1/1) loading package files                        [####################################################] 100%
(1/1) checking for file conflicts                  [####################################################] 100%
(1/1) downgrading file                             [####################################################] 100%
[root@hopper tmp]# pacman -Q file
file 5.23-2    # previous version of file
[root@hopper tmp]# gpg --verify /tmp/core/os/x86_64/file-5.24-2-x86_64.pkg.tar.xz.sig /tmp/core/os/x86_64/file-5.24-2-x86_64.pkg.tar.xz
gpg: Signature made Thu Jun 18 01:18:45 2015 UTC using RSA key ID 387A1EEE
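The reproduction above works because the signature on the renamed package is genuine (it was made over the real 5.23-2 archive, and the filename is not part of what is signed), so signature checking passes and only a comparison between the database entry and the package's own metadata would catch the swap. The following is an added illustration of that comparison; it is not pacman's code and not the fix referenced at closing. It constructs a sync-database "desc" entry and minimal package archives in memory (gzip tarballs carrying only a .PKGINFO, where real packages are xz/zstd and carry files and a .MTREE), then refuses any package whose .PKGINFO name, version or arch disagrees with the database entry that led to its download:

```python
import io
import tarfile

# Constructed sample sync-database entry in the desc format pacman's sync
# databases use, as an attacker-controlled mirror might serve it: it
# advertises file 5.24-2 and points at a filename named accordingly.
DB_DESC = """%NAME%
file

%VERSION%
5.24-2

%ARCH%
x86_64

%FILENAME%
file-5.24-2-x86_64.pkg.tar.xz
"""


def parse_desc(text):
    """Parse a desc entry into {'NAME': ['file'], 'VERSION': ['5.24-2'], ...}.
    Values are lists because some fields (e.g. %DEPENDS%) are multi-line."""
    fields, key = {}, None
    for line in text.splitlines():
        if line.startswith("%") and line.endswith("%"):
            key = line.strip("%")
            fields[key] = []
        elif line and key is not None:
            fields[key].append(line)
    return fields


def build_package(pkgname, pkgver, arch="x86_64"):
    """Build a constructed stand-in package archive: a tarball whose .PKGINFO
    carries the name and version the package itself claims."""
    pkginfo = f"pkgname = {pkgname}\npkgver = {pkgver}\narch = {arch}\n".encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo(".PKGINFO")
        info.size = len(pkginfo)
        tar.addfile(info, io.BytesIO(pkginfo))
    return buf.getvalue()


def read_pkginfo(pkg_bytes):
    """Read the 'key = value' lines of the archive's .PKGINFO."""
    fields = {}
    with tarfile.open(fileobj=io.BytesIO(pkg_bytes), mode="r:*") as tar:
        for line in tar.extractfile(".PKGINFO").read().decode().splitlines():
            if "=" in line and not line.startswith("#"):
                key, value = line.split("=", 1)
                fields[key.strip()] = value.strip()
    return fields


def check_package_against_db(desc_text, pkg_bytes):
    """Return (ok, reason). ok is True only if the downloaded package's own
    .PKGINFO agrees with the database entry on name, version and arch.
    Signature verification is a separate step and deliberately not modelled:
    a renamed but genuinely signed old package passes it unchanged."""
    db = parse_desc(desc_text)
    pkg = read_pkginfo(pkg_bytes)
    for db_key, pkg_key in (("NAME", "pkgname"), ("VERSION", "pkgver"), ("ARCH", "arch")):
        expected = db[db_key][0]
        actual = pkg.get(pkg_key)
        if actual != expected:
            return False, f"{pkg_key} mismatch: database says {expected!r}, package says {actual!r}"
    return True, "package matches database entry"


if __name__ == "__main__":
    genuine = build_package("file", "5.24-2")
    # The attack from the report: a signed 5.23-2 archive served under the
    # filename the forged database advertises for 5.24-2.
    renamed_old = build_package("file", "5.23-2")
    print(check_package_against_db(DB_DESC, genuine))
    print(check_package_against_db(DB_DESC, renamed_old))
```

With this check in place the renamed 5.23-2 archive is rejected with a pkgver mismatch before any "downgrading file" step, regardless of what the unsigned database claims; comparing against the database entry (rather than only the filename) matters because the filename is the one thing the attacker chose freely.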
Closed by Allan McRae (Allan)
Friday, 24 July 2015, 12:12 GMT
Reason for closing: Fixed
Additional comments about closing: git commit deac9731884a
fixed in pacman-4.2.1-2