GitLab
Filipe Laíns / Pacman: pacman/lib/libalpm/sync.c
ensure matching database and package version · deac9731

Levente Polyak authored Jul 18, 2015 and Allan McRae committed Jul 20, 2015
While loading each package ensure that the internal version matches the
expected database version to avoid the possibility to circumvent the
version check.

This issue can be used by an attacker to trick the software into
installing an older version. The behavior can be exploited by a
man-in-the-middle attack through a specially crafted database tarball
containing a higher version, yet actually delivering an older and
vulnerable version, which was previously shipped.
    
Signed-off-by: Levente Polyak <anthraxx@archlinux.org>
Signed-off-by: Remi Gacogne <rgacogne@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
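The check the commit describes, written out as an added illustration (hypothetical helper code, not libalpm's own): the version embedded in the downloaded package's metadata must equal the version the sync database entry advertised, otherwise the package is rejected. The database entry, the `.PKGINFO` text and the package name are constructed samples.

```python
"""Reject a downloaded package whose embedded version differs from the
sync database entry it was selected from (hypothetical helper, not libalpm)."""


class PackageMismatch(Exception):
    """Raised when package metadata disagrees with the database entry."""


# Constructed sample: what the sync database advertised for the package.
DB_ENTRY = {"name": "examplepkg", "version": "2.0.0-1"}

# Constructed samples of the .PKGINFO text found inside a package tarball.
# PKGINFO_OLD models the substitution of a previously shipped, older build
# behind a database entry that advertises the newer version.
PKGINFO_OK = "pkgname = examplepkg\npkgver = 2.0.0-1\narch = x86_64\n"
PKGINFO_OLD = "pkgname = examplepkg\npkgver = 1.9.0-1\narch = x86_64\n"


def parse_pkginfo(text):
    """Parse 'key = value' lines into a dict; the first occurrence of a key wins."""
    info = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            info.setdefault(key.strip(), value.strip())
    return info


def verify_package(db_entry, pkginfo_text):
    """Return the parsed metadata if name and version match the database entry.

    Exact string equality is required: a package whose version is lower OR
    higher than the database version is rejected, since the database entry is
    the only statement of what the resolver decided to install."""
    info = parse_pkginfo(pkginfo_text)
    if info.get("pkgname") != db_entry["name"]:
        raise PackageMismatch(
            f"package name {info.get('pkgname')!r} != {db_entry['name']!r}")
    if info.get("pkgver") != db_entry["version"]:
        raise PackageMismatch(
            f"{db_entry['name']}: package version {info.get('pkgver')!r} "
            f"does not match database version {db_entry['version']!r}")
    return info


def is_consistent(db_entry, pkginfo_text):
    """Boolean wrapper around verify_package for callers that only need a verdict."""
    try:
        verify_package(db_entry, pkginfo_text)
        return True
    except PackageMismatch:
        return False
```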