author:    Eli Schwartz <eschwartz@archlinux.org>  2017-09-13 05:57:32 +0200
committer: Allan McRae <allan@archlinux.org>  2017-09-13 06:20:35 +0200
commit:    39319c1860d200a9b4a3cc2c6975e3cece502f2d
tree:      cf683fb6978a2921aab35b6f663d48a7775009a6 /scripts
parent:    64b7edd2fed122e63abd42dbe392a6f2896a0c16
libmakepkg: check for invalid tags in git
As per https://lists.archlinux.org/pipermail/arch-general/2017-July/043876.html git doesn't check that the tag name matches what an annotated tag object *thinks* it should be called. This is a bit of a theoretical attack and some would argue that we should always use commits since upstream can legitimately change a tag, but nevertheless this can result in a downgrade attack if the git download transport was manipulated or the upstream repository hacked.

So, check the tag blob to make sure the tag actually matches the name we used for `git checkout`.

This really should be fixed in git itself, rather than forcing all downstream users of git verify-tag to implement their own checks, but the git developers disagree, see the discussion surrounding https://public-inbox.org/git/xmqqk2hzldx8.fsf@gitster.mtv.corp.google.com/

Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
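To make the mismatch concrete, here is an added Python example (not part of pacman or of this commit) that performs the same comparison directly on a parsed annotated-tag object instead of going through `git tag -l --format='%(tag)'`; it also fails closed when the object has no `tag` header. The tag object, object id and ref names below are constructed samples.

```python
from typing import Dict, Optional


def parse_tag_object(raw: bytes) -> Dict[str, str]:
    """Parse the header block of a git annotated-tag object.

    The header is a run of 'key value' lines ended by a blank line; the
    tag message that follows is not needed for the name check.
    """
    headers: Dict[str, str] = {}
    header_block, _, _message = raw.partition(b"\n\n")
    for line in header_block.split(b"\n"):
        if not line:
            continue
        key, sep, value = line.partition(b" ")
        if not sep:
            raise ValueError(f"malformed tag header line: {line!r}")
        headers.setdefault(key.decode(), value.decode())  # keep first occurrence
    return headers


def tag_name_matches(ref: str, tag_object: Optional[bytes]) -> bool:
    """Return True when the ref name agrees with the object it points at.

    tag_object is None for a lightweight tag: the ref points straight at a
    commit, so there is no embedded name to compare and the ref is accepted,
    mirroring the '-n $tagname' guard in the libmakepkg patch.  An annotated
    tag whose 'tag' header is missing or differs from `ref` is rejected.
    """
    if tag_object is None:
        return True
    embedded = parse_tag_object(tag_object).get("tag")
    if embedded is None:
        return False  # fail closed on a malformed tag object
    return embedded == ref


# Constructed sample: an annotated tag object as `git cat-file -p` prints it.
V1_TAG_OBJECT = (
    b"object 1111111111111111111111111111111111111111\n"  # placeholder commit id
    b"type commit\n"
    b"tag v1.0\n"
    b"tagger Example Dev <dev@example.invalid> 1500000000 +0000\n"
    b"\n"
    b"release v1.0\n"
)

if __name__ == "__main__":
    # The honest case: refs/tags/v1.0 really points at the v1.0 tag object.
    print("v1.0 ->", tag_name_matches("v1.0", V1_TAG_OBJECT))
    # The downgrade case from the commit message: refs/tags/v2.0 was made to
    # point at the (validly signed) v1.0 tag object, so the names disagree.
    print("v2.0 ->", tag_name_matches("v2.0", V1_TAG_OBJECT))
```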
Diffstat (limited to 'scripts')
-rw-r--r-- scripts/libmakepkg/source/git.sh.in  11
1 files changed, 10 insertions, 1 deletions
diff --git a/scripts/libmakepkg/source/git.sh.in b/scripts/libmakepkg/source/git.sh.in
index 6d7e0a67..252cd4da 100644
--- a/scripts/libmakepkg/source/git.sh.in
+++ b/scripts/libmakepkg/source/git.sh.in
@@ -65,7 +65,7 @@ download_git() {
}
extract_git() {
- local netfile=$1
+ local netfile=$1 tagname
local fragment=$(get_uri_fragment "$netfile")
local repo=$(get_filename "$netfile")
@@ -110,6 +110,15 @@ extract_git() {
esac
fi
+ if [[ ${fragment%%=*} = tag ]]; then
+ tagname="$(git tag -l --format='%(tag)' "$ref")"
+ if [[ -n $tagname && $tagname != $ref ]]; then
+ error "$(gettext "Failure while checking out version %s, the git tag has been forged")" "$ref"
+ plain "$(gettext "Aborting...")"
+ exit 1
+ fi
+ fi
+
if [[ $ref != "origin/HEAD" ]] || (( updating )) ; then
if ! git checkout --force --no-track -B makepkg $ref; then
error "$(gettext "Failure while creating working copy of %s %s repo")" "${repo}" "git"
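Review bot: In `[[ -n $tagname && $tagname != $ref ]]` the unquoted `$ref` on the right-hand side of `!=` is treated by bash as a glob pattern, not a literal string, so the comparison should read `$tagname != "$ref"`; git refuses `*`, `?` and `[` in ref names, which makes this a hardening point rather than a live bypass, but the quoted form is the safe idiom (the same applies to the pattern argument of `git tag -l "$ref"`). A short comment on the `-n $tagname` guard would also help future readers: `%(tag)` is empty for lightweight tags and non-tag refs, so those deliberately skip the check because there is no tag object carrying a name to compare.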