authorbill-auger <mr.j.spam.me@gmail.com>2024-04-18 19:08:53 -0400
committerbill-auger <mr.j.spam.me@gmail.com>2024-04-18 23:00:25 -0400
commit0821998ee99212cfb7a118eb5e2d12976387f6a2 (patch)
treec42e741042337391b17fff8972ea59523948ebdc
parentc049cb42c8aa66a81c642a06fb854feaae739e28 (diff)
pacman: backport patch for broken `xfercommand` (arch MR#152)
-rw-r--r--libre/pacman/1001-arch-MR152.patch86
-rw-r--r--libre/pacman/PKGBUILD6
2 files changed, 90 insertions, 2 deletions
diff --git a/libre/pacman/1001-arch-MR152.patch b/libre/pacman/1001-arch-MR152.patch
new file mode 100644
index 000000000..bccfc4b55
--- /dev/null
+++ b/libre/pacman/1001-arch-MR152.patch
@@ -0,0 +1,86 @@
+From 9d99e9c77573560c4f833e7bf4974ac7bb588244 Mon Sep 17 00:00:00 2001
+From: Demi Obenour <demi@invisiblethingslab.com>
+Date: Sun, 17 Mar 2024 16:05:55 +0000
+Subject: [PATCH 1/2] Fetch signature and database from the same URL
+
+Previously, the for loops on lines 1035 and 1037 would advance to the
+next element in the server list, even if downloading the URL succeeded.
+If there are no more servers in the list, `s` would be NULL, causing
+a NULL pointer dereference on line 1046. If there were servers left
+in the list, the signature would be downloaded from a wrong URL.
+
+
+1. Fetching of database signatures is enabled.
+2. There is only one enabled remote repository URL, or fetching from
+ all but the last one fails and fetching from the last one succeeds.
+3. An XferCommand is used.
+
+Qubes OS Arch templates satisfy all of these conditions and trigger the bug.
+---
+ lib/libalpm/dload.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/lib/libalpm/dload.c b/lib/libalpm/dload.c
+index 106390a01..8f6b9e4ea 100644
+--- a/lib/libalpm/dload.c
++++ b/lib/libalpm/dload.c
+@@ -1032,13 +1032,18 @@ int _alpm_download(alpm_handle_t *handle,
+ }
+ }
+ } else {
+- for(s = payload->cache_servers; s && ret == -1; s = s->next) {
++ for(s = payload->cache_servers; s; s = s->next) {
+ ret = payload_download_fetchcb(payload, s->data, localpath);
++ if (ret != -1)
++ goto download_signature;
+ }
+- for(s = payload->servers; s && ret == -1; s = s->next) {
++ for(s = payload->servers; s; s = s->next) {
+ ret = payload_download_fetchcb(payload, s->data, localpath);
++ if (ret != -1)
++ goto download_signature;
+ }
+
++download_signature:
+ if (ret != -1 && payload->download_signature) {
+ /* Download signature if requested */
+ char *sig_fileurl;
+--
+GitLab
+
+
+From 43c9365cfe3bc95f0fb1227fd8a75fe420b2ab52 Mon Sep 17 00:00:00 2001
+From: Demi Obenour <demi@invisiblethingslab.com>
+Date: Mon, 18 Mar 2024 04:57:26 +0000
+Subject: [PATCH 2/2] Use braces around goto statements
+
+No functional change.
+---
+ lib/libalpm/dload.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/lib/libalpm/dload.c b/lib/libalpm/dload.c
+index 8f6b9e4ea..f2fa1a543 100644
+--- a/lib/libalpm/dload.c
++++ b/lib/libalpm/dload.c
+@@ -1034,13 +1034,15 @@ int _alpm_download(alpm_handle_t *handle,
+ } else {
+ for(s = payload->cache_servers; s; s = s->next) {
+ ret = payload_download_fetchcb(payload, s->data, localpath);
+- if (ret != -1)
++ if (ret != -1) {
+ goto download_signature;
++ }
+ }
+ for(s = payload->servers; s; s = s->next) {
+ ret = payload_download_fetchcb(payload, s->data, localpath);
+- if (ret != -1)
++ if (ret != -1) {
+ goto download_signature;
++ }
+ }
+
+ download_signature:
+--
+GitLab
+
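Review bot: The `download_signature:` label added in patch 1/2 is reachable two ways: by `goto`, with `s` pointing at the server that just succeeded, and by fall-through after both loops are exhausted, with `s` NULL. Only the `ret != -1` test in the `if` that follows keeps the fall-through case from using `s`. That relies on `ret` still being -1 when no server succeeded; its initialisation is outside the hunk, so this should be confirmed against the full `_alpm_download` body, which starts and ends outside the hunk. A one-line comment at the label would record the invariant, e.g. `/* s is the server that served the file; it is NULL only when ret == -1 */`, or the guard could state it directly with `if (ret != -1 && s && payload->download_signature) {`.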
diff --git a/libre/pacman/PKGBUILD b/libre/pacman/PKGBUILD
index 7405d8974..662737c80 100644
--- a/libre/pacman/PKGBUILD
+++ b/libre/pacman/PKGBUILD
@@ -33,7 +33,7 @@
pkgname=pacman
pkgver=6.1.0
pkgrel=3
-pkgrel+=.parabola1
+pkgrel+=.parabola2
pkgdesc="A library-based package manager with dependency support"
arch=('x86_64')
arch+=('armv7h' 'i686')
@@ -71,6 +71,7 @@ source=( ${source[*]/makepkg.conf/makepkg.conf.in}
source+=(dummy.conf
9001-makepkg-Treat-pkgrel-more-similarly-to-pkgver.patch
9002-pacman-key-updatedb.patch)
+source+=(1001-arch-MR152.patch) # parabola BR #3625
source_armv7h=(0001-Sychronize-filesystem.patch
0002-Revert-close-stdin-before-running-install-scripts.patch
0003-Revert-alpm_run_chroot-always-connect-parent2child-p.patch)
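Review bot: The new `source+=(1001-arch-MR152.patch)` entry only makes makepkg fetch and checksum the backport, and nothing in this commit touches `prepare()`. The diffstat's six changed PKGBUILD lines are fully accounted for by the pkgrel, source and sha256sums edits. If `prepare()` applies patches by explicit file name rather than by iterating over `source`, the fix would ship unapplied. That function is outside the hunks shown, so this needs confirming; if it is name-based, add a line such as `patch -Np1 -i "${srcdir}/1001-arch-MR152.patch"` there.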
@@ -90,9 +91,10 @@ sha256sums+=('82a696bc3254b3fa2ab2666d239445e1a431b5e7d0152690f4265b82112cc86f'
'8be3b33a28c74630b74d1997795424a1c0af82c26625a428ec139480fb1115a1' # pacman.conf.i686
'5be276a68f7ec1d0497e26afba205a9feb14308b6fddc6cae3b32a0b6e9f9bbf' # pacman.conf.x86_64
'd8d68a71904d3e8015bf4454e1f2ae083c7b70624c5bb4b04331ee450d4285eb') # makepkg.conf.in
-sha256sums+=('8fca32bf5ee85b67c93983d7e1c93734de5e715b3bb732f7e48b88da7844f94b'
+sha256sums+=('8fca32bf5ee85b67c93983d7e1c93734de5e715b3bb732f7e48b88da7844f94b' # dummy.conf
'9ccc7ef5bd27a68d8788f10c6e5b36495c5d9038d4eb160f9ea4dc9901b622d8'
'39e4db3eed5dc522baffb7f853a7dbb7b417cc7a718599d768297adfbe99e263')
+sha256sums+=('19f9500e685ad1472b430b428c76549d5ae5da958e0c5e6e155cdd477a39e357')
sha256sums_armv7h=('8d70fb5094f58aad98b601bbc42be354c2014b9fe734a1ee0b1e14bb041cc9cc'
'0e771370da68c855bfb4eaad4c2ae137883a474886a049b934dac2e775574cb9'
'2f586f72c34150330389854575a21be1d3ef3637c4f94bec2e948c2717a5aecb')
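Review bot: The added `sha256sums+=('19f9500e…')` line has no trailing comment naming its file, although this same hunk adds `# dummy.conf` to the neighbouring entry and the checksums just above it are labelled. Since `source` and `sha256sums` are matched purely by position, a label keeps the pairing auditable: `sha256sums+=('19f9500e685ad1472b430b428c76549d5ae5da958e0c5e6e155cdd477a39e357') # 1001-arch-MR152.patch`. The two checksums between `dummy.conf` and the new line are unlabelled too and could get their 9001/9002 patch names at the same time.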