From 2fe36a51b419123ee94e7dc2128ea359f19699a9 Mon Sep 17 00:00:00 2001
From: Baptiste Daroussin
Date: Fri, 13 Oct 2023 22:39:09 +0200
Subject: [PATCH] audit: fix a race in the file timestamp

Before that the code was setting the timestamp of the file on the http server to the compressed file but never to the uncompressed one but to decide if a new version should be fetched pkg gets the mtime from the uncompressed file.

Reported by: dvl
---
 libpkg/pkg_audit.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/libpkg/pkg_audit.c b/libpkg/pkg_audit.c
index 18f39dc66..27ea914e3 100644
--- a/libpkg/pkg_audit.c
+++ b/libpkg/pkg_audit.c
@@ -201,6 +201,14 @@ pkg_audit_fetch(const char *src, const char *dest)
 	struct stat st;
 	struct pkg_audit_extract_cbdata cbdata;
 	int dfd = -1;
+	struct timeval tm[2] = {
+		{
+			.tv_usec = 0
+		},
+		{
+			.tv_usec = 0
+		}
+	};
 	if (src == NULL) {
 		src = pkg_object_string(pkg_config_get("VULNXML_SITE"));
@@ -254,9 +262,13 @@ pkg_audit_fetch(const char *src, const char *dest)
 	cbdata.fname = tmp;
 	cbdata.out = outfd;
 	cbdata.dest = dest;
+	fstat(fd, &st);
 	/* Call sandboxed */
 	retcode = pkg_emit_sandbox_call(pkg_audit_sandboxed_extract, fd, &cbdata);
+	tm[0].tv_sec = st.st_mtim.tv_sec;
+	tm[1].tv_sec = st.st_mtim.tv_sec;
+	futimes(outfd, tm);
 cleanup:
 	unlink(tmp);
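Review bot: The eight-line designated initializer for `tm` in the first hunk only spells out `.tv_usec = 0`, which an empty-initializer already guarantees for every member, so `struct timeval tm[2] = {0};` expresses the same thing in one line; a short comment such as `/* [0] = atime, [1] = mtime; both set to the fetched file's mtime below */` would also explain why two identical entries exist. The `tv_sec` fields are only filled in the second hunk from an `fstat(fd, &st)` whose return value is not checked; if that call fails and `st` was not populated earlier in the function, `futimes()` would stamp the uncompressed file with whatever `st.st_mtim` happens to hold, so guarding it with `if (fstat(fd, &st) == 0)` before assigning and calling `futimes()` would be safer, and `futimes()`'s own return is likewise ignored. The enclosing `pkg_audit_fetch()` starts before both hunks and continues past the second one.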