oss-sec mailing list archives
Pacman package manager - taking untrusted input
From: "jellicent () protonmail com" <jellicent () protonmail com>
Date: Tue, 21 Apr 2020 16:27:08 +0000
The Pacman package manager, used by Arch Linux and its 10+ derivatives, introduces a critical security flaw in its current state. When downloading a package, Pacman checks two files: the database file and the package itself. According to their wiki[1], the package files are PGP-signed by the developers. The database, however, is not signed. This means that Pacman, running as root, is both downloading and parsing untrusted input from the Internet. Should there be any relevant bug in Pacman, this would lead to root code execution on every Arch/Arch-based machine using the package repositories.

Some scenarios in which this could happen:

* One or more of the mirrors (not run by Arch devs) is compromised and the malicious database file is picked up by a small set of users or project committers
* The main fan-out server (rsync.archlinux.org) is compromised and the malicious database file is propagated to all mirrors worldwide
* A new mirror, run by a malicious actor, is submitted for approval to be included in the official mirror list
* A man-in-the-middle attack is launched on any number of plain HTTP mirrors, replacing the database file with a malicious one in transit

The code supports database signatures, so the real issue is the distro infrastructure.

[1] https://wiki.archlinux.org/index.php/Pacman/Package_signing
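The post's point is that pacman's SigLevel machinery can already require database signatures, and that the exposure comes from the "DatabaseOptional" setting combined with plain-HTTP mirrors. The following is an added example, not code from the post or from pacman: it parses a pacman.conf-style text using the SigLevel token rules from pacman.conf(5) (Never/Optional/Required and TrustedOnly/TrustAll, optionally prefixed with Package or Database, with a repository's tokens merged over the [options] level), resolves Include'd mirrorlists from an in-memory table instead of the filesystem, and reports each repository whose effective database check is weaker than Required or whose servers are plain HTTP. The sample config, mirrorlist and hostnames are constructed; the compiled-in default used when [options] sets no SigLevel is an assumption.

```python
"""Audit effective pacman SigLevel and mirror transport per repository (added example)."""
import re

CHECK_LEVELS = ("Never", "Optional", "Required")
TRUST_LEVELS = ("TrustAll", "TrustedOnly")

# Assumed compiled-in default when [options] sets no SigLevel at all; the
# Arch-shipped pacman.conf sets "Required DatabaseOptional" explicitly.
DEFAULT_SIGLEVEL = {
    "package_check": "Optional", "package_trust": "TrustedOnly",
    "database_check": "Optional", "database_trust": "TrustedOnly",
}


def parse_siglevel(tokens, base):
    """Apply SigLevel tokens on top of an inherited level dict.

    A token may carry a 'Package' or 'Database' prefix to scope it; an
    unscoped token applies to both. Later tokens override earlier ones and
    aspects no token mentions keep the inherited value, which is how a
    repository's SigLevel merges over the one from [options].
    """
    level = dict(base)
    for tok in tokens:
        scopes = ("package", "database")
        for prefix in ("Package", "Database"):
            if tok.startswith(prefix):
                scopes, tok = (prefix.lower(),), tok[len(prefix):]
                break
        if tok in CHECK_LEVELS:
            aspect = "_check"
        elif tok in TRUST_LEVELS:
            aspect = "_trust"
        else:
            raise ValueError(f"unknown SigLevel token {tok!r}")
        for scope in scopes:
            level[scope + aspect] = tok
    return level


def iter_directives(text, files):
    """Yield comment-stripped, non-empty lines, expanding Include from `files`."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == "Include":
            # Resolved from the in-memory table rather than the filesystem.
            yield from iter_directives(files[value.strip()], files)
        else:
            yield line


def parse_conf(text, files):
    """Return (global SigLevel tokens, {repo: {"siglevel": [...], "servers": [...]}})."""
    options = {"siglevel": [], "servers": []}
    repos, section = {}, None
    for line in iter_directives(text, files):
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            name = header.group(1)
            section = options if name == "options" else repos.setdefault(
                name, {"siglevel": [], "servers": []})
            continue
        if section is None:
            raise ValueError(f"directive before any section: {line!r}")
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "SigLevel":
            section["siglevel"].extend(value.split())
        elif key == "Server":
            section["servers"].append(value)
    return options["siglevel"], repos


def audit(text, files):
    """Map each repository to a list of findings (an empty list means clean)."""
    global_tokens, repos = parse_conf(text, files)
    base = parse_siglevel(global_tokens, DEFAULT_SIGLEVEL)
    findings = {}
    for name, repo in repos.items():
        eff = parse_siglevel(repo["siglevel"], base)
        issues = []
        for kind in ("database", "package"):
            if eff[kind + "_check"] != "Required":
                issues.append(f"{kind} signatures not required ({eff[kind + '_check']})")
            if eff[kind + "_trust"] == "TrustAll":
                issues.append(f"{kind} signatures accepted from untrusted keys (TrustAll)")
        for url in repo["servers"]:
            if url.lower().startswith("http://"):
                issues.append(f"plain-HTTP mirror {url}")
        findings[name] = issues
    return findings


# Constructed inputs for this example; not a real Arch configuration.
SAMPLE_CONF = """
[options]
HoldPkg = pacman glibc
SigLevel = Required DatabaseOptional   # what the shipped pacman.conf sets

[core]
Include = /etc/pacman.d/mirrorlist

[extra]
SigLevel = DatabaseRequired            # only the database aspect changes
Include = /etc/pacman.d/mirrorlist

[custom]
SigLevel = Optional TrustAll
Server = http://mirror.example.org/$repo/os/$arch
"""
SAMPLE_FILES = {"/etc/pacman.d/mirrorlist": """
## constructed mirrorlist
Server = https://mirror.example.net/$repo/os/$arch
Server = http://mirror.example.org/$repo/os/$arch
"""}

if __name__ == "__main__":
    for repo, issues in audit(SAMPLE_CONF, SAMPLE_FILES).items():
        print(f"[{repo}]", *(issues or ["ok"]), sep="\n  ")
```

Run against a real /etc/pacman.conf by reading the file and passing a dict that maps each Include path to its contents. With the shipped "Required DatabaseOptional" the audit flags every repository's database check, which is exactly the gap the post describes; a repository-level "SigLevel = DatabaseRequired" clears that finding while leaving the package aspect inherited, and the plain-HTTP finding only goes away once the mirrorlist carries HTTPS entries.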
Current thread:
- Pacman package manager - taking untrusted input jellicent () protonmail com (Apr 21)
- Re: Pacman package manager - taking untrusted input Santiago Torres (Apr 21)
- Re: Pacman package manager - taking untrusted input Amin Vakil (Apr 21)
- Re: Pacman package manager - taking untrusted input jellicent () protonmail com (Apr 21)
- Re: Pacman package manager - taking untrusted input Simon McVittie (Apr 21)
- Re: Pacman package manager - taking untrusted input Jelle van der Waa (Apr 21)
- Re: Pacman package manager - taking untrusted input Morten Linderud (Apr 21)
- Re: Pacman package manager - taking untrusted input Eli Schwartz (Apr 22)