oss-sec mailing list archives

Re: Pacman package manager - taking untrusted input


From: Santiago Torres <torresariass () gmail com>
Date: Tue, 21 Apr 2020 12:52:28 -0400

On Tue, Apr 21, 2020 at 04:27:08PM +0000, jellicent () protonmail com wrote:
> The Pacman package manager, used by Arch Linux and its 10+ derivatives,
> introduces a critical security flaw in its current state.
> ... The database, however, is not signed.

Or

> The code supports database signatures, so the real issue is the distro
> infrastructure.

Pick one please.

[1] https://wiki.archlinux.org/index.php/Pacman/Package_signing
