oss-sec mailing list archives
Re: Pacman package manager - taking untrusted input
From: "jellicent () protonmail com" <jellicent () protonmail com>
Date: Tue, 21 Apr 2020 17:41:42 +0000
On Tuesday, April 21, 2020 5:21 PM, Amin Vakil <info () aminvakil com> wrote:
> Although this is something that can be fixed, it's not a critical security issue at all. In all scenarios that have been written, if the database is compromised, the best (worst) thing that a malicious actor can do is stop the user from installing packages, because he can't create a verified GPG-signed package, which is mandatory for pacman to allow installation of the package.
This is incorrect. An attacker need only find a bug in how Pacman does parsing/reading of the database file to potentially get code execution on the box as root. See Pacman's CVE history for at least one example of this. The problem happens before any package signatures come into play.