oss-sec mailing list archives

Re: Pacman package manager - taking untrusted input


From: "jellicent () protonmail com" <jellicent () protonmail com>
Date: Tue, 21 Apr 2020 17:41:42 +0000

On Tuesday, April 21, 2020 5:21 PM, Amin Vakil <info () aminvakil com> wrote:
> Although this is something that can be fixed, it's not a critical
> security issue at all. In all scenarios that have been written, if the
> database is compromised, the best (worst) thing that a malicious actor can
> do is stop the user from installing packages, because he can't create a
> verified GPG-signed package, which is mandatory for pacman to allow
> installation of the package.

This is incorrect. An attacker need only find a bug in how Pacman does
parsing/reading of the database file to potentially get code execution
on the box as root. See Pacman's CVE history for at least one example
of this. The problem happens before any package signatures come into
play.
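The point in the reply above is that the sync database reaches a parser running as root before any signature is examined, so the parser itself is the attack surface. As an added illustration (example code written for this page, not pacman's own parser, and not a reconstruction of any of its CVEs), the program below parses a pacman-style "desc" record (%KEY% header, value lines, blank-line separator) with explicit bounds and delimiter checks, and rejects oversized, truncated and malformed records instead of trusting them. The fixed MAX_FIELD limit, the struct and function names, and the sample records are all constructed for the demo.

```c
/* Added illustration, not pacman's code: a bounds-checked parser for a
 * pacman-style "desc" record (%KEY% header, value lines, blank separator).
 * The sync database is attacker-influenced input that reaches a parser
 * like this as root before any package signature is examined, so every
 * length and delimiter must be checked rather than trusted. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define MAX_FIELD 32   /* hypothetical fixed limit chosen for the demo */

struct pkg_desc {
    char name[MAX_FIELD];
    char version[MAX_FIELD];
};

/* Copy n bytes into a fixed buffer; refuse oversized input instead of
 * overflowing (a bare strcpy/sprintf here is the classic parser bug). */
static int copy_field(char *dst, size_t dstlen, const char *src, size_t n)
{
    if (n >= dstlen)
        return -1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

static int key_is(const char *key, size_t klen, const char *want)
{
    return klen == strlen(want) && memcmp(key, want, klen) == 0;
}

/* Parse a NUL-terminated desc record. Returns 0 on success and -1 on
 * malformed, truncated, or oversized input; unknown keys are skipped. */
int parse_desc(const char *buf, struct pkg_desc *out)
{
    const char *p = buf;
    int seen_name = 0, seen_version = 0;

    memset(out, 0, sizeof *out);
    while (*p) {
        if (*p == '\n') {          /* blank separator between entries */
            p++;
            continue;
        }
        if (*p != '%')             /* every entry must start with %KEY% */
            return -1;
        const char *key = p + 1;
        const char *kend = strchr(key, '%');
        if (!kend || kend[1] != '\n')
            return -1;
        size_t klen = (size_t)(kend - key);
        int scalar = key_is(key, klen, "NAME") || key_is(key, klen, "VERSION");
        p = kend + 2;

        /* value lines run until a blank line or the end of the buffer */
        int nlines = 0;
        while (*p && *p != '\n') {
            const char *vend = strchr(p, '\n');
            if (!vend)             /* record cut off mid-value */
                return -1;
            size_t vlen = (size_t)(vend - p);
            if (scalar && nlines > 0)
                return -1;         /* NAME/VERSION carry exactly one line */
            if (key_is(key, klen, "NAME")) {
                if (copy_field(out->name, sizeof out->name, p, vlen))
                    return -1;
                seen_name = 1;
            } else if (key_is(key, klen, "VERSION")) {
                if (copy_field(out->version, sizeof out->version, p, vlen))
                    return -1;
                seen_version = 1;
            }
            nlines++;
            p = vend + 1;
        }
    }
    return (seen_name && seen_version) ? 0 : -1;
}

/* Parse and report whether the record yields the expected name/version. */
int desc_matches(const char *buf, const char *name, const char *version)
{
    struct pkg_desc d;
    if (parse_desc(buf, &d) != 0)
        return 0;
    return strcmp(d.name, name) == 0 && strcmp(d.version, version) == 0;
}

/* Constructed sample records for the demo (not taken from any real repo). */
const char *const GOOD_DESC =
    "%NAME%\nfoo\n\n%VERSION%\n1.0-1\n\n%DEPENDS%\nbar\nbaz\n";
const char *const OVERSIZED_DESC =
    "%NAME%\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n\n%VERSION%\n1.0-1\n";
const char *const TRUNCATED_DESC = "%NAME%\nfoo";

int main(void)
{
    struct pkg_desc d;
    printf("good: %d\n", parse_desc(GOOD_DESC, &d));            /* 0 */
    printf("oversized: %d\n", parse_desc(OVERSIZED_DESC, &d));  /* -1 */
    printf("truncated: %d\n", parse_desc(TRUNCATED_DESC, &d));  /* -1 */
    return 0;
}
```

The record format is simple, which is exactly why the interesting failures are in the boundaries: a value longer than the destination buffer, a record that ends without its newline, and a scalar field that unexpectedly spans several lines. Each of those is rejected here before any field is copied, and nothing in this flow depends on a signature having been checked first, because that check never sees the database's raw bytes.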

