Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <5b8fe86a-56e8-715a-1f0d-a4961e516fc2@aminvakil.com>
Date: Tue, 21 Apr 2020 21:51:56 +0430
From: Amin Vakil <info@...nvakil.com>
To: oss-security@...ts.openwall.com
Subject: Re: Pacman package manager - taking untrusted input

Although this is something that can be fixed, it's not a critical
security issue at all, in all scenarios that has been written if
database is compromised, the best (worst) thing that malicious actor can
do is stopping user from installing packages, because he can't create a
verified gpg signed package which is mandatory for pacman to allow
installation of the package.

On 4/21/20 8:57 PM, jellicent@...tonmail.com wrote:
> The Pacman package manager, used by Arch Linux and its 10+ derivatives,
> introduces a critical security flaw in its current state.
> 
> When downloading a package, Pacman checks two files: the database file
> and the package itself. According to their wiki[1], the package files
> are PGP-signed by the developers. The database, however, is not signed.
> This means that Pacman, running as root, is both downloading and parsing
> untrusted input from the Internet. Should there be any relevant bug in
> Pacman, this would lead to root code execution on every Arch/Arch-based
> machine using the package repositories.
> 
> Some scenarios in which this could happen:
> 
> * One or more of the mirrors (not run by Arch devs) is compromised and
>    the malicious database file is picked up by a small set of users or
>    project committers
> 
> * The main fan-out server (rsync.archlinux.org) is compromised and the
>    malicious database file is propagated to all mirrors worldwide
> 
> * A new mirror, run by a malicious actor, is submitted for approval to
>    be included in the official mirror list
> 
> * A man-in-the-middle attack is launched on any number of plain HTTP
>    mirrors, replacing the database file with a malicious one in transit
> 
> The code supports database signatures, so the real issue is the distro
> infrastructure.
> 
> [1] https://wiki.archlinux.org/index.php/Pacman/Package_signing
> 



Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.