[arch-security] [ASA-201507-23] pacman: silent downgrade

Levente Polyak anthraxx at archlinux.org
Wed Jul 29 01:52:25 UTC 2015


Arch Linux Security Advisory ASA-201507-23
==========================================

Severity: High
Date    : 2015-07-29
CVE-ID  : None
Package : pacman
Type    : silent downgrade
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package pacman before version 4.2.1-2 is vulnerable to silent
downgrade via a man-in-the-middle attack.

Resolution
==========

Upgrade to 4.2.1-2.

# pacman -Syu "pacman>=4.2.1-2"

The problem has been fixed upstream but no release is available yet.

Workaround
==========

None.

Description
===========

A flaw has been discovered in pacman that is leading to possible silent
package downgrade when exploited. While loading each package it was not
ensured that the internal version matches the expected database version,
leading to the possibility to circumvent the version check. This issue
can be used by an attacker to trick the software into installing an
older version. This behavior can be exploited by a man-in-the-middle
attack through specially crafted database tarball containing a higher
version, yet actually delivering an older and vulnerable version, which
was previously shipped.

Impact
======

A remote attacker able to perform a man-in-the-middle attack is able to
make use of a specially crafted database tarball to silently install an
older and vulnerable version of a previously shipped package.

References
==========

https://lists.archlinux.org/pipermail/pacman-dev/2015-July/020238.html
https://bugs.archlinux.org/task/45687

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20150729/5864cfb6/attachment.asc>


More information about the arch-security mailing list