[pacman-dev] Security vuln. in makepkg?

OS Hazard oshazard at gmail.com
Fri Sep 4 23:22:13 UTC 2015


Greetings,

I've come across unexpected behavior in makepkg. One of several possible
outcomes of this quirk is the ability to create files outside of the build
environment. They are not included in the package, so the package manager
is unaware of them. Moreover, only the build process is affected;
installation is not a factor. In this manner, these untracked files can
propagate to directories with write access by the user. It's unclear if
this is a limitation of fakeroot or makepkg but I will continue to
investigate.

Here is a simple demonstration of this exploit.

==========
Makefile
==========
install:
	@wall creating ${HOME}/.bashrc-evil
	@touch ${HOME}/.bashrc-evil

==========
PKGBUILD
===========
pkgname=hello-world
pkgver=0.1
pkgrel=1
pkgdesc="Friendly package"
arch=('any')
source=('Makefile')
md5sums=(SKIP)

build() {
  cd "$srcdir"
  make
}

package() {
  cd "$srcdir"
  make DESTDIR="${pkgdir}" install
}

================
$ makepkg
==> Making package: hello-world 0.1-1 (Fri Sep  4 15:08:04 GMT 2015)
==> Checking runtime dependencies...
==> Checking buildtime dependencies...
==> Retrieving sources...
  -> Found Makefile
==> Validating source files with md5sums...
    Makefile ... Skipped
==> Extracting sources...
==> Removing existing $pkgdir/ directory...
==> Starting build()...


Broadcast message from hazard at archlinux (pts/4) (Fri Sep  4 15:08:04 2015):



creating /home/hazard/.bashrc-evil


==> Entering fakeroot environment...
==> Starting package()...
ERROR: ld.so: object 'libfakeroot.so' from LD_PRELOAD cannot be preloaded
(cannot open shared object file): ignored.


Broadcast message from hazard at archlinux (pts/4) (Fri Sep  4 15:08:05 2015):



creating /home/hazard/.bashrc-evil


==> Tidying install...
  -> Purging unwanted files...
  -> Compressing man and info pages...
  -> Stripping unneeded symbols from binaries and libraries...
==> Creating package "hello-world"...
  -> Generating .PKGINFO file...
  -> Generating .MTREE file...
  -> Compressing package...
==> Leaving fakeroot environment.
==> Finished making: hello-world 0.1-1 (Fri Sep  4 15:08:05 GMT 2015)

$ tar -tf hello-world-0.1-1-any.pkg.tar.xz
.PKGINFO
.MTREE

$ ls ~/.bashrc-evil
/home/hazard/.bashrc-evil

$ pacman -Qo ~/.bashrc-evil
error: No package owns /home/hazard/.bashrc-evil

==================

It should be noted that I only caught this because makepkg failed to build
a certain package due to a lack of write access to the home directory
(apacman AUR wrapper uses a restricted user to build).

There was that controversial change back in pacman 4.2 to prevent makepkg
running as root. I propose that makepkg should not run as the current user
either, but instead as a dedicated unprivileged user.

See here for more info: github.com/oshazard/apacman/issues/23

Sincerely,
hazard (Archlinux BBS and AUR)

P.S. apologies if this is a dupe, last message was rejected
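
Added example, not part of the original message or of pacman: a small shell check that runs a build command and then reports files created or modified outside the build directory, which is how a stray file like ~/.bashrc-evil above could be noticed. The function name find_build_escapes is hypothetical, and both directories are assumed to be absolute paths without a trailing slash or glob characters.

```shell
#!/bin/sh
# Added example: report files written outside the build directory while a
# build command runs. find_build_escapes is a hypothetical helper name.
#
# Usage: find_build_escapes WATCH_DIR BUILD_DIR CMD [ARGS...]
#   e.g. find_build_escapes "$HOME" "$PWD" makepkg
#
# Runs CMD inside BUILD_DIR, then prints every regular file under WATCH_DIR
# (BUILD_DIR itself excluded) whose mtime is newer than a marker file that
# was created just before the build started.
find_build_escapes() {
    watch_dir=$1
    build_dir=$2
    shift 2

    # The marker records the moment just before the build starts.
    marker=$(mktemp) || return 2

    # File timestamps can be coarse; wait so later writes compare as newer.
    sleep 1

    # Build output goes to stderr so that stdout carries only the report.
    ( cd "$build_dir" && "$@" ) >&2
    status=$?

    # Prune the build tree; everything else that changed is suspicious.
    # Files changed by unrelated processes during the build show up too,
    # so the report is a list to review, not a verdict.
    find "$watch_dir" -path "$build_dir" -prune -o \
        -type f -newer "$marker" -print

    rm -f "$marker"
    return "$status"
}

# Allow direct use as a script: ./check.sh WATCH_DIR BUILD_DIR CMD...
if [ "$#" -ge 3 ]; then
    find_build_escapes "$@"
fi
```

This only detects writes after the fact; it does not prevent them, so it complements rather than replaces building as a restricted user.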

