[pacman-dev] [GIT] The official pacman repository branch, master, updated. v5.1.1-140-gd197d8ab

Allan McRae allan at archlinux.org
Fri Mar 1 01:40:23 UTC 2019

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "The official pacman repository".

The branch, master has been updated
       via  d197d8ab82cf10650487518fb968067897a12775 (commit)
      from  adb961a88e6644d5edb16cfcb5dbd1f02e4a1781 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit d197d8ab82cf10650487518fb968067897a12775
Author: Andrew Gregory <andrew.gregory.8 at gmail.com>
Date:   Fri Mar 1 11:23:20 2019 +1000

    Sanitize file name received from Content-Disposition header
    When installing a remote package with "pacman -U <url>", pacman renames
    the downloaded package file to match the name given in the
    Content-Disposition header. However, pacman does not sanitize this name,
    which may contain slashes, before calling rename(). A malicious server (or
    a network MitM if downloading over HTTP) can send a content-disposition
    header to make pacman place the file anywhere in the filesystem,
    potentially leading to arbitrary root code execution. Notably, this
    bypasses pacman's package signature checking.
    For example, a malicious package-hosting server (or a network
    man-in-the-middle, if downloading over HTTP) could serve the following
    Content-Disposition: filename=../../../../../../usr/share/libalpm/hooks/evil.hook
    and pacman would move the downloaded file to
    /usr/share/libalpm/hooks/evil.hook. This invocation of "pacman -U" would
    later fail, unable to find the downloaded package in the cache directory,
    but the hook file would remain in place. The commands in the malicious
    hook would then be run (as root) the next time any package is installed.
    Discovered-by: Adam Suhl <asuhl at mit.edu>
    Signed-off-by: Allan McRae <allan at archlinux.org>


Summary of changes:
 lib/libalpm/dload.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

The official pacman repository

More information about the pacman-dev mailing list