• Andrew Gregory's avatar
    Sanitize file name received from Content-Disposition header · d197d8ab
    Andrew Gregory authored and Allan McRae's avatar Allan McRae committed
    When installing a remote package with "pacman -U <url>", pacman renames
    the downloaded package file to match the name given in the
    Content-Disposition header. However, pacman does not sanitize this name,
    which may contain slashes, before calling rename(). A malicious server (or
    a network MitM if downloading over HTTP) can send a content-disposition
    header to make pacman place the file anywhere in the filesystem,
    potentially leading to arbitrary root code execution. Notably, this
    bypasses pacman's package signature checking.
    For example, a malicious package-hosting server (or a network
    man-in-the-middle, if downloading over HTTP) could serve the following
    Content-Disposition: filename=../../../../../../usr/share/libalpm/hooks/evil.hook
    and pacman would move the downloaded file to
    /usr/share/libalpm/hooks/evil.hook. This invocation of "pacman -U" would
    later fail, unable to find the downloaded package in the cache directory,
    but the hook file would remain in place. The commands in the malicious
    hook would then be run (as root) the next time any package is installed.
    Discovered-by: default avatarAdam Suhl <asuhl@mit.edu>
    Signed-off-by: default avatarAllan McRae <allan@archlinux.org>