artoo/pacman
1
0
Fork 0
forked from mirrors/pacman
Code Pull Requests Activity

Compare commits

base: artoo:v5.1.2
Branches Tags
artoo:master artoo:allan/release artoo:morganamilo/audit artoo:allan/privsep artoo:morganamilo/exec artoo:release/6.0.x artoo:morganamilo/free-trans artoo:morganamilo/universal-transactions artoo:allan/pkgdiff artoo:andrew/pformat artoo:morganamilo/master artoo:allan/alternatives artoo:morganamilo/nullctarget artoo:morganamilo/pactrans artoo:morganamilo/nolockdownload artoo:morganamilo/file-iter artoo:morganamilo/queue artoo:morganamilo/nodownload artoo:morganamilo/qbackup artoo:morganamilo/notes artoo:release/5.2.x artoo:release/5.1.x artoo:release/5.0.x artoo:maint artoo:import-tars
artoo:v6.1.0 artoo:v6.0.2 artoo:v6.0.1 artoo:v6.0.0 artoo:v6.0.0alpha1 artoo:v5.2.2 artoo:v5.2.1 artoo:v5.2.0 artoo:last-deltapkgs-commit artoo:v5.1.3 artoo:v5.1.2 artoo:v3.0.0-rc2 artoo:v3.0.0-rc1 artoo:v3.0.0 artoo:v5.1.1 artoo:v5.1.0 artoo:v5.0.2 artoo:v5.0.1 artoo:v5.0.0 artoo:v4.2.1 artoo:v4.2.0 artoo:v4.1.2 artoo:v4.1.1 artoo:v4.1.0 artoo:v4.1.0rc1 artoo:v4.0.3 artoo:v4.0.2 artoo:v4.0.1 artoo:v4.0.0 artoo:v4.0.0rc2 artoo:v4.0.0rc1 artoo:v3.5.4 artoo:v3.5.3 artoo:v3.5.2 artoo:v3.5.1 artoo:v3.5.0 artoo:v3.4.3 artoo:v3.4.2 artoo:v3.4.1 artoo:v3.4.0 artoo:v3.3.3 artoo:v3.3.2 artoo:v3.3.1 artoo:v3.3.0 artoo:v3.2.2 artoo:v3.2.1 artoo:v3.2.0 artoo:v3.1.4 artoo:v3.1.3 artoo:v3.1.2 artoo:v3.1.1 artoo:v3.1.0 artoo:v3.0.6 artoo:v3.0.5 artoo:v3.0.4 artoo:v3.0.3 artoo:v3.0.2 artoo:v3.0.1 mirrors:v7.1.0 mirrors:v7.0.0 mirrors:v6.1.0 mirrors:v6.0.2 mirrors:v6.0.1 mirrors:v6.0.0 mirrors:v6.0.0alpha1 mirrors:v5.2.2 mirrors:v5.2.1 mirrors:v5.2.0 mirrors:v5.1.3 mirrors:v5.1.2 mirrors:v3.0.0-rc2 mirrors:v3.0.0-rc1 mirrors:v3.0.0 mirrors:v5.1.1 mirrors:v5.1.0 mirrors:v5.0.2 mirrors:v5.0.1 mirrors:v5.0.0 mirrors:v4.2.1 mirrors:v4.2.0 mirrors:v4.1.2 mirrors:v4.1.1 mirrors:v4.1.0 mirrors:v4.1.0rc1 mirrors:v4.0.3 mirrors:v4.0.2 mirrors:v4.0.1 mirrors:v4.0.0 mirrors:v4.0.0rc2 mirrors:v4.0.0rc1 mirrors:v3.5.4 mirrors:v3.5.3 mirrors:v3.5.2 mirrors:v3.5.1 mirrors:v3.5.0 mirrors:v3.4.3 mirrors:v3.4.2 mirrors:v3.4.1 mirrors:v3.4.0 mirrors:v3.3.3 mirrors:v3.3.2 mirrors:v3.3.1 mirrors:v3.3.0 mirrors:v3.2.2 mirrors:v3.2.1 mirrors:v3.2.0 mirrors:v3.1.4 mirrors:v3.1.3 mirrors:v3.1.2 mirrors:v3.1.1 mirrors:v3.1.0 mirrors:v3.0.6 mirrors:v3.0.5 mirrors:v3.0.4 mirrors:v3.0.3 mirrors:v3.0.2 mirrors:v3.0.1 mirrors:last-deltapkgs-commit
...
compare: artoo:v5.1.3
Branches Tags
artoo:master artoo:allan/release artoo:morganamilo/audit artoo:allan/privsep artoo:morganamilo/exec artoo:release/6.0.x artoo:morganamilo/free-trans artoo:morganamilo/universal-transactions artoo:allan/pkgdiff artoo:andrew/pformat artoo:morganamilo/master artoo:allan/alternatives artoo:morganamilo/nullctarget artoo:morganamilo/pactrans artoo:morganamilo/nolockdownload artoo:morganamilo/file-iter artoo:morganamilo/queue artoo:morganamilo/nodownload artoo:morganamilo/qbackup artoo:morganamilo/notes artoo:release/5.2.x artoo:release/5.1.x artoo:release/5.0.x artoo:maint artoo:import-tars mirrors:master mirrors:allan/splitpkg2 mirrors:allan/hooks mirrors:release/7.1.x mirrors:release/7.0.x mirrors:morganamilo/universal-transactions mirrors:morganamilo/trans_idle mirrors:morganamilo/untrusted-keys mirrors:andrew/preremove mirrors:morganamilo/fix-download mirrors:morganamilo/fixsync mirrors:release/6.1.x mirrors:morganamilo/partialup mirrors:morganamilo/debugspace mirrors:andrew/nolock mirrors:morganamilo/audit mirrors:morganamilo/exec mirrors:release/6.0.x mirrors:morganamilo/free-trans mirrors:allan/pkgdiff mirrors:andrew/pformat mirrors:morganamilo/master mirrors:allan/alternatives mirrors:morganamilo/nullctarget mirrors:morganamilo/pactrans mirrors:morganamilo/nolockdownload mirrors:morganamilo/file-iter mirrors:morganamilo/queue mirrors:morganamilo/nodownload mirrors:morganamilo/qbackup mirrors:morganamilo/notes mirrors:release/5.2.x mirrors:release/5.1.x mirrors:andrew/test/makepkg mirrors:release/5.0.x mirrors:maint mirrors:import-tars
artoo:v6.1.0 artoo:v6.0.2 artoo:v6.0.1 artoo:v6.0.0 artoo:v6.0.0alpha1 artoo:v5.2.2 artoo:v5.2.1 artoo:v5.2.0 artoo:last-deltapkgs-commit artoo:v5.1.3 artoo:v5.1.2 artoo:v3.0.0-rc2 artoo:v3.0.0-rc1 artoo:v3.0.0 artoo:v5.1.1 artoo:v5.1.0 artoo:v5.0.2 artoo:v5.0.1 artoo:v5.0.0 artoo:v4.2.1 artoo:v4.2.0 artoo:v4.1.2 artoo:v4.1.1 artoo:v4.1.0 artoo:v4.1.0rc1 artoo:v4.0.3 artoo:v4.0.2 artoo:v4.0.1 artoo:v4.0.0 artoo:v4.0.0rc2 artoo:v4.0.0rc1 artoo:v3.5.4 artoo:v3.5.3 artoo:v3.5.2 artoo:v3.5.1 artoo:v3.5.0 artoo:v3.4.3 artoo:v3.4.2 artoo:v3.4.1 artoo:v3.4.0 artoo:v3.3.3 artoo:v3.3.2 artoo:v3.3.1 artoo:v3.3.0 artoo:v3.2.2 artoo:v3.2.1 artoo:v3.2.0 artoo:v3.1.4 artoo:v3.1.3 artoo:v3.1.2 artoo:v3.1.1 artoo:v3.1.0 artoo:v3.0.6 artoo:v3.0.5 artoo:v3.0.4 artoo:v3.0.3 artoo:v3.0.2 artoo:v3.0.1 mirrors:v7.1.0 mirrors:v7.0.0 mirrors:v6.1.0 mirrors:v6.0.2 mirrors:v6.0.1 mirrors:v6.0.0 mirrors:v6.0.0alpha1 mirrors:v5.2.2 mirrors:v5.2.1 mirrors:v5.2.0 mirrors:v5.1.3 mirrors:v5.1.2 mirrors:v3.0.0-rc2 mirrors:v3.0.0-rc1 mirrors:v3.0.0 mirrors:v5.1.1 mirrors:v5.1.0 mirrors:v5.0.2 mirrors:v5.0.1 mirrors:v5.0.0 mirrors:v4.2.1 mirrors:v4.2.0 mirrors:v4.1.2 mirrors:v4.1.1 mirrors:v4.1.0 mirrors:v4.1.0rc1 mirrors:v4.0.3 mirrors:v4.0.2 mirrors:v4.0.1 mirrors:v4.0.0 mirrors:v4.0.0rc2 mirrors:v4.0.0rc1 mirrors:v3.5.4 mirrors:v3.5.3 mirrors:v3.5.2 mirrors:v3.5.1 mirrors:v3.5.0 mirrors:v3.4.3 mirrors:v3.4.2 mirrors:v3.4.1 mirrors:v3.4.0 mirrors:v3.3.3 mirrors:v3.3.2 mirrors:v3.3.1 mirrors:v3.3.0 mirrors:v3.2.2 mirrors:v3.2.1 mirrors:v3.2.0 mirrors:v3.1.4 mirrors:v3.1.3 mirrors:v3.1.2 mirrors:v3.1.1 mirrors:v3.1.0 mirrors:v3.0.6 mirrors:v3.0.5 mirrors:v3.0.4 mirrors:v3.0.3 mirrors:v3.0.2 mirrors:v3.0.1 mirrors:last-deltapkgs-commit

2 Commits
v5.1.2 ... v5.1.3

Author SHA1 Message Date
Allan McRae
1bf7672343 Release v5.1.3 
Signed-off-by: Allan McRae <allan@archlinux.org>
 2019-03-01 11:28:53 +10:00
Andrew Gregory
9702703633 Sanitize file name received from Content-Disposition header 
When installing a remote package with "pacman -U <url>", pacman renames
the downloaded package file to match the name given in the
Content-Disposition header. However, pacman does not sanitize this name,
which may contain slashes, before calling rename(). A malicious server (or
a network MitM if downloading over HTTP) can send a content-disposition
header to make pacman place the file anywhere in the filesystem,
potentially leading to arbitrary root code execution. Notably, this
bypasses pacman's package signature checking.

For example, a malicious package-hosting server (or a network
man-in-the-middle, if downloading over HTTP) could serve the following
header:

Content-Disposition: filename=../../../../../../usr/share/libalpm/hooks/evil.hook

and pacman would move the downloaded file to
/usr/share/libalpm/hooks/evil.hook. This invocation of "pacman -U" would
later fail, unable to find the downloaded package in the cache directory,
but the hook file would remain in place. The commands in the malicious
hook would then be run (as root) the next time any package is installed.

Discovered-by: Adam Suhl <asuhl@mit.edu>
Signed-off-by: Allan McRae <allan@archlinux.org>
(cherry picked from commit d197d8ab82)
 2019-03-01 11:25:46 +10:00
3 changed files with 6 additions and 3 deletions
Expand all files Collapse all files

2
NEWS
View File

@@ -1,5 +1,7 @@
VERSION DESCRIPTION
-----------------------------------------------------------------------------
5.1.3 - Sanitize file path received from Content-Disposition header
to fix potential arbitary code execution
5.1.2 - pacman-conf: add missing DisableDownloadTimeout support
- Include version when checking optdepend install status
during -Qi (FS#60106)

4
configure.ac
View File

@@ -42,12 +42,12 @@ AC_PREREQ(2.64)
# pacman_version_micro += 1
m4_define([lib_current], [11])
m4_define([lib_revision], [2])
m4_define([lib_revision], [3])
m4_define([lib_age], [0])
m4_define([pacman_version_major], [5])
m4_define([pacman_version_minor], [1])
m4_define([pacman_version_micro], [2])
m4_define([pacman_version_micro], [3])
m4_define([pacman_version],
[pacman_version_major.pacman_version_minor.pacman_version_micro])

3
lib/libalpm/dload.c
View File

@@ -534,7 +534,8 @@ static int curl_download_internal(struct dload_payload *payload,
if(payload->content_disp_name) {
/* content-disposition header has a better name for our file */
free(payload->destfile_name);
payload->destfile_name = get_fullpath(localpath, payload->content_disp_name, "");
payload->destfile_name = get_fullpath(localpath,
get_filename(payload->content_disp_name), "");
} else {
const char *effective_filename = strrchr(effective_url, '/');
if(effective_filename && strlen(effective_filename) > 2) {