FS#73703 - Content injection in PGP import
Attached to Project:
Pacman
Opened by Allan McRae (Allan) - Thursday, 10 February 2022, 01:21 GMT
Last edited by Allan McRae (Allan) - Tuesday, 08 March 2022, 00:03 GMT
Details
With escape sequences in the packager field of .PKGINFO one can trick a user into importing a key with a fingerprint that does not match the one asked for.

e.g. packager = foo bar <>^[[2K^[[0G:: Import PGP key DEADBEEF, "foo <bar>

This seems to be fairly trivial content injection in the pacman callback function. There is some validation for emails before WKD lookups, but no validation of the .PKGINFO, which is read before signature verification.

On Arch this shouldn't be an issue since we rely on master key holders and injecting malicious keys would just not validate. But I'm unsure if other pacman distros have other trust models?
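The report above hinges on untrusted bytes from .PKGINFO reaching the terminal unfiltered. The following is an added illustration, not pacman's code and not the fix referenced in this task: a hypothetical helper that detects ASCII control bytes in a string and rewrites them into a visible form before the string is interpolated into a prompt. The sample packager value is constructed to mirror the report (ESC [2K erases the line, ESC [0G returns the cursor to column 0), so the raw value would overwrite the prompt while the sanitized value prints harmlessly.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not pacman's own code): return 1 if `in` contains any
 * C0 control byte (0x00-0x1f) or DEL (0x7f), which a terminal may interpret
 * as an escape sequence; return 0 otherwise. */
int contains_control_chars(const char *in)
{
    for (const unsigned char *s = (const unsigned char *)in; *s; s++) {
        if (*s < 0x20 || *s == 0x7f)
            return 1;
    }
    return 0;
}

/* Hypothetical helper: copy `in` into a newly malloc'd buffer, replacing
 * ESC (0x1b) with the two characters "\e" and every other control byte
 * with "\xNN", so the result can be printed without the terminal acting on
 * it. Bytes >= 0x80 (UTF-8 continuation and lead bytes) pass through
 * unchanged. Caller frees the result. */
char *sanitize_for_terminal(const char *in)
{
    size_t len = strlen(in);
    /* worst case: every input byte expands to 4 output characters */
    char *out = malloc(len * 4 + 1);
    if (!out)
        return NULL;

    char *p = out;
    for (const unsigned char *s = (const unsigned char *)in; *s; s++) {
        if (*s == 0x1b) {
            p += sprintf(p, "\\e");
        } else if (*s < 0x20 || *s == 0x7f) {
            p += sprintf(p, "\\x%02x", *s);
        } else {
            *p++ = (char)*s;
        }
    }
    *p = '\0';
    return out;
}

int main(void)
{
    /* Constructed sample modelled on the report: the attacker-chosen tail
     * is preceded by "erase line" and "cursor to column 0" sequences. */
    const char *packager =
        "foo bar <>\x1b[2K\x1b[0G:: Import PGP key DEADBEEF, \"foo <bar>";

    printf("raw value contains control bytes: %d\n",
           contains_control_chars(packager));

    char *safe = sanitize_for_terminal(packager);
    if (!safe)
        return 1;
    /* <real-fingerprint> is a placeholder for the fingerprint pacman would
     * actually be asking about; the sanitized packager can no longer
     * overwrite it. */
    printf(":: Import PGP key <real-fingerprint>, \"%s\"? [Y/n] \n", safe);
    free(safe);
    return 0;
}
```

Rejecting the value outright (the `contains_control_chars` path) is the simpler policy when the field is supposed to be a name and e-mail address; rewriting it is useful when the string must still be shown to the user for diagnosis. Note that this only covers single-byte C0 controls and DEL: the C1 control U+009B (CSI) encoded in UTF-8 as 0xC2 0x9B passes through, so a UTF-8 aware terminal would need an additional check on decoded code points.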
This task depends upon
Closed by Allan McRae (Allan)
Tuesday, 08 March 2022, 00:03 GMT
Reason for closing: Fixed
Additional comments about closing: git commit 632eb9739d23181996cc3f4fb069b81eb0e998c7
The repo-database should be fine - we have verified that before reading (assuming your distro signs its repo databases...).
For pacman -U, we need to get the email address from the packager field in .PKGINFO. To be safe, we probably should not do a WKD lookup for pacman -U cases, thus bypassing this issue.
https://lists.archlinux.org/pipermail/pacman-dev/2022-March/025541.html