FS#73703 - Content injection in PGP import

Attached to Project: Pacman
Opened by Allan McRae (Allan) - Thursday, 10 February 2022, 01:21 GMT
Last edited by Allan McRae (Allan) - Tuesday, 08 March 2022, 00:03 GMT
Task Type Bug Report
Category Backend/Core
Status Closed
Assigned To Allan McRae (Allan)
Architecture All
Severity Critical
Priority Normal
Reported Version 6.0.1
Due in Version 6.0.2
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

With escape sequences in the packager field of .PKGINFO one can trick a user into importing a key with a fingerprint that does not match the one asked for

e.g. packager = foo bar <>^[[2K^[[0G:: Import PGP key DEADBEEF, "foo <bar>

This seems to be fairly trivial content injection in the pacman callback
function. There is some validation for emails before WKD lookups, but no
validation of the .PKGINFO which is read before signature verification.

On Arch this shouldn't be an issue since we rely on master key holders and
injecting malicious keys would just not validate. But I'm unsure if other pacman
distros have other trust models?
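As an added illustration of the mitigation side of this report (this is not pacman's code and not the fix in the referenced commit), the C below shows two defensive checks a package manager could apply to the packager field before it reaches a terminal prompt or a WKD lookup: refuse or neutralise bytes that a terminal would interpret as control sequences (here ESC[2K erases the line and ESC[0G returns the cursor to column 0, which is what lets injected text overwrite the prompt), and only accept an email address made of a conservative character set. The function names are hypothetical, and the injected packager string is constructed from the example in the report.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample, modelled on the report: an ESC-sequence payload hidden
 * in the packager field that would redraw the import prompt. */
static const char *INJECTED_PACKAGER =
    "foo bar <>\x1b[2K\x1b[0G:: Import PGP key DEADBEEF, \"foo <bar>";

/* Return 1 if s contains any byte a terminal may treat as a control or
 * escape character (C0 range below 0x20, or DEL 0x7f), else 0. */
int contains_control_chars(const char *s) {
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (c < 0x20 || c == 0x7f)
            return 1;
    }
    return 0;
}

/* Return a newly allocated copy of s with every control byte replaced by '?'.
 * Replacing (rather than deleting) keeps the tampering visible to the user.
 * Caller frees the result. */
char *sanitize_for_terminal(const char *s) {
    size_t n = strlen(s);
    char *out = malloc(n + 1);
    if (!out)
        return NULL;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        out[i] = (c < 0x20 || c == 0x7f) ? '?' : (char)c;
    }
    out[n] = '\0';
    return out;
}

/* Helper for checks: sanitize `in` and compare with `expected`. */
int sanitized_equals(const char *in, const char *expected) {
    char *s = sanitize_for_terminal(in);
    int eq = s && strcmp(s, expected) == 0;
    free(s);
    return eq;
}

/* Extract the address between '<' and '>' of "Name <user@host>" into buf.
 * Returns 0 on success, -1 if the field is missing, malformed, or contains a
 * character outside [A-Za-z0-9._+-@] with exactly one '@' and non-empty
 * local part and domain. Rejecting early means no escape byte can reach a
 * WKD lookup or the prompt text. */
int extract_packager_email(const char *packager, char *buf, size_t buflen) {
    const char *start = strchr(packager, '<');
    const char *end = start ? strchr(start, '>') : NULL;
    if (!start || !end || end <= start + 1)
        return -1;
    size_t len = (size_t)(end - start - 1);
    if (len + 1 > buflen)
        return -1;
    int at_count = 0;
    for (const char *p = start + 1; p < end; p++) {
        unsigned char c = (unsigned char)*p;
        if (c == '@') {
            /* '@' must not be first or last, and must occur exactly once */
            if (p == start + 1 || p == end - 1)
                return -1;
            at_count++;
            continue;
        }
        if (!(isalnum(c) || strchr("._+-", (int)c)))
            return -1;
    }
    if (at_count != 1)
        return -1;
    memcpy(buf, start + 1, len);
    buf[len] = '\0';
    return 0;
}

/* Helper for checks: does `packager` yield exactly `expected`? */
int packager_email_is(const char *packager, const char *expected) {
    char buf[128];
    return extract_packager_email(packager, buf, sizeof buf) == 0 &&
           strcmp(buf, expected) == 0;
}

int main(void) {
    char *safe = sanitize_for_terminal(INJECTED_PACKAGER);
    printf("control bytes present: %d\n", contains_control_chars(INJECTED_PACKAGER));
    printf("sanitized packager: %s\n", safe ? safe : "(alloc failed)");
    free(safe);
    char buf[128];
    printf("email extraction rc: %d\n",
           extract_packager_email(INJECTED_PACKAGER, buf, sizeof buf));
    return 0;
}
```

Printing the sanitized form rather than silently dropping the bytes is a deliberate choice: the user sees "?[2K?[0G" in the prompt, which is itself a signal that the package metadata has been tampered with.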

Closed by Allan McRae (Allan)
Tuesday, 08 March 2022, 00:03 GMT
Reason for closing: Fixed
Additional comments about closing: git commit 632eb9739d23181996cc3f4fb069b81eb0e998c7
Comment by Allan McRae (Allan) - Sunday, 06 March 2022, 11:19 GMT
Looking into this. There are two places we read "packager" from. The repo database for pacman -S, or the package itself for pacman -U.

The repo-database should be fine - we have verified that before reading (assuming your distro signs its repo databases...).

For pacman -U, we need to get the email address from the packager field in .PKGINFO. To be safe, we probably should not do a WKD lookup for pacman -U cases, thus bypassing this issue.
Comment by Allan McRae (Allan) - Sunday, 06 March 2022, 11:27 GMT