eopkg is a Solus package manager implemented in Python 3. In versions prior to 4.4.0, a malicious package could escape the directory set by `--destdir`. Exploitation requires installing a package from a malicious or compromised source. Files in such a package would not be installed under the path given by `--destdir` but in a different location on the host. The issue has been fixed in v4.4.0. Users who only install packages from the Solus repositories are not affected.
A critical vulnerability exists in the Solus package manager (eopkg) that allows a malicious package to escape the installation directory specified by `--destdir`. This flaw lets an attacker overwrite arbitrary files on the host, potentially leading to system compromise and data exfiltration.
Step 1, payload creation: An attacker crafts a malicious eopkg package. This package includes files whose paths are deliberately constructed to escape the `--destdir` setting; for example, a file entry might specify a path like `../../../etc/passwd`.
Step 2, package delivery: The attacker either hosts the malicious package on a compromised or malicious repository, or convinces a user to download and install the package from a trusted but compromised source.
Step 3, installation with `--destdir`: The victim, unaware of the malicious intent, uses eopkg with the `--destdir` option to install the compromised package. This option is intended to confine the installation to a specific directory.
Step 4, path traversal: During installation, eopkg processes the file entries within the package. Because of the vulnerability, the crafted paths are not properly sanitized or validated against the destination directory.
Step 5, file overwrite: Files with malicious paths are written to locations outside the intended `--destdir`, potentially overwriting critical system files (e.g., `/etc/passwd`, `/etc/shadow`) or installing malicious executables.
The vulnerability stems from how eopkg handles package installation paths when the `--destdir` option is used. The root cause is likely improper sanitization or validation of file paths taken from the package metadata or installation scripts; specifically, the code fails to prevent path traversal. A malicious package can include file entries with crafted paths (e.g., `../../../etc/passwd`) that, when processed by eopkg, bypass the intended destination directory and write files to arbitrary locations on the filesystem. This can lead to overwriting critical system files, injecting malicious code, or gaining unauthorized access.
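The defect class described in the steps and the root-cause paragraph above is easiest to see side by side with its fix. The following is an added illustration written for this page; it is not eopkg's code and does not claim to show where eopkg's actual bug was. `naive_install_path` reproduces the unsafe pattern (join the member path onto the destination and never verify containment); `safe_install_path` is one hardening a package installer can apply: refuse absolute member paths, refuse any remaining `..` component before touching the filesystem, then resolve both sides and require the result to stay under the destination. The destination directory `DESTDIR` and the member list `SAMPLE_MEMBERS` are constructed sample values; `../../../etc/passwd` is the example path used in the text.

```python
"""Destdir containment check for package members (added hardening example, not eopkg code)."""
import os
import posixpath

# Constructed sample input: a hypothetical --destdir value and the member paths of a package.
DESTDIR = "/tmp/eopkg-destdir-example"
SAMPLE_MEMBERS = [
    "usr/bin/hello",            # benign, stays under destdir
    "./usr/share/doc/hello",    # benign, normalises cleanly
    "../../../etc/passwd",      # traversal; example path from the advisory text
    "/etc/shadow",              # absolute path: os.path.join discards destdir entirely
    "usr/../../opt/escaped",    # traversal hidden behind a normal-looking prefix
]


class PathEscapeError(ValueError):
    """Raised when a member would be written outside the destination directory."""


def naive_install_path(destdir, member):
    """The unsafe pattern: join and normalise, never verify containment.

    normpath happily collapses "/tmp/root/../../../etc/passwd" to "/etc/passwd",
    and os.path.join drops destdir altogether when member is absolute.
    """
    return os.path.normpath(os.path.join(destdir, member))


def safe_install_path(destdir, member):
    """Return the absolute path `member` should be written to, or raise PathEscapeError.

    1. Absolute member paths are refused outright.
    2. Any ".." component that survives normalisation is refused before the
       filesystem is consulted, so the check also works when destdir does not exist yet.
    3. Both sides are resolved with realpath and the result must still lie under
       destdir; this additionally catches a symlink planted earlier in the same
       archive that points outside destdir.
    """
    if posixpath.isabs(member) or os.path.isabs(member):
        raise PathEscapeError(f"absolute path in package: {member!r}")
    normalised = posixpath.normpath(member)
    if ".." in normalised.split("/"):
        raise PathEscapeError(f"parent-directory traversal in package: {member!r}")
    root = os.path.realpath(destdir)
    candidate = os.path.realpath(os.path.join(root, normalised))
    if os.path.commonpath([root, candidate]) != root:
        raise PathEscapeError(f"resolves outside destdir: {member!r} -> {candidate}")
    return candidate


def check_members(destdir, members):
    """Classify each member as ('ok', target_path) or ('rejected', reason)."""
    report = {}
    for member in members:
        try:
            report[member] = ("ok", safe_install_path(destdir, member))
        except PathEscapeError as exc:
            report[member] = ("rejected", str(exc))
    return report


if __name__ == "__main__":
    print("unsafe join (where the file would actually land):")
    for member in SAMPLE_MEMBERS:
        print(f"  {member!r:26} -> {naive_install_path(DESTDIR, member)}")
    print("containment check:")
    for member, (verdict, detail) in check_members(DESTDIR, SAMPLE_MEMBERS).items():
        print(f"  {member!r:26} {verdict}: {detail}")
```

Running the script shows the two traversal entries and the absolute entry landing in `/etc` and `/opt` under the unsafe join, while the containment check rejects all three and accepts only the two members that stay under `DESTDIR`. Step 2 (the `..` test on the normalised relative path) is what makes the decision independent of whether the destination exists, which matters for installers that create the tree as they go; step 3 is the backstop for symlink-based escapes that a string check alone cannot see.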