Solus eopkg Package Manager Path Traversal Vulnerability Allowing Arbitrary File Installation

Vulnerability

A path traversal vulnerability has been identified in the Solus package manager eopkg, affecting versions prior to 4.4.0. A malicious package can escape the directory specified by the --destdir option, so that its files are installed in unintended locations on the host system. The vulnerability is only triggered when the installed package comes from a malicious or compromised origin: users who install packages exclusively from the official Solus repositories are not affected, but those who download packages from untrusted sources are at risk.

Impact

Exploitation of this vulnerability could result in unauthorized files being installed outside of the designated --destdir directory, potentially leading to system compromise.

Reproduction

To reproduce this vulnerability, create a malicious eopkg package that includes files with relative paths designed to escape the --destdir directory. Install the package with the eopkg command, passing --destdir to direct the installation into a temporary directory. During installation the package manager extracts the files, including those whose paths escape the directory, without enforcing the intended directory restriction. After installation, verify that the files were written to locations outside the specified --destdir.
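The check that a package installer needs before writing each member is that its final path still lies inside --destdir after normalization. The following is an added, hypothetical Python example (not eopkg's own code) of that check, run over a constructed list of package member names that includes entries of the kind the reproduction describes; the helper names and the sample paths are assumptions.

```python
import os
from typing import List, Optional

def resolve_member_path(destdir: str, member: str) -> Optional[str]:
    """Return the absolute path a package member would be written to under
    destdir, or None if the member would escape destdir.

    Hypothetical helper, not eopkg's own API. Absolute member names and
    names that climb above destdir through '..' components are rejected
    after normalization. The containment test compares path components,
    so a sibling directory sharing a string prefix (/tmp/destdir2 next to
    /tmp/destdir) is not mistaken for a location inside destdir.
    """
    base = os.path.abspath(destdir)
    if not member or os.path.isabs(member):
        return None
    normalized = os.path.normpath(member)
    if normalized == "." or normalized == ".." or normalized.startswith("../"):
        return None
    target = os.path.normpath(os.path.join(base, normalized))
    if os.path.commonpath([base, target]) != base:
        return None
    return target

def find_escaping_members(destdir: str, members: List[str]) -> List[str]:
    """Return every member name that would be written outside destdir."""
    return [m for m in members if resolve_member_path(destdir, m) is None]

# Constructed sample member list modelled on the advisory's description:
# two ordinary entries and three that would leave the destination directory.
SAMPLE_MEMBERS = [
    "usr/bin/tool",
    "usr/share/doc/tool/README",
    "../../etc/escaped.conf",        # climbs above destdir directly
    "usr/../../etc/escaped.conf",    # climbs above destdir after normalization
    "/etc/escaped.conf",             # absolute name, ignores destdir entirely
]

if __name__ == "__main__":
    for name in find_escaping_members("/tmp/destdir", SAMPLE_MEMBERS):
        print("rejected:", name)
```

This validates member names only; an installer must additionally refuse to follow a symlink that an earlier member of the same package created pointing outside destdir.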

Remediation

Users should update to eopkg version 4.4.0 or later, where this vulnerability has been fixed.

Added: Jan 1, 2026, 6:18 PM
Updated: Jan 1, 2026, 6:18 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 3.7
remediation: 7.7
relevance: 1.7
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.