Solus eopkg Package Manager Path Traversal Vulnerability

Vulnerability

A vulnerability in the Solus package manager eopkg, affecting versions through 4.3.4, allows malicious packages to include untracked files. These files, not visible through eopkg's standard tools, could escape the designated installation directory and bypass important file integrity checks. This issue could lead to files being installed multiple times or not being properly managed by the package manager.

Impact

Exploitation of this vulnerability could result in files being installed from untrusted packages without proper oversight, potentially leading to system compromise.

Reproduction

The vulnerability can be reproduced by crafting a malicious eopkg package that includes files with relative paths designed to escape the normal installation directory. When such a package is installed, eopkg ignores the untracked files but may nonetheless install them twice if they bypass the usr-merge checks.
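The defensive counterpart to the issue above is to audit a package's file list before anything is written to disk: every archive entry should be tracked by the package's manifest, must resolve inside the install root once normalised, and must not appear twice under usr-merge aliases. The following is an added example in Python, not eopkg's own code; the alias table, the manifest format, the install root and the sample file lists are all constructed assumptions for the demonstration.

```python
"""Audit a package archive's file list before installation (added example).

Three checks, modelled on the failure modes described in the advisory:
  1. untracked  - archive entries absent from the package's file manifest;
  2. escaping   - entries that resolve outside the install root
                  (absolute paths or '..' segments);
  3. duplicates - the same file shipped under two usr-merge aliases.
Paths are compared lexically (normpath), so symlinks inside the archive
that point outside the root need a separate check at extraction time.
"""
import os
import posixpath
from dataclasses import dataclass, field

# Assumed usr-merge aliases (constructed simplification, not eopkg's table).
USR_MERGE_ALIASES = {
    "bin": "usr/bin",
    "sbin": "usr/sbin",
    "lib": "usr/lib",
    "lib64": "usr/lib64",
}


@dataclass
class Report:
    untracked: list = field(default_factory=list)
    escaping: list = field(default_factory=list)
    duplicates: list = field(default_factory=list)

    def ok(self) -> bool:
        """True only when no check produced a finding."""
        return not (self.untracked or self.escaping or self.duplicates)


def canonical(path: str) -> str:
    """Normalise an archive path to root-relative form, collapsing usr-merge aliases."""
    p = posixpath.normpath(path.lstrip("/"))  # drop leading '/', collapse '.' and '//'
    head, sep, tail = p.partition("/")
    if head in USR_MERGE_ALIASES:
        p = USR_MERGE_ALIASES[head] + (sep + tail if tail else "")
    return p


def escapes_root(member: str, root: str) -> bool:
    """True if joining member onto root resolves outside root.

    An absolute member makes os.path.join discard root entirely, and '..'
    segments are collapsed by normpath, so both escape forms are caught by
    checking that root is still the common prefix of the target path.
    """
    root_abs = os.path.abspath(root)
    target = os.path.normpath(os.path.join(root_abs, member))
    return os.path.commonpath([root_abs, target]) != root_abs


def audit(members, manifest, root="/") -> Report:
    """Run all three checks over the archive entries and return a Report."""
    tracked = {canonical(m) for m in manifest}
    seen = {}  # canonical path -> first archive entry that produced it
    report = Report()
    for m in members:
        if escapes_root(m, root):
            report.escaping.append(m)
            continue  # do not canonicalise an escaping path any further
        c = canonical(m)
        if c not in tracked:
            report.untracked.append(m)
        if c in seen:
            report.duplicates.append((seen[c], m))
        else:
            seen[c] = m
    return report


# Constructed sample data: a manifest and an archive listing that disagree.
SAMPLE_ROOT = "/var/tmp/pkgroot"
SAMPLE_MANIFEST = ["usr/bin/tool", "usr/share/doc/tool/README"]
SAMPLE_MEMBERS = [
    "usr/bin/tool",
    "usr/share/doc/tool/README",
    "../etc/tool.conf",      # relative escape from the install root
    "/etc/tool.conf",        # absolute path, also escapes
    "bin/tool",              # usr-merge alias of usr/bin/tool -> duplicate
    "usr/lib/tool/helper",   # present in archive, absent from manifest
]

if __name__ == "__main__":
    rep = audit(SAMPLE_MEMBERS, SAMPLE_MANIFEST, SAMPLE_ROOT)
    print("untracked :", rep.untracked)
    print("escaping  :", rep.escaping)
    print("duplicates:", rep.duplicates)
    print("package ok:", rep.ok())
```

A package manager applying this kind of audit rejects the archive as a whole on any finding rather than silently skipping the offending entries; skipping is exactly what lets an untracked file slip past later integrity checks.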

Remediation

Users should update to eopkg version 4.4.0, where this vulnerability has been fixed.

Added: Jan 1, 2026, 6:17 PM
Updated: Jan 1, 2026, 6:17 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 3.3
remediation: 7.7
relevance: 1.8
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.