RPM
cpe:2.3:a:rpm:rpm:*:*:*:*:*:*:*
- 6.0.1-5.1.hum1
A command injection vulnerability exists in the RPM utility's rpmuncompress command, specifically when extracting certain archive formats such as ZIP, 7z, and GEM. The vulnerability arises because the tool improperly sanitizes the top-level folder name of the archive before inserting it into a shell command. This flaw allows a specially crafted archive with shell metacharacters in its folder name to execute arbitrary commands as the user performing the extraction. The issue is confirmed in RPM version 6.0.1-5.1.hum1 and likely affects other versions with the same vulnerability structure.
Exploitation of this vulnerability allows for arbitrary command execution in the context of the user running the extraction, potentially leading to unauthorized file modifications or disruptions in the build process.
To reproduce this vulnerability, create a ZIP archive with a single top-level directory name that includes a shell payload, such as a command to create a file in the /tmp directory. Then, use the rpmuncompress command with the -x and -C options to extract the archive to a specified output directory. After extraction, check for the presence of the injected file to confirm that the command was executed. This vulnerability can also be verified non-destructively by using the rpmuncompress command with the -n option, which shows the generated shell command without executing it.
Avoid processing untrusted archives with the rpmuncompress command, especially through workflows that use '%setup' or '%autosetup -C', as these can trigger the vulnerable extraction path. Only feed source archives from trusted origins into build and continuous integration pipelines.
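As an added example (not code from the rpm project or from this record), the following Python check illustrates the mitigation above: before an archive reaches the extraction step, list its top-level entry names and reject any that contain shell metacharacters, which is exactly the input class the description says is interpolated into a shell command. It also contrasts unquoted string concatenation with the hardened form that passes every untrusted path component through shlex.quote. Assumptions: ZIP archives only; the sample archives are constructed inline; the "mv" command in the build_command_* helpers is a hypothetical illustration of the quoting pattern, not rpmuncompress's actual command line.

```python
import io
import re
import shlex
import zipfile

# Characters the shell treats specially. Any of these in a path component that
# is spliced unquoted into a command string can alter the command.
_SHELL_META = re.compile(r"""[\s`$&|;<>(){}\[\]*?!\\"'~#]""")


def top_level_names(archive_bytes):
    """Return the set of top-level entry names (first path component) in a ZIP archive."""
    names = set()
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            first = info.filename.split("/", 1)[0]
            if first:
                names.add(first)
    return names


def unsafe_top_level_names(archive_bytes):
    """Return top-level names that are unsafe to hand to a shell: '.', '..', or
    anything containing a shell metacharacter. An empty list means the archive
    passes this pre-extraction gate."""
    bad = []
    for name in sorted(top_level_names(archive_bytes)):
        if name in (".", "..") or _SHELL_META.search(name):
            bad.append(name)
    return bad


def build_command_unquoted(output_dir, top):
    # Hypothetical illustration of the vulnerable pattern: the archive's
    # directory name is concatenated straight into a shell string, so any
    # metacharacter in `top` is interpreted by the shell.
    return f"mv {output_dir}/{top} {output_dir}/src"


def build_command_quoted(output_dir, top):
    # Hardened form of the same hypothetical step: each untrusted component is
    # quoted, so metacharacters survive only as literal characters.
    src = shlex.quote(f"{output_dir}/{top}")
    dst = shlex.quote(f"{output_dir}/src")
    return f"mv {src} {dst}"


def make_zip(entries):
    """Build a constructed sample ZIP in memory from (path, content) pairs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, data in entries:
            zf.writestr(path, data)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample inputs: a normal source tree and one whose top-level
    # directory name carries a harmless metacharacter.
    clean = make_zip([("proj-1.0/README", b"hello"), ("proj-1.0/src/main.c", b"int main(){}")])
    tainted = make_zip([("proj;x/README", b"hello")])
    print("clean archive rejects:", unsafe_top_level_names(clean))
    print("tainted archive rejects:", unsafe_top_level_names(tainted))
    print("unquoted:", build_command_unquoted("/tmp/out", "proj;x"))
    print("quoted:  ", build_command_quoted("/tmp/out", "proj;x"))
```

In a pipeline this gate runs on the downloaded archive before '%setup' or '%autosetup -C' is ever invoked; a non-empty result from unsafe_top_level_names should fail the build rather than be logged and ignored.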