About Pacman

Pacman is a utility that manages software packages (bundles of files plus metadata that describe how to install, upgrade, and replace system software) on Linux systems, including Arch Linux, an OS that emphasizes simple, stable “package management.”

The cycle of software download, installation, and upgrade has its own attack surface, and it is important to ensure that attackers cannot introduce malicious code, for example by replacing installation files or by hijacking the directories used for package management.

Audit Description

Through OTF’s Security Lab, Trail of Bits conducted a whitebox audit of the Pacman module (in a whitebox review, testers have complete knowledge of the item being tested, including access to source code). They focused primarily on package signature verification, memory safety, data integrity during downloads and upgrades, and a new user-based isolation mechanism. The auditors sought to determine, among other risks, Pacman’s vulnerability to attacks that bypass package signature validation or compromise the signing infrastructure, or to the introduction of malicious code or metadata via database contents (which are unsigned by default) or via Arch Linux’s package repositories.

Scope

During November and December 2023, the Trail of Bits engineers conducted:

  • A lightweight threat model of the Pacman codebase and the portion of its infrastructure related to package signing and distribution
  • Non-exhaustive manual review of the Pacman codebase, as well as two security-relevant pull requests pending acceptance, with a focus on code paths pertaining to security-critical functionality, highlighted in the initial threat model
  • Static analysis of the Pacman codebase and manual triage of results
  • Dynamic analysis to identify instances of memory corruption and leaks
  • Fuzzing to identify inputs that could cause unexpected behavior at runtime

Coverage Limitations

Given the time-boxed nature of testing work, auditors encountered the following coverage limitations:

  • Code of various dependencies used by Pacman, such as libarchive and gpgme
  • The security controls of the signing and packaging infrastructure, which auditors included in the threat model but did not have access to review in implementation during the code review

Findings

The audit found that Pacman is “well-designed, comprehensively-documented, and robust against common application security issues.” In terms of exposure, the findings included zero issues of High or Medium severity and a total of nine issues flagged as Low, Informational or Undetermined severity. While threat modeling revealed some scenarios that were plausible, the findings suggest that they would “require the confluence of several independent factors” to be successfully exploited by an attacker.

Some of the audit’s key recommendations to improve security and signing infrastructure for Pacman and Arch Linux included: 

  • new configurations to safeguard against unsigned packages and against communications over insecure protocols (since databases are not currently signed)
  • improved protections against malicious content delivered via renamed packages or fake higher-versioned packages
  • the creation of more detailed, formalized response plans for high-severity threat scenarios such as compromised keys for important roles, revocation of signatures, and the validation or onboarding of trusted signers. Per the report, a written response plan for those high-severity scenarios can “increase the team’s response time in the event the signing infrastructure is compromised.”
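To make the first two recommendations concrete, the following pacman.conf excerpt contrasts a permissive configuration with a hardened one. This is an added illustration written for this page; it is not taken from the audit report or from Arch Linux's own configuration files. The option names `SigLevel`, `Server`, and `Include` are pacman's standard configuration keys; the mirror hostname and the particular value combinations shown are assumptions chosen for the example.

```ini
# /etc/pacman.conf excerpt, constructed for this page (not from the audit report).
# SigLevel, Server and Include are pacman's documented configuration keys;
# the mirror host and the specific values are illustrative assumptions.

[options]
# Weak: a signature is checked only if one happens to be present, and any key
# in the keyring is trusted, so an unsigned or oddly-signed package slips through.
#SigLevel = Optional TrustAll

# Hardened: every package must carry a valid signature from a key that is
# explicitly trusted in pacman's keyring. Database signatures stay optional
# because, as the report notes, repository databases are not signed today;
# DatabaseRequired is the stricter setting to move to once they are.
SigLevel = Required DatabaseOptional TrustedOnly

[core]
# Weak: a plain-HTTP mirror lets an on-path party observe or tamper with
# downloads. Package signature checks still reject a substituted package, but
# the unsigned database content is not protected at all.
#Server = http://mirror.example.invalid/archlinux/$repo/os/$arch

# Hardened: fetch over TLS, normally via a curated mirrorlist.
Server = https://mirror.example.invalid/archlinux/$repo/os/$arch
Include = /etc/pacman.d/mirrorlist
```

The point of the hardened block is that it removes two silent-acceptance paths: a package without a signature no longer installs, and transport-level tampering with the database (the one artifact that signatures do not cover) at least requires breaking TLS rather than passive interception.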

Remediation

Some of the issues noted in the audit report were previously known to the Arch Linux team and were already being rectified. For the nine key findings in the audit, a “fix review” by Trail of Bits during early March 2024 showed that seven of nine issues had been resolved and two more were partly resolved.
