oma is a package manager for AOSC OS. Prior to 1.25.2, oma-topics is responsible for fetching metadata for testing repositories (topics) named "Topic Manifests" ({mirror}/debs/manifest/topics.json) from remote repository servers, registering them as APT source entries. However, the name field in said metadata were not checked for transliteration.
In this case, a malicious party may supply a malformed Topic Manifest, which may cause malicious APT source entries to be added to /etc/apt/sources.list.d/atm.list as oma-topics finishes fetching and registering metadata. This vulnerability is fixed in 1.25.2.
Attack Parameters
Attack Vector
Network
Can be exploited remotely
Attack Complexity
High
Difficult to exploit
Attack Requirements
Present
Additional conditions required
Privileges Required
High
Admin privileges needed
User Interaction
Passive
Minimal interaction
Impact Assessment
Confidentiality
None
No data leak
Integrity
None
No data modification
Availability
None
No disruption
CVSS Vector v4.0
Weakness Type (CWE)
References 4
https://github.com/AOSC-Dev/oma/commit/b361c0f219bbf91a684610c76210f71f093dbc18
security-advisories@github.com
https://github.com/AOSC-Dev/oma/pull/733
security-advisories@github.com
https://github.com/AOSC-Dev/oma/releases/tag/v1.25.2
security-advisories@github.com
https://github.com/AOSC-Dev/oma/security/advisories/GHSA-86jc-7r6q-cr3f
security-advisories@github.com