Oma
oma package manager prior to version 1.25.2 fails to validate the name field in Topic Manifest metadata, allowing remote attackers with high privileges and network access to inject malicious APT source entries into /etc/apt/sources.list.d/atm.list. This manipulation could lead to supply chain attacks by redirecting package installation to attacker-controlled repositories, though exploitation requires specific preconditions including user interaction and partial attack timing. The vulnerability has been fixed in version 1.25.2.