VYPR
High severity (CVSS 7.0) · NVD Advisory · Published May 28, 2026

CVE-2026-44604

Description

A command injection vulnerability was discovered in the rpmuncompress utility of RPM. When extracting certain archive formats (ZIP, 7z, GEM) to a specified destination directory, the tool inserts the archive's top-level folder name into a shell command without properly sanitizing it. A specially crafted archive containing shell metacharacters in its folder name can execute arbitrary commands as the user running the extraction.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A command injection vulnerability in rpmuncompress allows arbitrary command execution when extracting a malicious archive with shell metacharacters in the top-level folder name.

Vulnerability

The rpmuncompress utility in RPM versions including rpm-6.0.1-5.1.hum1 (upstream 6.0.1) contains a command injection flaw in the doUntar() function when extracting archives via the -x -C path for single-root extractable formats (ZIP, 7z, GEM). The top-level directory name from the archive is inserted into a popen() shell command without sanitization, so an embedded single quote breaks out of the quoted argument and lets the remainder of the name run as shell commands. The vulnerable code is in tools/rpmuncompress.cc [1][2].

Exploitation

An attacker crafts a malicious archive whose top-level folder name contains shell metacharacters (e.g., a single quote). The victim must extract the archive using rpmuncompress -x -C, either directly or through RPM source-preparation workflows (%setup/%autosetup -C). No authentication or prior privilege is required; the only precondition is user interaction, since the attacker merely has to supply the archive. The extraction process passes the folder name unsanitized to popen(), leading to command execution with the privileges of the user running the extraction [2].

Impact

Successful exploitation results in arbitrary command execution on the target system, potentially leading to complete compromise of confidentiality, integrity, and availability (CIA). The CVSS v3 base score is 7.0 (High), with the attack vector being local but requiring user interaction [1][2].

Mitigation

As of the publication date (2026-05-28), no official patch has been released. A proposed fix has been submitted upstream (see Bugzilla [2]), but the fixed version is unknown. Users should avoid extracting untrusted archives with rpmuncompress -x -C or disable the use of the utility in build workflows until a patch is applied. No workaround is available beyond not using the vulnerable functionality [2].

AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • Rpm/Rpm (inferred): 2 versions listed, neither with a CPE identifier

Patches

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing shell escaping of the archive top-level directory name before interpolation into a `popen()` shell command allows single-quote breakout and arbitrary command execution."

Attack vector

An attacker crafts an archive (ZIP, 7z, or GEM) whose top-level directory name contains a single quote and a shell payload, such as `evil'$(touch /tmp/poc)'` [ref_id=1]. When a user or build workflow processes the archive via `rpmuncompress -x -C <dest> <archive>`, the `doUntar()` function builds a shell command using `popen()` and inserts the unsanitized directory name inside single quotes [ref_id=1]. The embedded single quote breaks out of the quoting context, allowing arbitrary shell command execution with the privileges of the user running the extraction [ref_id=1]. The attack requires local delivery of the malicious archive and user interaction (processing the archive), but no prior privileges on the target system [ref_id=1].

Affected code

The vulnerable code is in `tools/rpmuncompress.cc` in the `doUntar()` function. The `singleRoot()` function reads the archive's top-level directory name (`sr`) from archive metadata, and `doUntar()` interpolates that name directly into a shell command string passed to `popen()` without escaping embedded single quotes [ref_id=1]. This affects the `-x -C` extraction path for ZIP, 7z, and GEM archives that have a single top-level directory [ref_id=1].

What the fix does

The proposed fix introduces a `shSingleQuoteEscape()` function that replaces each embedded single quote in the `sr` string with the shell-safe sequence `'\''` before interpolation [ref_id=1]. The escaped string `sr_esc` is then used in the `rasprintf()` call that builds the `moveup` shell command, preventing quote breakout [ref_id=1]. The long-term recommended remediation is to avoid shell composition for file moves entirely and use filesystem APIs directly [ref_id=1]. No official upstream patch has been confirmed as published at the time of the report [ref_id=1].

Preconditions

  • input: Attacker must supply a malicious archive (ZIP, 7z, or GEM) with a single top-level directory whose name contains a single quote and shell payload
  • auth: A user or automated build workflow must process the archive through the `rpmuncompress -x -C` extraction path
  • input: The archive must have a single top-level directory (singleRoot() returns non-NULL)
  • config: The vulnerable branch is reachable via RPM source-preparation workflows using `%setup/%autosetup -C`

Reproduction

1. Create a ZIP archive with a malicious top-level directory name containing a single quote and shell payload:

```bash
python3 - <<'PY'
import zipfile
name = "evil'$(touch /tmp/rpmuncompress_poc)'"
with zipfile.ZipFile("/tmp/poc.zip", "w") as z:
    z.writestr(f"{name}/README.txt", "x")
PY
```

2. Trigger the vulnerable extraction path:

```bash
mkdir -p /tmp/out
rpmuncompress -x -C /tmp/out /tmp/poc.zip
```

3. Verify command execution:

```bash
test -f /tmp/rpmuncompress_poc && echo "INJECTED"
```

[ref_id=1]

Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

2 references, cited inline above as [1] and [2] (the Bugzilla report is [2]); their URLs are not reproduced in this extract.

News mentions

No linked articles in our index yet.