Arch Linux alert ASA-201903-7 (pacman)
| From: | Levente Polyak <anthraxx@archlinux.org> | |
| To: | arch-security@archlinux.org | |
| Subject: | [ASA-201903-7] pacman: arbitrary code execution | |
| Date: | Mon, 11 Mar 2019 21:50:36 +0100 | |
| Message-ID: | <a69b7499-ebf7-1d57-be44-8f0f3d583dbd@archlinux.org> |
Arch Linux Security Advisory ASA-201903-7 ========================================= Severity: High Date : 2019-03-11 CVE-ID : CVE-2019-9686 Package : pacman Type : arbitrary code execution Remote : Yes Link : https://security.archlinux.org/AVG-921 Summary ======= The package pacman before version 5.1.3-1 is vulnerable to arbitrary code execution. Resolution ========== Upgrade to 5.1.3-1. # pacman -Syu "pacman>=5.1.3-1" The problem has been fixed upstream in version 5.1.3. Workaround ========== None. Description =========== pacman prior to version 5.1.3 allows directory traversal when installing a remote package via a specified URL "pacman -U <url>" due to an unsanitized file name received from a Content-Disposition header. pacman renames the downloaded package file to match the name given in this header. However, pacman did not sanitize this name, which may contain slashes, before calling rename(). A malicious server (or a network MitM if downloading over HTTP) can send a Content-Disposition header to make pacman place the file anywhere in the filesystem, potentially leading to arbitrary root code execution. Notably, this bypasses pacman's package signature checking. This occurs in curl_download_internal in lib/libalpm/dload.c. Impact ====== A remote attacker in the position of man-in-the-middle or a malicious server is able to execute arbitrary code as root when a user installs a remote package via a specified URL. References ========== https://git.archlinux.org/pacman.git/commit/?id=970270363... https://git.archlinux.org/pacman.git/commit/?id=d197d8ab8... https://git.archlinux.org/pacman.git/commit/?h=release/5.... https://security.archlinux.org/CVE-2019-9686