
Arch Linux alert ASA-201910-13 (pacman)

From:  Morten Linderud <foxboron@archlinux.org>
To:  arch-security@archlinux.org
Subject:  [ASA-201910-13] pacman: arbitrary command execution
Date:  Wed, 23 Oct 2019 16:20:15 +0200
Message-ID:  <20191023142015.uwqmxqaciqryhvuv@anathema>

Arch Linux Security Advisory ASA-201910-13
==========================================

Severity: High
Date    : 2019-10-23
CVE-ID  : CVE-2019-18182 CVE-2019-18183
Package : pacman
Type    : arbitrary command execution
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1049

Summary
=======

The package pacman before version 5.2.0-1 is vulnerable to arbitrary
command execution.

Resolution
==========

Upgrade to 5.2.0-1.

# pacman -Syu "pacman>=5.2.0-1"

The problems have been fixed upstream in version 5.2.0.

Workaround
==========

For CVE-2019-18182: Ensure `XferCommand` is commented out in
`/etc/pacman.conf`

For CVE-2019-18183: Ensure `UseDelta` is commented out in
`/etc/pacman.conf`

Description
===========

- CVE-2019-18182 (arbitrary command execution)

pacman before 5.2 is vulnerable to arbitrary command injection in
src/pacman/conf.c in the download_with_xfercommand() function. This can
be exploited when unsigned databases are used. To exploit the
vulnerability, the user must enable a non-default XferCommand and
retrieve an attacker-controlled crafted database and package.

- CVE-2019-18183 (arbitrary command execution)

pacman before 5.2 is vulnerable to arbitrary command injection in
lib/libalpm/sync.c in the apply_deltas() function. This can be exploited
when unsigned databases are used. To exploit the vulnerability, the user
must enable the non-default delta feature and retrieve an
attacker-controlled crafted database and delta file.

Impact
======

A remote attacker is able to execute arbitrary commands on the host with
a specially crafted database and a package or delta file.

References
==========

https://git.archlinux.org/pacman.git/tree/src/pacman/conf...
https://git.archlinux.org/pacman.git/commit/?id=808a4f15c...
https://git.archlinux.org/pacman.git/tree/lib/libalpm/syn...
https://git.archlinux.org/pacman.git/commit/?id=c0e9be797...
https://security.archlinux.org/CVE-2019-18182
https://security.archlinux.org/CVE-2019-18183
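Two things a practitioner wants after reading the Workaround and Description sections above: a check that the non-default `XferCommand` and `UseDelta` options really are commented out (and that the installed pacman is at or past the fixed version), and a concrete picture of the injection pattern the Description names. The following Python is an added example written for this page; it is not pacman's own code. The `XFER_TEMPLATE` string, the file name, the sample `pacman.conf` and the helper names are all constructed for illustration. The vulnerable function reproduces the general pattern (substituting a file name taken from the database into a command template and handing the result to a shell); the hardened function builds an argv list and never invokes a shell. The version comparison is a deliberate simplification that handles only numeric dotted versions with a pkgrel, not pacman's full vercmp rules.

```python
"""Added example for ASA-201910-13: workaround audit and the injection pattern.

Not pacman's code. Template, file names and sample config are constructed.
"""
import re
import subprocess

# Constructed sample /etc/pacman.conf with both risky options active.
SAMPLE_CONF = """\
[options]
HoldPkg     = pacman glibc
Architecture = auto
#XferCommand = /usr/bin/curl -L -C - -f -o %o %u
XferCommand = /usr/bin/wget --passive-ftp -c -O %o %u
UseDelta = 0.7
CheckSpace
"""

RISKY_OPTIONS = ("XferCommand", "UseDelta")


def audit_pacman_conf(text):
    """Return {option: value} for each risky option that is set, not commented out.

    An empty dict means the advisory's workaround is in place.
    """
    active = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank or commented out
        m = re.match(r"(\w+)\s*(?:=\s*(.*))?$", stripped)
        if m and m.group(1) in RISKY_OPTIONS:
            active[m.group(1)] = (m.group(2) or "").strip()
    return active


def parse_version(v):
    """Simplified: 'pkgver-pkgrel' with purely numeric dotted pkgver (no epoch, no alpha)."""
    pkgver, _, pkgrel = v.partition("-")
    return tuple(int(x) for x in pkgver.split(".")), int(pkgrel or 0)


def is_fixed(installed, fixed="5.2.0-1"):
    """True if the installed pacman version is at or past the advisory's fixed version."""
    return parse_version(installed) >= parse_version(fixed)


# --- The injection pattern -------------------------------------------------

# Hypothetical XferCommand template: %u is the URL, %o the output file.
# Uses echo so the example is harmless and runs offline.
XFER_TEMPLATE = "echo fetching %u into %o"

# A file name of the kind an unsigned, crafted database entry could carry.
MALICIOUS_NAME = "evil-1.0-1-x86_64.pkg.tar.xz; echo INJECTED"


def download_vulnerable(template, url, outfile):
    """Textual substitution, then the shell: metacharacters in outfile become commands."""
    cmd = template.replace("%o", outfile).replace("%u", url)
    res = subprocess.run(["/bin/sh", "-c", cmd], capture_output=True, text=True)
    return res.stdout.splitlines()


def download_hardened(template, url, outfile):
    """Split the template into argv first, substitute per token, never invoke a shell."""
    argv = [tok.replace("%o", outfile).replace("%u", url) for tok in template.split()]
    res = subprocess.run(argv, capture_output=True, text=True)
    return res.stdout.splitlines()


if __name__ == "__main__":
    print("active risky options:", audit_pacman_conf(SAMPLE_CONF))
    url = "https://mirror.example/core/evil.pkg.tar.xz"
    out = "/var/cache/pacman/pkg/" + MALICIOUS_NAME
    print("vulnerable:", download_vulnerable(XFER_TEMPLATE, url, out))
    print("hardened:  ", download_hardened(XFER_TEMPLATE, url, out))
```

The vulnerable path prints a second line, `INJECTED`, because the shell treats the `;` in the file name as a command separator; the hardened path prints one line with the whole file name as a single argument. Run `audit_pacman_conf` over the real `/etc/pacman.conf` to confirm the workaround, and compare `pacman -Q pacman` against `5.2.0-1` with the distribution's own `vercmp` rather than the simplified comparison here when the version string contains an epoch or non-numeric components.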




Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds