ASA-201903-7 generated external raw

[ASA-201903-7] pacman: arbitrary code execution
Arch Linux Security Advisory ASA-201903-7 ========================================= Severity: High Date : 2019-03-11 CVE-ID : CVE-2019-9686 Package : pacman Type : arbitrary code execution Remote : Yes Link : Summary ======= The package pacman before version 5.1.3-1 is vulnerable to arbitrary code execution. Resolution ========== Upgrade to 5.1.3-1. # pacman -Syu "pacman>=5.1.3-1" The problem has been fixed upstream in version 5.1.3. Workaround ========== None. Description =========== pacman prior to version 5.1.3 allows directory traversal when installing a remote package via a specified URL "pacman -U " due to an unsanitized file name received from a Content-Disposition header. pacman renames the downloaded package file to match the name given in this header. However, pacman did not sanitize this name, which may contain slashes, before calling rename(). A malicious server (or a network MitM if downloading over HTTP) can send a Content-Disposition header to make pacman place the file anywhere in the filesystem, potentially leading to arbitrary root code execution. Notably, this bypasses pacman's package signature checking. This occurs in curl_download_internal in lib/libalpm/dload.c. Impact ====== A remote attacker in the position of man-in-the-middle or a malicious server is able to execute arbitrary code as root when a user installs a remote package via a specified URL. References ==========