Subject: [ASA-201903-7] pacman: arbitrary code execution Arch Linux Security Advisory ASA-201903-7 ========================================= Severity: High Date : 2019-03-11 CVE-ID : CVE-2019-9686 Package : pacman Type : arbitrary code execution Remote : Yes Link : https://security.archlinux.org/AVG-921 Summary ======= The package pacman before version 5.1.3-1 is vulnerable to arbitrary code execution. Resolution ========== Upgrade to 5.1.3-1. # pacman -Syu "pacman>=5.1.3-1" The problem has been fixed upstream in version 5.1.3. Workaround ========== None. Description =========== pacman prior to version 5.1.3 allows directory traversal when installing a remote package via a specified URL "pacman -U " due to an unsanitized file name received from a Content-Disposition header. pacman renames the downloaded package file to match the name given in this header. However, pacman did not sanitize this name, which may contain slashes, before calling rename(). A malicious server (or a network MitM if downloading over HTTP) can send a Content-Disposition header to make pacman place the file anywhere in the filesystem, potentially leading to arbitrary root code execution. Notably, this bypasses pacman's package signature checking. This occurs in curl_download_internal in lib/libalpm/dload.c. Impact ====== A remote attacker in the position of man-in-the-middle or a malicious server is able to execute arbitrary code as root when a user installs a remote package via a specified URL. References ========== https://git.archlinux.org/pacman.git/commit/?id=9702703633bec2c007730006de2aeec8587dfc84 https://git.archlinux.org/pacman.git/commit/?id=d197d8ab82cf10650487518fb968067897a12775 https://git.archlinux.org/pacman.git/commit/?h=release/5.1.x&id=1bf767234363f7ad5933af3f7ce267c123017bde https://security.archlinux.org/CVE-2019-9686