Main Vulnerability Database SB2019031120

SB2019031120 - Arch Linux update for pacman

Published: March 11, 2019 Updated: March 11, 2019

Security Bulletin ID SB2019031120

Severity

High

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Path traversal (CVE-ID: CVE-2019-9686)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

pacman before 5.1.3 allows directory traversal when installing a remote package via a specified URL "pacman -U <url>" due to an unsanitized file name received from a Content-Disposition header. pacman renames the downloaded package file to match the name given in this header. However, pacman did not sanitize this name, which may contain slashes, before calling rename(). A malicious server (or a network MitM if downloading over HTTP) can send a Content-Disposition header to make pacman place the file anywhere in the filesystem, potentially leading to arbitrary root code execution. Notably, this bypasses pacman's package signature checking. This occurs in curl_download_internal in lib/libalpm/dload.c.

Remediation

Install update from vendor's website.

References

https://security.archlinux.org/advisory/ASA-201903-7