[ASA-201910-13] pacman: arbitrary command execution

Morten Linderud foxboron at archlinux.org
Wed Oct 23 14:20:15 UTC 2019


Arch Linux Security Advisory ASA-201910-13
==========================================

Severity: High
Date    : 2019-10-23
CVE-ID  : CVE-2019-18182 CVE-2019-18183
Package : pacman
Type    : arbitrary command execution
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1049

Summary
=======

The package pacman before version 5.2.0-1 is vulnerable to arbitrary
command execution.

Resolution
==========

Upgrade to 5.2.0-1.

# pacman -Syu "pacman>=5.2.0-1"

The problems have been fixed upstream in version 5.2.0.

Workaround
==========

For CVE-2019-18182:
    Ensure `XferCommand` is commented out in `/etc/pacman.conf`

For CVE-2019-18183:
    Ensure `UseDelta` is commented out in `/etc/pacman.conf`

Description
===========

- CVE-2019-18182 (arbitrary command execution)

pacman before 5.2 is vulnerable to arbitrary command injection in
src/pacman/conf.c in the download_with_xfercommand() function. This can
be exploited when unsigned databases are used. To exploit the
vulnerability, the user must enable a non-default XferCommand and
retrieve an attacker-controlled crafted database and package.

- CVE-2019-18183 (arbitrary command execution)

pacman before 5.2 is vulnerable to arbitrary command injection in
lib/libalpm/sync.c in the apply_deltas() function. This can be
exploited when unsigned databases are used. To exploit the
vulnerability, the user must enable the non-default delta feature and
retrieve an attacker-controlled crafted database and delta file.

Impact
======

A remote attacker is able to execute arbitrary commands on the host
with a specially crafted database and a package or delta file.

References
==========

https://git.archlinux.org/pacman.git/tree/src/pacman/conf.c?h=v5.1.3#n263
https://git.archlinux.org/pacman.git/commit/?id=808a4f15ce82d2ed7eeb06de73d0f313620558ee
https://git.archlinux.org/pacman.git/tree/lib/libalpm/sync.c?h=v5.1.3#n767
https://git.archlinux.org/pacman.git/commit/?id=c0e9be7973be6c81b22fde91516fb8991e7bb07b
https://security.archlinux.org/CVE-2019-18182
https://security.archlinux.org/CVE-2019-18183
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20191023/c5a65f80/attachment.sig>


More information about the arch-security mailing list