1) CVE-2019-18182
MITRE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18182
Description: "pacman before 5.2 is vulnerable to arbitrary command injection in conf.c in the download_with_xfercommand() function. This can be exploited when unsigned databases are used. To exploit the vulnerability, the user must enable a non-default XferCommand and retrieve an attacker-controlled crafted database and package."
Patch: https://git.archlinux.org/pacman.git/commit/?id=808a4f15ce82d2ed7eeb06de73d0f313620558ee

2) CVE-2019-18183
MITRE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18183
Description: "pacman before 5.2 is vulnerable to arbitrary command injection in lib/libalpm/sync.c in the apply_deltas() function. This can be exploited when unsigned databases are used. To exploit the vulnerability, the user must enable the non-default delta feature and retrieve an attacker-controlled crafted database and delta file."
Patch: https://git.archlinux.org/pacman.git/commit/?id=c0e9be7973be6c81b22fde91516fb8991e7bb07b

---

Both vulnerabilities require non-default configuration.
NOTE: I have chosen C2 in the whiteboard because while pacman may be run as root, it seems unlikely and these vulnerabilities require a specific configuration.
Package has no stable ebuild, changing rating to ~2. Maintainer is maintainer-wanted@, not proxy-maint@.
CVE-2019-9686 (https://nvd.nist.gov/vuln/detail/CVE-2019-9686): pacman before 5.1.3 allows directory traversal when installing a remote package via a specified URL "pacman -U <url>" due to an unsanitized file name received from a Content-Disposition header. pacman renames the downloaded package file to match the name given in this header. However, pacman did not sanitize this name, which may contain slashes, before calling rename(). A malicious server (or a network MitM if downloading over HTTP) can send a Content-Disposition header to make pacman place the file anywhere in the filesystem, potentially leading to arbitrary root code execution. Notably, this bypasses pacman's package signature checking. This occurs in curl_download_internal in lib/libalpm/dload.c.
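The defect described in the comment above is the rename() to an unsanitized Content-Disposition filename. The following is an added illustration, not pacman's code or the upstream fix: a helper that accepts the header's filename parameter only when it is a bare basename, so a value carrying path separators or "." / ".." is rejected before any rename happens. The function name and the sample headers are constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return a malloc'd copy of the Content-Disposition "filename=" parameter,
 * or NULL unless it is a plain basename (no '/' or '\\', no control bytes,
 * not "." or ".."). RFC 5987 "filename*=" is deliberately not handled. */
char *safe_disposition_filename(const char *header)
{
    const char *p = header ? strstr(header, "filename=") : NULL;
    if (p == NULL)
        return NULL;
    p += strlen("filename=");

    /* A quoted value ends at the closing quote, a bare token at ';' or space. */
    size_t len = (*p == '"') ? strcspn(++p, "\"\r\n") : strcspn(p, "; \t\r\n");

    if (len == 0 || memchr(p, '/', len) || memchr(p, '\\', len))
        return NULL;
    for (size_t i = 0; i < len; i++)
        if ((unsigned char)p[i] < 0x20 || p[i] == 0x7f)
            return NULL;
    if ((len == 1 && p[0] == '.') || (len == 2 && p[0] == '.' && p[1] == '.'))
        return NULL;

    char *name = malloc(len + 1);
    if (name == NULL)
        return NULL;
    memcpy(name, p, len);
    name[len] = '\0';
    return name;
}

int main(void)
{
    /* Constructed sample headers: a benign name and one carrying a path. */
    const char *samples[] = {
        "attachment; filename=\"foo-1.0-1-x86_64.pkg.tar.xz\"",
        "attachment; filename=\"../foo.pkg.tar.xz\"",
    };
    for (size_t i = 0; i < 2; i++) {
        char *n = safe_disposition_filename(samples[i]);
        printf("%s -> %s\n", samples[i], n ? n : "(rejected: not a bare filename)");
        free(n);
    }
    return 0;
}
```

When the helper returns NULL the downloader should keep the name derived from the URL rather than trusting the server; that fallback is the caller's choice and is not shown here.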
CCing treecleaner. Unmaintained in Gentoo, serious security issues.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=998ca28d3b4397e3cdef0c5b9d9c81c81eda7918

commit 998ca28d3b4397e3cdef0c5b9d9c81c81eda7918
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-06-29 07:26:14 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-06-29 07:26:14 +0000

    package.mask: Last rite sys-apps/pacman

    Bug: https://bugs.gentoo.org/711134
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 profiles/package.mask | 6 ++++++
 1 file changed, 6 insertions(+)
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1229b2908e47bb2fed9cf77013f0440a421e1708

commit 1229b2908e47bb2fed9cf77013f0440a421e1708
Author:     Mikle Kolyada <zlogene@gentoo.org>
AuthorDate: 2020-07-29 11:29:19 +0000
Commit:     Mikle Kolyada <zlogene@gentoo.org>
CommitDate: 2020-07-29 11:31:31 +0000

    sys-apps/pacman: remove last-rited pkg

    Closes: https://bugs.gentoo.org/659474
    Closes: https://bugs.gentoo.org/627342
    Closes: https://bugs.gentoo.org/627348
    Closes: https://bugs.gentoo.org/711134
    Signed-off-by: Mikle Kolyada <zlogene@gentoo.org>

 sys-apps/pacman/Manifest                          |   1 -
 .../pacman/files/pacman-5.0.2-CVE-2016-5434.patch | 136 ---------------------
 sys-apps/pacman/metadata.xml                      |  17 ---
 sys-apps/pacman/pacman-5.0.2-r2.ebuild            | 117 ------------------
 4 files changed, 271 deletions(-)