"pacman before 5.2 is vulnerable to arbitrary command injection in conf.c in the download_with_xfercommand() function. This can be exploited when unsigned databases are used. To exploit the vulnerability, the user must enable a non-default XferCommand and retrieve an attacker-controlled crafted database and package."
"pacman before 5.2 is vulnerable to arbitrary command injection in lib/libalpm/sync.c in the apply_deltas() function. This can be exploited when unsigned databases are used. To exploit the vulnerability, the user must enable the non-default delta feature and retrieve an attacker-controlled crafted database and delta file."
Both vulnerabilities require non-default configuration.
NOTE: I have chosen C2 in the whiteboard because while pacman may be run as root, it seems unlikely and these vulnerabilities require a specific configuration.
Package has no stable ebuild, changing rating to ~2.
Maintainer is maintainer-wanted@, not proxy-maint@.
pacman before 5.1.3 allows directory traversal when installing a remote package via a specified URL "pacman -U <url>" due to an unsanitized file name received from a Content-Disposition header. pacman renames the downloaded package file to match the name given in this header. However, pacman did not sanitize this name, which may contain slashes, before calling rename(). A malicious server (or a network MitM if downloading over HTTP) can send a Content-Disposition header to make pacman place the file anywhere in the filesystem, potentially leading to arbitrary root code execution. Notably, this bypasses pacman's package signature checking. This occurs in curl_download_internal in lib/libalpm/dload.c.
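The missing step described in the comment above is validation of the server-supplied filename before it is used in rename(). The following is an added illustration of that check, written for this bug report; it is not pacman's code and does not reproduce the fix in dload.c. The helper names (extract_filename, filename_is_safe, safe_filename_from_header) and the sample header values are hypothetical. A downloaded file should only ever be renamed to a bare filename inside the cache directory, so anything containing a path separator, "." / "..", or control characters is rejected and the caller falls back to its own naming.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Extract the filename= parameter from a Content-Disposition header value.
 * Handles both quoted ("...") and bare token forms. Returns a malloc'd copy
 * or NULL if the parameter is absent or malformed. Hypothetical helper. */
char *extract_filename(const char *header)
{
    const char *p = strstr(header, "filename=");
    if (!p)
        return NULL;
    p += strlen("filename=");

    size_t len;
    if (*p == '"') {
        p++;
        const char *end = strchr(p, '"');
        if (!end)
            return NULL;            /* unterminated quoted string */
        len = (size_t)(end - p);
    } else {
        len = strcspn(p, ";");      /* bare token ends at ';' or end of value */
    }
    /* drop trailing whitespace */
    while (len > 0 && isspace((unsigned char)p[len - 1]))
        len--;

    char *out = malloc(len + 1);
    if (!out)
        return NULL;
    memcpy(out, p, len);
    out[len] = '\0';
    return out;
}

/* Return 1 if name may be used as a bare filename within the cache directory:
 * non-empty, not "." or "..", no '/' or '\\', no control characters.
 * Rejecting separators outright (rather than stripping them) avoids
 * normalisation surprises such as "..\\" on other platforms. */
int filename_is_safe(const char *name)
{
    if (!name || !*name)
        return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    for (const unsigned char *c = (const unsigned char *)name; *c; c++) {
        if (*c == '/' || *c == '\\')
            return 0;
        if (*c < 0x20 || *c == 0x7f)
            return 0;
    }
    return 1;
}

/* Parse and validate in one step: malloc'd safe filename, or NULL when the
 * caller should ignore the header and keep its own filename. */
char *safe_filename_from_header(const char *header)
{
    char *name = extract_filename(header);
    if (!name)
        return NULL;
    if (!filename_is_safe(name)) {
        free(name);
        return NULL;
    }
    return name;
}

int main(void)
{
    /* Constructed sample header values, not captured traffic. */
    const char *samples[] = {
        "attachment; filename=\"example-1.0-1-x86_64.pkg.tar.xz\"",
        "attachment; filename=\"../example.pkg.tar.xz\"",
        "attachment; filename=/tmp/example.pkg.tar.xz",
        "attachment",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char *name = safe_filename_from_header(samples[i]);
        printf("%-55s -> %s\n", samples[i], name ? name : "(rejected)");
        free(name);
    }
    return 0;
}
```

The parser only inspects the plain filename= parameter; a production implementation would also have to decide how to treat RFC 5987 filename*= values, and should apply the same filename_is_safe() check to whatever it decodes.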
CCing treecleaner. Unmaintained in Gentoo, serious security issues.
The bug has been referenced in the following commit(s):
Author: Michał Górny <firstname.lastname@example.org>
AuthorDate: 2020-06-29 07:26:14 +0000
Commit: Michał Górny <email@example.com>
CommitDate: 2020-06-29 07:26:14 +0000
package.mask: Last rite sys-apps/pacman
Signed-off-by: Michał Górny <firstname.lastname@example.org>
profiles/package.mask | 6 ++++++
1 file changed, 6 insertions(+)
The bug has been closed via the following commit(s):
Author: Mikle Kolyada <email@example.com>
AuthorDate: 2020-07-29 11:29:19 +0000
Commit: Mikle Kolyada <firstname.lastname@example.org>
CommitDate: 2020-07-29 11:31:31 +0000
sys-apps/pacman: remove last-rited pkg
Signed-off-by: Mikle Kolyada <email@example.com>
sys-apps/pacman/Manifest | 1 -
.../pacman/files/pacman-5.0.2-CVE-2016-5434.patch | 136 ---------------------
sys-apps/pacman/metadata.xml | 17 ---
sys-apps/pacman/pacman-5.0.2-r2.ebuild | 117 ------------------
4 files changed, 271 deletions(-)