Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 711134 (CVE-2019-18182, CVE-2019-18183, CVE-2019-9686) - sys-apps/pacman: multiple vulnerabilities (CVE-2019-{18182,18183,9686})
Summary: sys-apps/pacman: multiple vulnerabilities (CVE-2019-{18182,18183,9686})
Status: RESOLVED FIXED
Alias: CVE-2019-18182, CVE-2019-18183, CVE-2019-9686
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Deadline: 2020-07-29
Assignee: Gentoo Security
URL:
Whiteboard: ~2 [ebuild cve]
Keywords: PMASKED
Depends on:
Blocks:
 
Reported: 2020-03-01 01:55 UTC by Sam James
Modified: 2020-07-29 11:31 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester gentoo-dev Security 2020-03-01 01:55:55 UTC
1) CVE-2019-18182:
MITRE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18182

Description:
"pacman before 5.2 is vulnerable to arbitrary command injection in conf.c in the download_with_xfercommand() function. This can be exploited when unsigned databases are used. To exploit the vulnerability, the user must enable a non-default XferCommand and retrieve an attacker-controlled crafted database and package."

Patch: https://git.archlinux.org/pacman.git/commit/?id=808a4f15ce82d2ed7eeb06de73d0f313620558ee

2) CVE-2019-18183:
MITRE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18183

Description:
"pacman before 5.2 is vulnerable to arbitrary command injection in lib/libalpm/sync.c in the apply_deltas() function. This can be exploited when unsigned databases are used. To exploit the vulnerability, the user must enable the non-default delta feature and retrieve an attacker-controlled crafted database and delta file."

Patch: https://git.archlinux.org/pacman.git/commit/?id=c0e9be7973be6c81b22fde91516fb8991e7bb07b

---
Both vulnerabilities require non-default configuration.
Comment 1 Sam James archtester gentoo-dev Security 2020-03-01 01:57:49 UTC
NOTE: I have chosen C2 in the whiteboard because while pacman may be run as root, it seems unlikely and these vulnerabilities require a specific configuration.
Comment 2 Thomas Deutschmann gentoo-dev Security 2020-03-02 22:01:24 UTC
Package has no stable ebuild, changing rating to ~2.

Maintainer is maintainer-wanted@, not proxy-maint@.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2020-04-17 04:32:36 UTC
CVE-2019-9686 (https://nvd.nist.gov/vuln/detail/CVE-2019-9686):
  pacman before 5.1.3 allows directory traversal when installing a remote
  package via a specified URL "pacman -U <url>" due to an unsanitized file
  name received from a Content-Disposition header. pacman renames the
  downloaded package file to match the name given in this header. However,
  pacman did not sanitize this name, which may contain slashes, before calling
  rename(). A malicious server (or a network MitM if downloading over HTTP)
  can send a Content-Disposition header to make pacman place the file anywhere
  in the filesystem, potentially leading to arbitrary root code execution.
  Notably, this bypasses pacman's package signature checking. This occurs in
  curl_download_internal in lib/libalpm/dload.c.
Comment 4 John Helmert III gentoo-dev Security 2020-06-28 22:33:06 UTC
CCing treecleaner. Unmaintained in Gentoo, serious security issues.
Comment 5 Larry the Git Cow gentoo-dev 2020-06-29 07:26:46 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=998ca28d3b4397e3cdef0c5b9d9c81c81eda7918

commit 998ca28d3b4397e3cdef0c5b9d9c81c81eda7918
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-06-29 07:26:14 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-06-29 07:26:14 +0000

    package.mask: Last rite sys-apps/pacman
    
    Bug: https://bugs.gentoo.org/711134
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 profiles/package.mask | 6 ++++++
 1 file changed, 6 insertions(+)
Comment 6 Larry the Git Cow gentoo-dev 2020-07-29 11:31:45 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1229b2908e47bb2fed9cf77013f0440a421e1708

commit 1229b2908e47bb2fed9cf77013f0440a421e1708
Author:     Mikle Kolyada <zlogene@gentoo.org>
AuthorDate: 2020-07-29 11:29:19 +0000
Commit:     Mikle Kolyada <zlogene@gentoo.org>
CommitDate: 2020-07-29 11:31:31 +0000

    sys-apps/pacman: remove last-rited pkg
    
    Closes: https://bugs.gentoo.org/659474
    Closes: https://bugs.gentoo.org/627342
    Closes: https://bugs.gentoo.org/627348
    Closes: https://bugs.gentoo.org/711134
    
    Signed-off-by: Mikle Kolyada <zlogene@gentoo.org>

 sys-apps/pacman/Manifest                           |   1 -
 .../pacman/files/pacman-5.0.2-CVE-2016-5434.patch  | 136 ---------------------
 sys-apps/pacman/metadata.xml                       |  17 ---
 sys-apps/pacman/pacman-5.0.2-r2.ebuild             | 117 ------------------
 4 files changed, 271 deletions(-)