Arch Linux Security Advisory ASA-201903-7
=========================================

Severity: High
Date    : 2019-03-11
CVE-ID  : CVE-2019-9686
Package : pacman
Type    : arbitrary code execution
Remote  : Yes
Link    : https://security.archlinux.org/AVG-921

Summary
=======

The package pacman before version 5.1.3-1 is vulnerable to arbitrary code execution.

Resolution
==========

Upgrade to 5.1.3-1.

# pacman -Syu "pacman>=5.1.3-1"

The problem has been fixed upstream in version 5.1.3.

Workaround
==========

None.

Description
===========

pacman prior to version 5.1.3 allows directory traversal when installing a remote package via a specified URL ("pacman -U") due to an unsanitized file name received from a Content-Disposition header. pacman renames the downloaded package file to match the name given in this header. However, pacman did not sanitize this name, which may contain slashes, before calling rename(). A malicious server (or a network MitM if downloading over HTTP) can send a Content-Disposition header to make pacman place the file anywhere in the filesystem, potentially leading to arbitrary root code execution. Notably, this bypasses pacman's package signature checking. This occurs in curl_download_internal in lib/libalpm/dload.c.

Impact
======

A remote attacker in the position of man-in-the-middle or a malicious server is able to execute arbitrary code as root when a user installs a remote package via a specified URL.

References
==========

https://git.archlinux.org/pacman.git/commit/?id=9702703633bec2c007730006de2aeec8587dfc84
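As an added illustration of the missing check the advisory describes (this is not pacman's own code nor its upstream fix), the following C program extracts the filename parameter from a Content-Disposition header value and accepts it only when it cannot move the rename() target out of the download directory; otherwise the name derived from the URL is kept. All function names and the sample headers below are constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Pull the filename= parameter out of a Content-Disposition header value.
 * Handles both quoted and bare tokens. Returns a malloc'd copy (caller frees)
 * or NULL when the parameter is absent or the quoted value is unterminated. */
static char *cd_extract_filename(const char *header)
{
    const char *p = strstr(header, "filename=");
    const char *end;
    size_t len;
    char *out;

    if (p == NULL) {
        return NULL;
    }
    p += strlen("filename=");
    while (*p == ' ' || *p == '\t') {
        p++;
    }
    if (*p == '"') {
        p++;
        end = strchr(p, '"');
        if (end == NULL) {
            return NULL;
        }
    } else {
        end = p;
        while (*end && strchr("; \t\r\n", *end) == NULL) {
            end++;
        }
    }
    len = (size_t)(end - p);
    out = malloc(len + 1);
    if (out == NULL) {
        return NULL;
    }
    memcpy(out, p, len);
    out[len] = '\0';
    return out;
}

/* Policy: a server-chosen name may only ever be a leaf inside the download
 * directory. Reject anything that could redirect the rename() target: empty
 * names, "." and "..", any path separator, and control characters. */
int cd_filename_is_safe(const char *name)
{
    const unsigned char *c;

    if (name == NULL || *name == '\0') {
        return 0;
    }
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0) {
        return 0;
    }
    for (c = (const unsigned char *)name; *c; c++) {
        if (*c == '/' || *c == '\\' || *c < 0x20 || *c == 0x7f) {
            return 0;
        }
    }
    return 1;
}

/* Choose the name the downloaded file will be renamed to. The header's name is
 * used only if it passes the policy; otherwise the name derived from the URL
 * stays in force. Returns 1 when the header name was used, 0 otherwise. */
int choose_download_name(const char *header, const char *url_basename,
                         char *out, size_t outlen)
{
    char *name = cd_extract_filename(header);
    int used_header = 0;

    if (name != NULL && cd_filename_is_safe(name)) {
        snprintf(out, outlen, "%s", name);
        used_header = 1;
    } else {
        snprintf(out, outlen, "%s", url_basename);
    }
    free(name);
    return used_header;
}

/* Helper: 1 if the name chosen for (header, url_basename) equals expected. */
int chosen_name_equals(const char *header, const char *url_basename,
                       const char *expected)
{
    char buf[256];

    choose_download_name(header, url_basename, buf, sizeof buf);
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed sample headers: one honest, one trying to leave the directory. */
    const char *good = "attachment; filename=\"example-1.0-1-x86_64.pkg.tar.xz\"";
    const char *bad  = "attachment; filename=\"../outside/example.pkg.tar.xz\"";
    char buf[256];
    int used;

    used = choose_download_name(good, "from-url.pkg.tar.xz", buf, sizeof buf);
    printf("good header -> used=%d name=%s\n", used, buf);
    used = choose_download_name(bad, "from-url.pkg.tar.xz", buf, sizeof buf);
    printf("bad header  -> used=%d name=%s\n", used, buf);
    return 0;
}
```

The design point is that the header value is treated as untrusted input with a narrow allow-list (a single path component), and that failing the check degrades to the URL-derived name rather than aborting, so a misbehaving mirror cannot influence where the file lands and the later signature check still runs on a file in the expected directory.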