CVE-2019-9686 Information
Description
pacman before 5.1.3 allows directory traversal when installing a remote package via a specified URL (pacman -U url) due to an unsanitized file name received from a Content-Disposition header. pacman renames the downloaded package file to match the name given in this header. However, pacman did not sanitize this name, which may contain slashes, before calling rename(). A malicious server (or a network MitM if downloading over HTTP) can send a Content-Disposition header to make pacman place the file anywhere in the filesystem, potentially leading to arbitrary root code execution. Notably, this bypasses pacman’s package signature checking: the file is written to the attacker-chosen path at download time, before any signature on the package is verified. This occurs in curl_download_internal in lib/libalpm/dload.c.
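The following C program is an added illustration of the bug class described above; it is not pacman's dload.c and the function names (cd_filename, join_path, is_safe_download_name, rename_target), the cache directory and the header values are assumptions constructed for the example. It parses a Content-Disposition value, shows how naively joining the server-supplied name onto the cache directory yields a rename() target outside that directory, and beside it the hardened acceptance test that rejects any name that is not a single path component, which is the essence of the fix.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Pull the filename= parameter out of a Content-Disposition header value.
 * Handles quoted and unquoted forms and skips the RFC 5987 filename*= form.
 * Parameter names are matched case-sensitively here for brevity.
 * Returns a malloc'd string, or NULL when no filename= parameter exists. */
char *cd_filename(const char *header)
{
    const char *p = header;
    while((p = strstr(p, "filename")) != NULL) {
        const char *q = p + strlen("filename");
        /* must start a parameter: preceded by ';' or whitespace (or be first) */
        int at_boundary = (p == header) || p[-1] == ';' || isspace((unsigned char)p[-1]);
        while(*q == ' ' || *q == '\t') q++;
        if(!at_boundary || *q != '=') { p = q; continue; }   /* e.g. filename*= */
        q++;
        while(*q == ' ' || *q == '\t') q++;
        const char *end;
        if(*q == '"') {
            q++;
            end = strchr(q, '"');
            if(end == NULL) end = q + strlen(q);              /* unterminated quote */
        } else {
            end = q;
            while(*end && *end != ';' && !isspace((unsigned char)*end)) end++;
        }
        size_t n = (size_t)(end - q);
        char *out = malloc(n + 1);
        if(out == NULL) return NULL;
        memcpy(out, q, n);
        out[n] = '\0';
        return out;
    }
    return NULL;
}

/* Join cachedir and the header-supplied name exactly as the vulnerable
 * pattern does: the name is never inspected, so "../" segments walk out
 * of cachedir and an absolute name is appended verbatim. */
char *join_path(const char *cachedir, const char *name)
{
    size_t n = strlen(cachedir) + 1 + strlen(name) + 1;
    char *path = malloc(n);
    if(path == NULL) return NULL;
    snprintf(path, n, "%s/%s", cachedir, name);
    return path;
}

/* Hardened acceptance test for a server-supplied download name:
 * a single path component, not "." or "..", with no control characters. */
int is_safe_download_name(const char *name)
{
    if(name == NULL || *name == '\0') return 0;
    if(strchr(name, '/') != NULL || strchr(name, '\\') != NULL) return 0;
    if(strcmp(name, ".") == 0 || strcmp(name, "..") == 0) return 0;
    for(const unsigned char *c = (const unsigned char *)name; *c != '\0'; c++) {
        if(*c < 0x20 || *c == 0x7f) return 0;
    }
    return 1;
}

/* Compute the rename() target for a download. With hardened == 0 this
 * mirrors the CVE-2019-9686 behaviour; with hardened != 0 an unsafe name
 * is rejected (NULL), and a real client should then keep the URL-derived
 * name instead of trusting the header at all. */
char *rename_target(const char *cachedir, const char *content_disposition, int hardened)
{
    char *name = cd_filename(content_disposition);
    if(name == NULL) return NULL;
    char *path = NULL;
    if(!hardened || is_safe_download_name(name)) {
        path = join_path(cachedir, name);
    }
    free(name);
    return path;
}

int main(void)
{
    /* Constructed header values: what a malicious mirror (or an HTTP MitM) could send. */
    const char *cachedir = "/var/cache/pacman/pkg";
    const char *evil = "attachment; filename=\"../../../../etc/cron.d/pwn\"";
    const char *benign = "attachment; filename=foo-1.0-1-x86_64.pkg.tar.xz";

    char *v = rename_target(cachedir, evil, 0);
    printf("vulnerable: %s\n", v ? v : "(rejected)");   /* path escapes the cache directory */
    free(v);
    char *h = rename_target(cachedir, evil, 1);
    printf("hardened:   %s\n", h ? h : "(rejected)");
    free(h);
    char *b = rename_target(cachedir, benign, 1);
    printf("benign:     %s\n", b ? b : "(rejected)");
    free(b);
    return 0;
}
```

The check rejects the name rather than stripping to its basename: silently "fixing" an attacker-controlled name still lets the server pick which file in the cache directory gets overwritten, whereas rejecting it falls back to the name derived from the URL the user actually typed.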
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Reference
https://git.archlinux.org/pacman.git/commit/?h=release/5.1.x&id=1bf767234363f7ad5933af3f7ce267c123017bde
https://git.archlinux.org/pacman.git/commit/?id=9702703633bec2c007730006de2aeec8587dfc84
https://git.archlinux.org/pacman.git/commit/?id=d197d8ab82cf10650487518fb968067897a12775
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
Base Score
8.8
Base Severity
HIGH