CVE-2019-18182
Published 2020-02-24
Priority: P260 · Severity: critical · CVSS 3.1 base score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 3.67% (88.3rd percentile)
pacman before 5.2 is vulnerable to arbitrary command injection in conf.c in the download_with_xfercommand() function. This can be exploited when unsigned databases are used. To exploit the vulnerability, the user must enable a non-default XferCommand and retrieve an attacker-controlled crafted database and package.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| pacman_project | pacman | < 5.2 | 5.2 |
Detection & IOCs (extracted from sources)
- The vulnerability exists in the download_with_xfercommand() function within conf.c in pacman before 5.2; monitor for arbitrary command injection via a non-default XferCommand configuration combined with attacker-controlled database/package retrieval.
- The upstream fix is available at the referenced commit; use it as a patch-level indicator to confirm whether a deployed pacman binary is patched.
- Exploitation requires the user to have enabled a non-default XferCommand in pacman configuration; systems using only the default (no XferCommand set) are not exploitable.
- Exploitation also requires unsigned databases to be in use; signed database enforcement mitigates the attack vector.
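As an added example (not from the advisory, the aggregator or the pacman project), the following POSIX shell script turns the two preconditions above and the patch-level indicator into a local audit: it reads the [options] section of a pacman.conf, reports whether a non-default XferCommand is set and whether the SigLevel accepts unsigned databases, and compares an installed version string against the fixed release 5.2. The function names, the three sample configurations and the choice to treat an absent SigLevel as accepting unsigned databases are this example's own assumptions; only the [options] section is inspected, so per-repository SigLevel overrides are not considered.

```shell
#!/bin/sh
# Added example (not from the advisory or the pacman project): audit a pacman.conf
# for the two preconditions CVE-2019-18182 needs, a non-default XferCommand and a
# SigLevel that accepts unsigned databases, and check a version string against
# the fixed release 5.2. The sample configs below are constructed for the demo.

# Print the last uncommented value of KEY in the [options] section of FILE.
# Only [options] is inspected; per-repository SigLevel overrides are ignored
# (a simplification made by this example).
conf_value() {
    awk -v key="$2" '
        /^[ \t]*#/  { next }                                     # comment line
        /^[ \t]*\[/ { in_opts = ($0 ~ /^[ \t]*\[options\]/); next } # section header
        in_opts && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); val = $0
        }
        END { print val }
    ' "$1"
}

# Return 0 when SIGLEVEL accepts unsigned databases. Tokens apply left to right,
# later ones overriding earlier ones; Database* tokens override the unprefixed
# setting for databases only, and Package*/trust tokens are irrelevant here.
# An empty SigLevel is treated as accepting unsigned databases (conservative
# assumption of this example, not a statement about pacman's compiled-in default).
db_unsigned_allowed() {
    rc=0
    for tok in $1; do
        case "$tok" in
            Required|DatabaseRequired)                      rc=1 ;;
            Optional|Never|DatabaseOptional|DatabaseNever)  rc=0 ;;
        esac
    done
    return $rc
}

# Return 0 when VERSION (e.g. "5.1.3-1" as printed by `pacman -Q pacman`) is older than 5.2.
version_before_5_2() {
    printf '%s\n' "$1" | awk -F'[.-]' '{ exit !($1 < 5 || ($1 == 5 && $2 < 2)) }'
}

# Evaluate FILE: return 0 (exposed) when both preconditions hold, 1 otherwise.
assess_conf() {
    xfer=$(conf_value "$1" XferCommand)
    sig=$(conf_value "$1" SigLevel)
    if [ -z "$xfer" ]; then
        echo "$1: no XferCommand set; the vulnerable code path is not reachable"
        return 1
    fi
    if db_unsigned_allowed "$sig"; then
        echo "$1: XferCommand='$xfer' and SigLevel='$sig' accepts unsigned databases: upgrade to pacman >= 5.2 or require database signatures"
        return 0
    fi
    echo "$1: XferCommand set but database signatures are required; mitigated (upgrade anyway)"
    return 1
}

# Write one of three constructed sample configs to PATH: vulnerable, signed or default.
make_sample_conf() {
    case "$2" in
        vulnerable) cat > "$1" <<'EOF'
[options]
HoldPkg = pacman glibc
# custom downloader enabled while unsigned databases are accepted
XferCommand = /usr/bin/curl -C - -f %u > %o
SigLevel = Required DatabaseOptional

[core]
SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist
EOF
        ;;
        signed) cat > "$1" <<'EOF'
[options]
XferCommand = /usr/bin/curl -C - -f %u > %o
SigLevel = Required DatabaseRequired
EOF
        ;;
        default) cat > "$1" <<'EOF'
[options]
#XferCommand = /usr/bin/curl -C - -f %u > %o
SigLevel = Required DatabaseOptional
EOF
        ;;
    esac
}

# Demo: run the checks over the constructed samples and a sample version string.
tmp=$(mktemp -d)
for kind in vulnerable signed default; do
    make_sample_conf "$tmp/$kind.conf" "$kind"
    assess_conf "$tmp/$kind.conf" || true
done
if version_before_5_2 "5.1.3-1"; then echo "pacman 5.1.3-1 predates the fix in 5.2"; fi
rm -rf "$tmp"
```

On a real host, call `assess_conf /etc/pacman.conf` and pass the version field of `pacman -Q pacman` to `version_before_5_2`; an exposed result means both the configuration preconditions and the unpatched version are present, and requiring database signatures removes the first precondition even before the upgrade.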
CVSS provenance
- NVD, CVSS v3.1: 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- NVD, CVSS v2.0: 6.8 MEDIUM (AV:N/AC:M/Au:N/C:P/I:P/A:P)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2019-18182 pacman: allows arbitrary command injection in conf.c in download_with_xfercommand function
bugzilla · 2020-03-02 · CVSS 9.8 · CRITICAL
pacman before 5.2 is vulnerable to arbitrary command injection in conf.c in the download_with_xfercommand() function. This can be exploited when unsigned databases are used. To exploit the vulnerability, the user must enable a non-default XferCommand and retrieve an attacker-controlled crafted database and package.
Reference and upstream commit:
https://git.archlinux.org/pacman.git/commit/?id=808a4f15ce82d2ed7eeb06de73d0f313620558ee
Discussion:
Created pacman tracking bugs for this issue:
Affects: fedora-all [bug 1809299]
---
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. R
Bugzilla
CVE-2019-18182 pacman: allows arbitrary command injection in conf.c in download_with_xfercommand function [fedora-all]
bugzilla · 2020-03-02 · CVSS 9.8 · CRITICAL
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this
References
- https://git.archlinux.org/pacman.git/commit/?id=808a4f15ce82d2ed7eeb06de73d0f313620558ee
- https://git.archlinux.org/pacman.git/tree/src/pacman/conf.c?h=v5.1.3#n263
- https://github.com/alpinelinux/alpine-secdb/blob/master/v3.11/community.yaml
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2TTUXXUW5OCOASIRMJK4RHEPLEA33Y6C/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/K53C45EDWBU3UCN3IRIGR5EZUNWXS7BW/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KIDJ4XKBZRRVRFFGKUA3ZU6NFIP5JUG3/