CVE-2019-18183
Published: 2020-02-24
Severity: Critical, CVSS 3.1 base score 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 3.67% (88.3rd percentile)
pacman before 5.2 is vulnerable to arbitrary command injection in lib/libalpm/sync.c in the apply_deltas() function. This can be exploited when unsigned databases are used. To exploit the vulnerability, the user must enable the non-default delta feature and retrieve an attacker-controlled crafted database and delta file.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| pacman_project | pacman | < 5.2 | 5.2 |
Detection & IOCs (extracted from sources)
- Vulnerable code is located in lib/libalpm/sync.c within the apply_deltas() function; monitor for command injection attempts targeting this code path in pacman versions before 5.2.
- Exploitation requires the delta feature to be enabled (non-default) and an attacker-controlled database and delta file to be retrieved; alert on pacman delta feature usage combined with unsigned database configurations.
- Exploitation is only possible when unsigned databases are in use; systems enforcing database signature verification are not exploitable via this vector.
- The delta feature is non-default; exploitation requires the user to have explicitly enabled it in their pacman configuration.
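The two preconditions above (delta feature on, a repository whose database may be unsigned) are both visible in pacman.conf, so a defender can audit for them directly. The following is an added example, not code from this page or from the pacman project. It assumes the pacman 5.x option names UseDelta (in [options]) and SigLevel (global and per repository), pacman's documented SigLevel semantics (a token applies to both packages and databases unless prefixed with Package or Database, later tokens override earlier ones, and a repository section modifies the global level rather than replacing it), and a built-in default of Optional TrustedOnly when SigLevel is absent. The two configuration files are constructed samples.

```python
"""Audit a pacman.conf for the CVE-2019-18183 precondition:
deltas enabled (UseDelta) together with a repository that accepts
unsigned databases (SigLevel). Added example; assumes pacman 5.x keys."""
from typing import Dict, List

# Assumption: pacman's built-in SigLevel when none is configured.
DEFAULT_SIGLEVEL = ["Optional", "TrustedOnly"]

# Constructed sample: deltas on, global level lets databases go unsigned,
# [core] tightens it, [extra] inherits the weak global level, [custom] is weak.
SAMPLE_CONF = """
[options]
HoldPkg = pacman glibc
UseDelta = 0.7
SigLevel = Required DatabaseOptional

[core]
SigLevel = Required
Include = /etc/pacman.d/mirrorlist

[extra]
Include = /etc/pacman.d/mirrorlist

[custom]
SigLevel = Optional TrustAll
Server = file:///srv/pkgs
"""

# Constructed hardened variant: deltas disabled and databases required signed.
HARDENED_CONF = """
[options]
#UseDelta = 0.7
SigLevel = Required

[core]
Include = /etc/pacman.d/mirrorlist

[custom]
SigLevel = Optional TrustAll
Server = file:///srv/pkgs
"""


def parse_pacman_conf(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Minimal INI-style parser: section -> key -> list of values.
    Bare keys (e.g. 'Color') get an empty value; '#' comments and blank
    lines are dropped; Include files are not followed."""
    sections: Dict[str, Dict[str, List[str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
            continue
        if current is None:
            continue  # key before any section header: ignore
        key, _, value = line.partition("=")
        sections[current].setdefault(key.strip(), []).append(value.strip())
    return sections


def database_sig_required(tokens: List[str], default: bool = True) -> bool:
    """Do these SigLevel tokens require repository databases to be signed?
    'Package*' tokens are ignored, 'Database*' tokens are unprefixed, and the
    last applicable token wins. TrustedOnly/TrustAll only govern key trust."""
    required = default
    for tok in tokens:
        if tok.startswith("Package"):
            continue
        if tok.startswith("Database"):
            tok = tok[len("Database"):]
        if tok == "Required":
            required = True
        elif tok in ("Optional", "Never"):
            required = False
    return required


def siglevel_tokens(section: Dict[str, List[str]]) -> List[str]:
    """Flatten every SigLevel line of a section into one ordered token list."""
    return [tok for value in section.get("SigLevel", []) for tok in value.split()]


def audit_pacman_conf(text: str) -> dict:
    """Report delta usage, repositories accepting unsigned databases, and
    whether both preconditions of CVE-2019-18183 coincide."""
    conf = parse_pacman_conf(text)
    options = conf.get("options", {})
    use_delta = "UseDelta" in options  # any occurrence counts as enabled
    global_required = database_sig_required(
        siglevel_tokens(options), default=database_sig_required(DEFAULT_SIGLEVEL))
    unsigned = [name for name, section in conf.items() if name != "options"
                and not database_sig_required(siglevel_tokens(section), global_required)]
    return {"use_delta": use_delta, "unsigned_db_repos": unsigned,
            "at_risk": use_delta and bool(unsigned)}


if __name__ == "__main__":
    for label, conf in (("sample", SAMPLE_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_pacman_conf(conf))
```

Either remediation on its own clears the finding: removing UseDelta (or upgrading to pacman 5.2, which removed the delta feature) or making every repository's database signature Required. The hardened sample still lists [custom] as accepting unsigned databases, which is worth fixing regardless of this CVE.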
CVSS provenance
- NVD v3.1: 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- NVD v2.0: 6.8 MEDIUM (AV:N/AC:M/Au:N/C:P/I:P/A:P)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2019-18183 pacman: allows arbitrary command injection in lib/libalpm/sync.c in apply_deltas function
bugzilla · 2020-03-02 · CVSS 9.8 · CRITICAL
pacman before 5.2 is vulnerable to arbitrary command injection in lib/libalpm/sync.c in the apply_deltas() function. This can be exploited when unsigned databases are used. To exploit the vulnerability, the user must enable the non-default delta feature and retrieve an attacker-controlled crafted database and delta file.
Reference and upstream commit:
https://git.archlinux.org/pacman.git/commit/?id=c0e9be7973be6c81b22fde91516fb8991e7bb07b
Discussion:
Created pacman tracking bugs for this issue:
Affects: fedora-all [bug 1809301]
---
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat produ
Bugzilla
CVE-2019-18183 pacman: allows arbitrary command injection in lib/libalpm/sync.c in apply_deltas function [fedora-all]
bugzilla · 2020-03-02 · CVSS 9.8 · CRITICAL
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this i
References
- https://git.archlinux.org/pacman.git/commit/?id=c0e9be7973be6c81b22fde91516fb8991e7bb07b
- https://git.archlinux.org/pacman.git/tree/lib/libalpm/sync.c?h=v5.1.3#n767
- https://github.com/alpinelinux/alpine-secdb/blob/master/v3.11/community.yaml
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2TTUXXUW5OCOASIRMJK4RHEPLEA33Y6C/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/K53C45EDWBU3UCN3IRIGR5EZUNWXS7BW/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KIDJ4XKBZRRVRFFGKUA3ZU6NFIP5JUG3/