CVE-2019-9686
Published 2019-03-11
Priority: P346high; CVSS 3.1 base score 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS: 3.39% (87.3rd percentile)
pacman before 5.1.3 allows directory traversal when installing a remote package via a specified URL "pacman -U " due to an unsanitized file name received from a Content-Disposition header. pacman renames the downloaded package file to match the name given in this header. However, pacman did not sanitize this name, which may contain slashes, before calling rename(). A malicious server (or a network MitM if downloading over HTTP) can send a Content-Disposition header to make pacman place the file anywhere in the filesystem, potentially leading to arbitrary root code execution. Notably, this bypasses pacman's package signature checking. This occurs in curl_download_internal in lib/libalpm/dload.c.
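The defect above is a missing check between the header value and rename(). As an added defensive example (not pacman's code and not the upstream fix; the header parser and function names are assumptions), this accepts a Content-Disposition filename only when it is a plain basename, which is the property a rename() into the download directory actually needs:

```c
#include <stdio.h>
#include <string.h>

/* Pull the filename= value out of a Content-Disposition header value.
 * Simplified parser (constructed for this example): handles quoted and
 * bare tokens, ignores RFC 5987 filename* forms. Returns 1 on success. */
static int parse_disposition_filename(const char *header, char *out, size_t outlen)
{
    const char *p = strstr(header, "filename=");
    size_t n = 0;
    int quoted;

    if (p == NULL) return 0;
    p += strlen("filename=");
    quoted = (*p == '"');
    if (quoted) p++;
    while (*p != '\0' && n + 1 < outlen) {
        if (quoted && *p == '"') break;
        if (!quoted && (*p == ';' || *p == ' ')) break;
        out[n++] = *p++;
    }
    out[n] = '\0';
    return n > 0;
}

/* The property rename() needs: the name must stay inside the download
 * directory, so reject empty names, "." / "..", and any path separator. */
static int is_safe_basename(const char *name)
{
    if (name[0] == '\0') return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0) return 0;
    if (strchr(name, '/') != NULL) return 0;
    return 1;
}

/* Returns 1 and fills out with a usable basename, or 0 when the header
 * must be ignored and the caller should keep the URL-derived name. */
int safe_name_from_disposition(const char *header, char *out, size_t outlen)
{
    if (!parse_disposition_filename(header, out, outlen)) return 0;
    return is_safe_basename(out);
}
```

Ignoring a rejected header (rather than failing the download) keeps the URL-derived name, which is what the client chose to fetch; the signature check that follows then applies to a file in the expected location.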
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| pacman_project | pacman | < 5.1.3 | 5.1.3 |
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2019-9686 pacman: directory traversal vulnerability in lib/libalpm/dload.c [fedora-all]
bugzilla·2019-03-12·CVSS 8.8
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supp
Bugzilla
CVE-2019-9686 pacman: directory traversal vulnerability in lib/libalpm/dload.c
bugzilla·2019-03-12·CVSS 8.8
Upstream commits
https://git.archlinux.org/pacman.git/commit/?h=release/5.1.x&id=1bf767234363f7ad5933af3f7ce267c123017bde
https://git.archlinux.org/pacman.git/commit/?id=9702703633bec2c007730006de2aeec8587dfc84
https://git.archlinux.org/pacman.git/commit/?id=d197d8ab82cf10650487518fb968067897a12775