Vulnerability just announced yesterday:
https://security.archlinux.org/ASA-201903-7
It was fixed for v5.1.3-1, which was released back on 2019-03-01 so update now if you’re on an older version.
@head Can I feel comfortable?
[don@don-pc ~]$ pacman -Qi pacman
[sudo] password di don:
Nome : pacman
Versione : 5.1.3-1
Descrizione : A library-based package manager with dependency
support
Architettura : x86_64
URL : https://www.archlinux.org/pacman/
Licenze : GPL
Gruppi : base base-devel
Fornisce : Nessuno
Dipenda da : bash glibc libarchive curl gpgme
pacman-mirrorlist archlinux-keyring
Dipendenze opzionali : perl-locale-gettext: translation support in
makepkg-template
xdelta3: delta support in repo-add
Richiesto da : arch-install-scripts package-query pacli
pacman-contrib yaourt yay
Opzionale per : Nessuno
Conflitti con : Nessuno
Sostituisce : Nessuno
Spazio richiesto : 4,60 MiB
Pacchettizzatore : Allan McRae <allan@archlinux.org>
Data di creazione : ven 01 mar 2019 02:41:56 CET
Data di installazione : ven 01 mar 2019 14:10:31 CET
Motivo dell'installazione : Installato esplicitamente
Script di install : No
Convalidato da : Firma
[don@don-pc ~]$
Good thing they picked up on that one, wouldn't be very nice to have pacman let in a nasty script. Not sure I understand what is going on though, does this mean you need to download say a PKGBUILD or official looking tarball via an external source or could the mitm attack come from inside official ARCH/AUR repos as well?
Yes, you have the fixed version.
Me neither
I think it only applies if you run pacman -U with a URL for a malicious server as the argument, in which case the server can make pacman place a file anywhere on the system thus leading to potential arbitrary code execution as root.
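
Added example (not part of the thread and not pacman's own code): a minimal sketch of the kind of check that keeps a downloaded file inside the package cache when the remote server chooses the file name. The function names are hypothetical, the sample names are constructed, and the cache path is assumed to be the download destination.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration, not pacman's source. All names are hypothetical.
 * Reduce a server-supplied file name to one safe path component.
 * Returns NULL when nothing usable remains. */
const char *safe_component(const char *name)
{
    const char *base;

    if (name == NULL)
        return NULL;
    base = strrchr(name, '/');          /* drop every directory part */
    base = base ? base + 1 : name;
    if (*base == '\0' || strcmp(base, ".") == 0 || strcmp(base, "..") == 0)
        return NULL;                    /* empty, "." or ".." */
    return base;
}

/* Build "<cachedir>/<component>" in out.
 * Returns 0 on success, -1 if the name is rejected or does not fit. */
int build_download_path(const char *cachedir, const char *server_name,
                        char *out, size_t outlen)
{
    const char *base = safe_component(server_name);
    int n;

    if (base == NULL)
        return -1;
    n = snprintf(out, outlen, "%s/%s", cachedir, base);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    /* Constructed sample names, as a remote server might send them. */
    const char *names[] = { "foo-1.0-1-x86_64.pkg.tar.xz",
                            "../../outside/foo.pkg.tar.xz", "/abs/foo.pkg", ".." };
    char path[256];
    size_t i;

    for (i = 0; i < sizeof names / sizeof names[0]; i++) {
        if (build_download_path("/var/cache/pacman/pkg", names[i], path, sizeof path) == 0)
            printf("%-32s -> %s\n", names[i], path);
        else
            printf("%-32s -> rejected\n", names[i]);
    }
    return 0;
}
```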