Pacman: arbitrary code execution

Head_on_a_Stick · 2019-03-12 20:36:56 UTC

Vulnerability just announced yesterday:

https://security.archlinux.org/ASA-201903-7

It was fixed for v5.1.3-1, which was released back on 2019-03-01 so update now if you’re on an older version.

altman · 2019-03-12 20:37:53 UTC

Thx for sharing the warning @Head_on_a_Stick , appreciated.

ector · 2019-03-12 21:39:54 UTC

@head Can I feel comfortable?

[don@don-pc ~]$ pacman -Qi pacman
[sudo] password di don: 
Nome                      : pacman
Versione                  : 5.1.3-1
Descrizione               : A library-based package manager with dependency
                            support
Architettura              : x86_64
URL                       : https://www.archlinux.org/pacman/
Licenze                   : GPL
Gruppi                    : base  base-devel
Fornisce                  : Nessuno
Dipenda da                : bash  glibc  libarchive  curl  gpgme
                            pacman-mirrorlist  archlinux-keyring
Dipendenze opzionali      : perl-locale-gettext: translation support in
                            makepkg-template
                            xdelta3: delta support in repo-add
Richiesto da              : arch-install-scripts  package-query  pacli
                            pacman-contrib  yaourt  yay
Opzionale per             : Nessuno
Conflitti con             : Nessuno
Sostituisce               : Nessuno
Spazio richiesto          : 4,60 MiB
Pacchettizzatore          : Allan McRae <allan@archlinux.org>
Data di creazione         : ven 01 mar 2019 02:41:56 CET
Data di installazione     : ven 01 mar 2019 14:10:31 CET
Motivo dell'installazione : Installato esplicitamente
Script di install         : No
Convalidato da            : Firma

[don@don-pc ~]$

altman · 2019-03-12 21:41:54 UTC

Looks good to me @ector

Negata · 2019-03-12 22:00:49 UTC

Thanks @Head_on_a_Stick!

s7l · 2019-03-13 14:44:21 UTC

Good thing they picked up on that one, wouldnt be very nice to have pacman let in a nasty script. Not sure i understand what is going on though, does this mean you need to download say a PKGBUILD or official looking tarball via an external source or could the mitm attack come from inside offical ARCH/AUR repos as well?

Head_on_a_Stick · 2019-03-13 20:19:59 UTC

Yes, you have the fixed version.

Me neither

I think it only applies if you run pacman -U with a URL for a malicious server as the argument, in which case the server can make pacman place a file anywhere on the system thus leading to potential arbitrary code execution as root.