Pacman: arbitrary code execution

Vulnerability just announced yesterday:

It was fixed for v5.1.3-1, which was released back on 2019-03-01 so update now if you’re on an older version.


Thanks for sharing the warning @Head_on_a_Stick, appreciated.

@head Can I feel comfortable?

[don@don-pc ~]$ pacman -Qi pacman
[sudo] password for don: 
Name            : pacman
Version         : 5.1.3-1
Description     : A library-based package manager with dependency
Architecture    : x86_64
URL             :
Licenses        : GPL
Groups          : base  base-devel
Provides        : None
Depends On      : bash  glibc  libarchive  curl  gpgme
                  pacman-mirrorlist  archlinux-keyring
Optional Deps   : perl-locale-gettext: translation support in
                  xdelta3: delta support in repo-add
Required By     : arch-install-scripts  package-query  pacli
                  pacman-contrib  yaourt  yay
Optional For    : None
Conflicts With  : None
Replaces        : None
Installed Size  : 4.60 MiB
Packager        : Allan McRae <>
Build Date      : Fri 01 Mar 2019 02:41:56 CET
Install Date    : Fri 01 Mar 2019 14:10:31 CET
Install Reason  : Explicitly installed
Install Script  : No
Validated By    : Signature

[don@don-pc ~]$ 

Looks good to me @ector

Thanks @Head_on_a_Stick!


Good thing they picked up on that one, it wouldn't be very nice to have pacman let in a nasty script. Not sure I understand what is going on though: does this mean you need to download, say, a PKGBUILD or official-looking tarball via an external source, or could the MITM attack come from inside the official Arch/AUR repos as well?

Yes, you have the fixed version.

Me neither :grin:

I think it only applies if you run pacman -U with a URL for a malicious server as the argument, in which case the server can make pacman place a file anywhere on the system, thus leading to potential arbitrary code execution as root.
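Picking up the "can I feel comfortable?" question above: the following is an added example, my own script rather than code from the thread or from pacman itself. It reads the Version field from pacman -Qi output like the one posted above (the embedded sample is constructed from that post), and compares it against 5.1.3-1 using a reimplementation of pacman's epoch:pkgver-pkgrel ordering, so it works without libalpm. On a live Arch system it queries pacman -Q pacman instead; the FIXED_VERSION value is taken from the thread.

```python
"""Check whether an installed pacman is at or past the fixed 5.1.3-1.

Added example; not code from the thread or from pacman.  The ordering below
reimplements the alpm/rpm segment rules (epoch, then pkgver, then pkgrel).
"""
import re
import subprocess

FIXED_VERSION = "5.1.3-1"   # from the thread: first release carrying the fix

# Constructed sample: English-locale 'pacman -Qi pacman' excerpt that
# mirrors the output posted above.
SAMPLE_QI = """\
Name            : pacman
Version         : 5.1.3-1
Description     : A library-based package manager with dependency
Architecture    : x86_64
Validated By    : Signature
"""


def parse_qi_version(text):
    """Return the Version field from 'pacman -Qi' output."""
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "Version":
            return value.strip()
    raise ValueError("no Version field in pacman -Qi output")


def _split(version):
    """'[epoch:]pkgver[-pkgrel]' -> (epoch, pkgver, pkgrel or None)."""
    epoch, _, rest = version.partition(":") if ":" in version else ("0", "", version)
    pkgver, sep, pkgrel = rest.rpartition("-")
    if not sep:                       # no pkgrel present at all
        pkgver, pkgrel = pkgrel, None
    return int(epoch), pkgver, pkgrel


def _segment_cmp(a, b):
    """Compare two version strings segment by segment (rpmvercmp-style rules)."""
    sa = re.findall(r"\d+|[A-Za-z]+", a)   # separators like '.', '_' are ignored
    sb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)        # numeric compare, leading zeros dropped
            if xi != yi:
                return 1 if xi > yi else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment is newer than alpha
        elif x != y:
            return 1 if x > y else -1        # both alpha: plain string order
    if len(sa) == len(sb):
        return 0
    a_longer = len(sa) > len(sb)
    leftover = (sa if a_longer else sb)[min(len(sa), len(sb))]
    # leftover digits win ('5.1.3.1' > '5.1.3'); leftover letters lose ('5.1.3rc1' < '5.1.3')
    if leftover.isdigit():
        return 1 if a_longer else -1
    return -1 if a_longer else 1


def vercmp(a, b):
    """-1, 0 or 1, in the same sense as pacman's vercmp(8)."""
    ea, va, ra = _split(a)
    eb, vb, rb = _split(b)
    if ea != eb:
        return 1 if ea > eb else -1
    ret = _segment_cmp(va, vb)
    if ret == 0 and ra is not None and rb is not None:   # pkgrel only counts if both have one
        ret = _segment_cmp(ra, rb)
    return ret


def is_fixed(installed, fixed=FIXED_VERSION):
    """True when the installed version is the fixed release or newer."""
    return vercmp(installed, fixed) >= 0


def installed_pacman_version():
    """Ask the live system; None when pacman is not present (e.g. not on Arch)."""
    try:
        out = subprocess.run(["pacman", "-Q", "pacman"],
                             capture_output=True, text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return out.split()[1]          # 'pacman 5.1.3-1' -> '5.1.3-1'


if __name__ == "__main__":
    ver = installed_pacman_version() or parse_qi_version(SAMPLE_QI)
    print(ver, "fixed" if is_fixed(ver) else "VULNERABLE: update pacman")
```

Epoch is compared first, so an epoch-bumped package always sorts newer regardless of pkgver, and a missing pkgrel on either side is treated as equal rather than older, which matches how pacman treats a bare pkgver.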