Pacman: arbitrary code execution

#1

Vulnerability just announced yesterday:

https://security.archlinux.org/ASA-201903-7

It was fixed for v5.1.3-1, which was released back on 2019-03-01 so update now if you’re on an older version.


#2

Thx for sharing the warning @Head_on_a_Stick , appreciated.


#3

@head Can I feel comfortable?

[don@don-pc ~]$ pacman -Qi pacman
[sudo] password di don: 
Nome                      : pacman
Versione                  : 5.1.3-1
Descrizione               : A library-based package manager with dependency
                            support
Architettura              : x86_64
URL                       : https://www.archlinux.org/pacman/
Licenze                   : GPL
Gruppi                    : base  base-devel
Fornisce                  : Nessuno
Dipenda da                : bash  glibc  libarchive  curl  gpgme
                            pacman-mirrorlist  archlinux-keyring
Dipendenze opzionali      : perl-locale-gettext: translation support in
                            makepkg-template
                            xdelta3: delta support in repo-add
Richiesto da              : arch-install-scripts  package-query  pacli
                            pacman-contrib  yaourt  yay
Opzionale per             : Nessuno
Conflitti con             : Nessuno
Sostituisce               : Nessuno
Spazio richiesto          : 4,60 MiB
Pacchettizzatore          : Allan McRae <allan@archlinux.org>
Data di creazione         : ven 01 mar 2019 02:41:56 CET
Data di installazione     : ven 01 mar 2019 14:10:31 CET
Motivo dell'installazione : Installato esplicitamente
Script di install         : No
Convalidato da            : Firma

[don@don-pc ~]$ 

#4

Looks good to me @ector


#5

Thanks @Head_on_a_Stick!


#6

Good thing they picked up on that one, wouldn't be very nice to have pacman let in a nasty script. Not sure I understand what is going on though, does this mean you need to download say a PKGBUILD or official looking tarball via an external source or could the MITM attack come from inside official ARCH/AUR repos as well?


#7

Yes, you have the fixed version.

Me neither :grin:

I think it only applies if you run pacman -U with a URL for a malicious server as the argument, in which case the server can make pacman place a file anywhere on the system thus leading to potential arbitrary code execution as root.
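The failure mode #7 describes (a remote server steering where `pacman -U <url>` writes its download), as an added illustration that is not code from this thread or from pacman itself. It assumes, for the purpose of the illustration, that the downloader derives the local filename from the last path component of the URL the server ends up serving, and shows the unsafe join next to a containment check that rejects anything but a plain filename inside the cache directory.

```python
import os
import posixpath
from urllib.parse import unquote, urlsplit

# pacman's default package cache, used here only as the containment root.
CACHE_DIR = "/var/cache/pacman/pkg"


def name_from_url(url: str) -> str:
    """Candidate local filename for `pacman -U <url>`.

    Assumption for this illustration: the downloader takes the last path
    component of the URL (after any redirect the server chooses), so the
    remote side controls this string.
    """
    return unquote(posixpath.basename(urlsplit(url).path))


def unsafe_destination(cache_dir: str, remote_name: str) -> str:
    """Vulnerable pattern: join the remote-controlled name to the cache dir as-is."""
    return os.path.normpath(os.path.join(cache_dir, remote_name))


def safe_destination(cache_dir: str, remote_name: str) -> str:
    """Hardened pattern: accept only a single plain path component.

    Rejects (rather than silently rewriting) any name containing a separator,
    NUL or a dot-directory, then re-checks that the resolved path is a direct
    child of the cache directory. Raises ValueError on any violation.
    """
    name = unquote(remote_name)  # also catches encoded separators such as %2F
    if name in ("", ".", "..") or any(c in name for c in "/\\\0"):
        raise ValueError(f"refusing package filename {remote_name!r}")
    root = os.path.realpath(cache_dir)
    dest = os.path.realpath(os.path.join(root, name))
    if os.path.dirname(dest) != root:
        raise ValueError(f"{remote_name!r} resolves outside {cache_dir}")
    return dest


def is_accepted(cache_dir: str, remote_name: str) -> bool:
    """True if the hardened check would write the file inside cache_dir."""
    try:
        safe_destination(cache_dir, remote_name)
    except ValueError:
        return False
    return True
```

Feeding a constructed URL through `name_from_url` and then `unsafe_destination` shows a path that lands outside the cache, while `safe_destination` refuses the same name; only a plain package filename passes.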