Arch Linux pacman Remote Installation Directory Traversal Vulnerability

A vulnerability in pacman could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system.

The vulnerability exists in the curl_download_internal function, as defined in the lib/libalpm/dload.c source code file of the affected software, and is due to improper validation of user-supplied input when remote package installation operations are performed. An attacker with control of the remote package server, or with sufficient network access to perform a man-in-the-middle attack, could exploit this vulnerability by sending a Content-Disposition header that submits malicious input to the affected software when a user executes the pacman -U url command. A successful exploit could allow the attacker to place a file with malicious content on the user's system that could execute arbitrary code with root privileges and completely compromise the system.
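
As an added example (not pacman's own code), the C helper below shows the kind of check that mitigates this class of bug: it extracts the filename= parameter from a Content-Disposition header value and accepts only a bare file name with no path separators or "." / ".." components, so a server-supplied name can never escape the download directory. The function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Extract the filename= parameter of a Content-Disposition header value
 * into out (capacity outlen). Returns 1 on success, 0 if the parameter is
 * absent or empty. Hypothetical helper; the RFC 5987 filename*= form is
 * deliberately not handled and is treated as "no filename". */
int cd_extract_filename(const char *header, char *out, size_t outlen)
{
    const char *p = strstr(header, "filename=");
    if (!p) return 0;
    p += strlen("filename=");
    int quoted = (*p == '"');
    if (quoted) p++;
    size_t n = 0;
    while (*p && n + 1 < outlen) {
        /* quoted values end at the closing quote, bare ones at ';' or space */
        if (quoted ? *p == '"' : (*p == ';' || isspace((unsigned char)*p)))
            break;
        out[n++] = *p++;
    }
    out[n] = '\0';
    return n > 0;
}

/* Accept only a name that is safe to create directly inside the cache
 * directory: non-empty, not "." or "..", no '/' or '\\', no control bytes. */
int is_safe_download_name(const char *name)
{
    if (!name || !*name) return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0) return 0;
    for (const char *c = name; *c; c++) {
        if (*c == '/' || *c == '\\' || iscntrl((unsigned char)*c)) return 0;
    }
    return 1;
}

/* Combined check: 1 if the header yields a usable bare file name, else 0. */
int content_disposition_name_ok(const char *header, char *out, size_t outlen)
{
    return cd_extract_filename(header, out, outlen) && is_safe_download_name(out);
}

int main(void)
{
    char name[256];
    /* constructed sample header values, one benign and one with traversal */
    const char *ok = "attachment; filename=\"foo-1.0-1-x86_64.pkg.tar.xz\"";
    const char *bad = "attachment; filename=\"../foo.pkg.tar.xz\"";
    printf("%d\n", content_disposition_name_ok(ok, name, sizeof name));  /* 1 */
    printf("%d\n", content_disposition_name_ok(bad, name, sizeof name)); /* 0 */
    return 0;
}
```

On rejection the caller should fall back to the name derived from the request URL (or abort the download) rather than trust the header.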

Arch Linux has confirmed the vulnerability and released software updates.

Security Impact Rating: Critical

CVE: CVE-2019-9686

Source: Cisco Multivendor Vulnerability Alerts