CVE-2019-9686

Name of the Vulnerable Software and Affected Versions pacman versions prior to 5.1.3

Description The issue allows directory traversal when installing a remote package via a specified URL, due to an unsanitized file name received from a Content-Disposition header. This can lead to arbitrary root code execution, bypassing package signature checking. A malicious server or a network MitM can send a Content-Disposition header to make pacman place the file anywhere in the filesystem.

Recommendations For versions prior to 5.1.3, update to version 5.1.3 or later to resolve the issue. As a temporary workaround, consider avoiding the use of the -U option with URLs to minimize the risk of exploitation. Restrict access to the curl download internal function in lib/libalpm/dload.c to minimize the risk of exploitation.