CVE-2019-18182

Name of the Vulnerable Software and Affected Versions pacman versions prior to 5.2

Description The issue allows for arbitrary command injection in the download with xfercommand() function, located in conf.c. This can be exploited when unsigned databases are used, provided the user has enabled a non-default XferCommand and retrieves a crafted database and package from an attacker.

Recommendations For versions prior to 5.2, update to version 5.2 or later to resolve the issue. As a temporary workaround, consider disabling the use of non-default XferCommands until a patch is applied. Restrict access to unsigned databases to minimize the risk of exploitation. Avoid retrieving packages from untrusted sources until the issue is resolved.