CVE-2019-18183

Name of the Vulnerable Software and Affected Versions pacman versions prior to 5.2

Description The issue allows for arbitrary command injection in the apply deltas() function, located in lib/libalpm/sync.c. This can be exploited when unsigned databases are used, and the user has enabled the non-default delta feature. The exploitation requires the user to retrieve an attacker-controlled crafted database and delta file.

Recommendations For versions prior to 5.2, update to version 5.2 or later to resolve the issue. As a temporary workaround, consider disabling the delta feature until a patch is available. Avoid using unsigned databases to minimize the risk of exploitation.