CVE-2019-9686 (GCVE-0-2019-9686)
Vulnerability from cvelistv5
Published
2019-03-11 16:00
Modified
2024-08-04 21:54
Severity ?
CWE
  • n/a
Summary
pacman before 5.1.3 allows directory traversal when installing a remote package via a specified URL "pacman -U <url>" due to an unsanitized file name received from a Content-Disposition header. pacman renames the downloaded package file to match the name given in this header. However, pacman did not sanitize this name, which may contain slashes, before calling rename(). A malicious server (or a network MitM if downloading over HTTP) can send a Content-Disposition header to make pacman place the file anywhere in the filesystem, potentially leading to arbitrary root code execution. Notably, this bypasses pacman's package signature checking. This occurs in curl_download_internal in lib/libalpm/dload.c.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T21:54:45.486Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://git.archlinux.org/pacman.git/commit/?id=d197d8ab82cf10650487518fb968067897a12775"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://git.archlinux.org/pacman.git/commit/?h=release/5.1.x\u0026id=1bf767234363f7ad5933af3f7ce267c123017bde"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://git.archlinux.org/pacman.git/commit/?id=9702703633bec2c007730006de2aeec8587dfc84"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2019-03-11T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "pacman before 5.1.3 allows directory traversal when installing a remote package via a specified URL \"pacman -U \u003curl\u003e\" due to an unsanitized file name received from a Content-Disposition header. pacman renames the downloaded package file to match the name given in this header. However, pacman did not sanitize this name, which may contain slashes, before calling rename(). A malicious server (or a network MitM if downloading over HTTP) can send a Content-Disposition header to make pacman place the file anywhere in the filesystem, potentially leading to arbitrary root code execution. Notably, this bypasses pacman\u0027s package signature checking. This occurs in curl_download_internal in lib/libalpm/dload.c."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-03-11T16:57:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://git.archlinux.org/pacman.git/commit/?id=d197d8ab82cf10650487518fb968067897a12775"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://git.archlinux.org/pacman.git/commit/?h=release/5.1.x\u0026id=1bf767234363f7ad5933af3f7ce267c123017bde"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://git.archlinux.org/pacman.git/commit/?id=9702703633bec2c007730006de2aeec8587dfc84"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2019-9686",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "pacman before 5.1.3 allows directory traversal when installing a remote package via a specified URL \"pacman -U \u003curl\u003e\" due to an unsanitized file name received from a Content-Disposition header. pacman renames the downloaded package file to match the name given in this header. However, pacman did not sanitize this name, which may contain slashes, before calling rename(). A malicious server (or a network MitM if downloading over HTTP) can send a Content-Disposition header to make pacman place the file anywhere in the filesystem, potentially leading to arbitrary root code execution. Notably, this bypasses pacman\u0027s package signature checking. This occurs in curl_download_internal in lib/libalpm/dload.c."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://git.archlinux.org/pacman.git/commit/?id=d197d8ab82cf10650487518fb968067897a12775",
              "refsource": "MISC",
              "url": "https://git.archlinux.org/pacman.git/commit/?id=d197d8ab82cf10650487518fb968067897a12775"
            },
            {
              "name": "https://git.archlinux.org/pacman.git/commit/?h=release/5.1.x\u0026id=1bf767234363f7ad5933af3f7ce267c123017bde",
              "refsource": "MISC",
              "url": "https://git.archlinux.org/pacman.git/commit/?h=release/5.1.x\u0026id=1bf767234363f7ad5933af3f7ce267c123017bde"
            },
            {
              "name": "https://git.archlinux.org/pacman.git/commit/?id=9702703633bec2c007730006de2aeec8587dfc84",
              "refsource": "MISC",
              "url": "https://git.archlinux.org/pacman.git/commit/?id=9702703633bec2c007730006de2aeec8587dfc84"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2019-9686",
    "datePublished": "2019-03-11T16:00:00",
    "dateReserved": "2019-03-11T00:00:00",
    "dateUpdated": "2024-08-04T21:54:45.486Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2019-9686\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2019-03-11T16:29:00.283\",\"lastModified\":\"2024-11-21T04:52:06.510\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"pacman before 5.1.3 allows directory traversal when installing a remote package via a specified URL \\\"pacman -U \u003curl\u003e\\\" due to an unsanitized file name received from a Content-Disposition header. pacman renames the downloaded package file to match the name given in this header. However, pacman did not sanitize this name, which may contain slashes, before calling rename(). A malicious server (or a network MitM if downloading over HTTP) can send a Content-Disposition header to make pacman place the file anywhere in the filesystem, potentially leading to arbitrary root code execution. Notably, this bypasses pacman\u0027s package signature checking. This occurs in curl_download_internal in lib/libalpm/dload.c.\"},{\"lang\":\"es\",\"value\":\"pacman, en versiones anteriores a la 5.1.3, permite un salto de directorio a la hora de instalar un paquete remoto mediante una URL \\\"pacman -U \\\" especificado debido a un nombre de archivo no saneado que se recibe desde una cabecera \\\"Content-Disposition\\\". pacman renombra el paquete de archivo descargado para que concuerde con el nombre proporcionado en la misma cabecera. Sin embargo, pacman no saneaba este nombre, el cual puede contener barras, antes de llamar a rename(). Un servidor malicioso (o un MitM en la red si la descarga se efect\u00faa sobre HTTP) puede enviar una cabecera \\\"Content-Disposition\\\" para hacer que pacman coloque el archivo en cualquier sitio en el sistema de archivos, conduciendo, potencialmente, a una ejecuci\u00f3n de c\u00f3digo root arbitrario. En particular, esto omite la comprobaci\u00f3n de firmas de paquetes de pacman. Esto ocurre en curl_download_internal en lib/libalpm/dload.c.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:C/I:C/A:C\",\"baseScore\":9.3,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"COMPLETE\",\"integrityImpact\":\"COMPLETE\",\"availabilityImpact\":\"COMPLETE\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":8.6,\"impactScore\":10.0,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:pacman_project:pacman:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"5.1.3\",\"matchCriteriaId\":\"53E5D4C7-A60E-4422-9168-9EBFC93FF985\"}]}]}],\"references\":[{\"url\":\"https://git.archlinux.org/pacman.git/commit/?h=release/5.1.x\u0026id=1bf767234363f7ad5933af3f7ce267c123017bde\",\"source\":\"cve@mitre.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://git.archlinux.org/pacman.git/commit/?id=9702703633bec2c007730006de2aeec8587dfc84\",\"source\":\"cve@mitre.org\",\"tags\":[\"Mailing List\",\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://git.archlinux.org/pacman.git/commit/?id=d197d8ab82cf10650487518fb968067897a12775\",\"source\":\"cve@mitre.org\",\"tags\":[\"Mailing List\",\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://git.archlinux.org/pacman.git/commit/?h=release/5.1.x\u0026id=1bf767234363f7ad5933af3f7ce267c123017bde\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://git.archlinux.org/pacman.git/commit/?id=9702703633bec2c007730006de2aeec8587dfc84\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://git.archlinux.org/pacman.git/commit/?id=d197d8ab82cf10650487518fb968067897a12775\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Patch\",\"Third Party Advisory\"]}]}}"
  }
}

