Vulnerability Information
Although we use advanced large-model technology, its output may still contain inaccurate or outdated information. Shenlong tries to ensure data accuracy, but please verify against the actual situation before relying on it.
Vulnerability Title
N/A
Vulnerability Description
pacman before 5.1.3 allows directory traversal when installing a remote package via a specified URL ("pacman -U <url>") because of an unsanitized file name taken from the server's Content-Disposition header. pacman renames the downloaded package file to the name given in this header, but before 5.1.3 it did not sanitize that name, which may contain slashes, before calling rename(). A malicious server (or a network MitM, if downloading over HTTP) can therefore send a Content-Disposition header that makes pacman place the file anywhere in the filesystem, potentially leading to arbitrary code execution as root. Notably, this bypasses pacman's package signature checking. The flaw is in curl_download_internal in lib/libalpm/dload.c.
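The following C program is an added illustration of the bug class described above; it is not pacman/libalpm code. The header parser, the path join and the hardening check are assumptions written for this example, the header value and cache directory are constructed inputs, and no rename() is performed: the functions only compute the destination path that the vulnerable code would hand to rename(), show where that path resolves, and show a hardened variant that refuses anything other than a plain basename (the intent of the fix, not pacman's exact patch).

```c
/* Added example, not pacman's code. Models CVE-style Content-Disposition
 * filename handling: unsanitized destination vs. a hardened check. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Extract the filename parameter from a Content-Disposition value, handling
 * both filename="quoted" and a bare token. Returns a malloc'd copy or NULL. */
char *cd_filename(const char *header)
{
    const char *p = strstr(header, "filename=");
    if (!p) return NULL;
    p += strlen("filename=");
    const char *end;
    if (*p == '"') {
        p++;
        end = strchr(p, '"');
        if (!end) return NULL;
    } else {
        end = p + strcspn(p, "; \t\r\n");
    }
    size_t len = (size_t)(end - p);
    char *out = malloc(len + 1);
    if (!out) return NULL;
    memcpy(out, p, len);
    out[len] = '\0';
    return out;
}

/* Join cache directory and file name exactly as the vulnerable code would. */
static char *join_path(const char *dir, const char *name)
{
    size_t len = strlen(dir) + 1 + strlen(name) + 1;
    char *path = malloc(len);
    if (path) snprintf(path, len, "%s/%s", dir, name);
    return path;
}

/* Pre-5.1.3 behaviour: the header name goes straight into the destination. */
char *dest_unsanitized(const char *cachedir, const char *header)
{
    char *name = cd_filename(header);
    if (!name) return NULL;
    char *path = join_path(cachedir, name);
    free(name);
    return path;
}

/* Hardening check (assumption for this example): accept only a plain basename. */
int cd_filename_is_safe(const char *name)
{
    if (!name || !*name) return 0;
    if (strchr(name, '/')) return 0;                  /* the traversal vector */
    if (!strcmp(name, ".") || !strcmp(name, "..")) return 0;
    for (const unsigned char *c = (const unsigned char *)name; *c; c++)
        if (*c < 0x20 || *c == 0x7f) return 0;       /* no control characters */
    return 1;
}

/* Hardened variant: refuse the rename when the name is not a plain basename. */
char *dest_hardened(const char *cachedir, const char *header)
{
    char *name = cd_filename(header);
    if (!name) return NULL;
    char *path = cd_filename_is_safe(name) ? join_path(cachedir, name) : NULL;
    free(name);
    return path;
}

/* Collapse "." and ".." components of an absolute path so the reader can see
 * where rename() would really write; the kernel does this resolution itself. */
char *normalize_path(const char *path)
{
    size_t n = strlen(path);
    char *copy = malloc(n + 1), *out = malloc(n + 2);
    if (!copy || !out) { free(copy); free(out); return NULL; }
    memcpy(copy, path, n + 1);
    size_t olen = 1;
    out[0] = '/'; out[1] = '\0';
    for (char *seg = strtok(copy, "/"); seg; seg = strtok(NULL, "/")) {
        if (!strcmp(seg, ".")) continue;
        if (!strcmp(seg, "..")) {                    /* pop one component, never above "/" */
            while (olen > 1 && out[--olen] != '/') ;
            out[olen] = '\0';
            continue;
        }
        if (out[olen - 1] != '/') out[olen++] = '/';
        size_t sl = strlen(seg);
        memcpy(out + olen, seg, sl);
        olen += sl;
        out[olen] = '\0';
    }
    free(copy);
    return out;
}

int main(void)
{
    /* Constructed header as a malicious server or HTTP MitM could send it. */
    const char *cache = "/var/cache/pacman/pkg";
    const char *evil = "attachment; filename=\"../../../../etc/evil\"";
    char *u = dest_unsanitized(cache, evil), *n = normalize_path(u);
    char *h = dest_hardened(cache, evil);
    printf("unsanitized: %s -> %s\n", u, n);
    printf("hardened:    %s\n", h ? h : "(refused)");
    free(u); free(n); free(h);
    return 0;
}
```

With the constructed header, the unsanitized destination resolves to /etc/evil, outside the package cache and before any signature check could run on the file; the hardened variant returns NULL and would leave the download where it is. Rejecting, rather than stripping, the bad name is the safer choice here, because a server that sends a traversal sequence is not one whose package you want installed anyway.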
CVSS Information
N/A
Vulnerability Type
N/A
Vulnerability Title
pacman path traversal vulnerability
Vulnerability Description
pacman is a package manager used on Linux. Versions of pacman before 5.1.3 contain a security vulnerability caused by the program not filtering the file name taken from the Content-Disposition header. An attacker can exploit this vulnerability to execute code.
CVSS Information
N/A
Vulnerability Type
N/A