{"schema_version":"1.7.3","id":"CVE-2019-18183","published":"2020-02-24T15:15:11.457Z","modified":"2026-02-19T08:24:32.560045Z","details":"pacman before 5.2 is vulnerable to arbitrary command injection in lib/libalpm/sync.c in the apply_deltas() function. This can be exploited when unsigned databases are used. Exploitation requires that the user has enabled the non-default delta feature and retrieves an attacker-controlled crafted database and delta file.","affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/dbry/wavpack","events":[{"introduced":"0"},{"fixed":"e158df5353b57ac7002d5cac4b3a040eba4c0c9f"}]}],"versions":["4.70.0","4.70.0-rc","4.75.0","4.75.0-rc","4.75.2","4.80.0","4.80.0-rc","5.0.0","5.0.0-alpha","5.0.0-alpha2","5.0.0-alpha3","5.0.0-alpha4","5.0.0-alpha5","5.1.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-18183.json","vanir_signatures":[{"deprecated":false,"digest":{"line_hashes":["239278065882486561378056075972974605625"],"threshold":0.9},"id":"CVE-2019-18183-1454053e","signature_type":"Line","signature_version":"v1","source":"https://github.com/dbry/wavpack/commit/e158df5353b57ac7002d5cac4b3a040eba4c0c9f","target":{"file":"cli/md5.h"}}]}}],"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2TTUXXUW5OCOASIRMJK4RHEPLEA33Y6C/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/K53C45EDWBU3UCN3IRIGR5EZUNWXS7BW/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KIDJ4XKBZRRVRFFGKUA3ZU6NFIP5JUG3/"},{"type":"ADVISORY","url":"https://git.archlinux.org/pacman.git/commit/?id=c0e9be7973be6c81b22fde91516fb8991e7bb07b"},{"type":"ADVISORY","url":"https://git.archlinux.org/pacman.git/tree/lib/libalpm/sync.c?h=v5.1.3#n767"},{"type":"ADVISORY","url":"https://github.com/alpinelinux/al
pine-secdb/blob/master/v3.11/community.yaml"},{"type":"FIX","url":"https://git.archlinux.org/pacman.git/commit/?id=c0e9be7973be6c81b22fde91516fb8991e7bb07b"},{"type":"EVIDENCE","url":"https://git.archlinux.org/pacman.git/tree/lib/libalpm/sync.c?h=v5.1.3#n767"}],"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}