
CVE-2019-18183 (2019) - arthur2e5
https://security.archlinux.org/CVE-2019-18183
======
arthur2e5
TL;DR: Pacman did a

    /* the vulnerable construction: file names dropped unquoted into a shell command line */
    snprintf(command, PATH_MAX, "xdelta3 -d -q -s %s %s %s", from, delta, to);
    system(command);


And to fix it, they removed the delta update feature.

* * *

They removed a feature that _could_ work well over something someone did
incorrectly. You don't even need to go full-on execvp and dup2 to fix this
problem:

* it is super easy to escape a string for POSIX shell: wrap the thing in single-quotes, replace the single-quotes in-between with '\''.

* it is not hard to verify that snprintf has enough space: just assert(snprintf(bleh, size, ...) < size).
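Both points carried out in C, as an added example that is neither the commenter's code nor pacman's: `shell_quote` applies the single-quote wrapping described above, and `build_xdelta_command` refuses to hand the buffer to `system()` when `snprintf` reports truncation. The buffer size is passed in by the caller rather than hard-coded to PATH_MAX; the function and file names are assumptions for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Quote `s` for a POSIX shell: wrap it in single quotes and turn every
 * embedded single quote into '\'' (close, escaped quote, reopen).
 * Returns a malloc'd string the caller frees, or NULL on allocation failure. */
char *shell_quote(const char *s)
{
    size_t quotes = 0;
    for (const char *p = s; *p; p++)
        if (*p == '\'')
            quotes++;
    /* 2 wrapping quotes + 3 extra bytes per embedded quote + NUL */
    size_t len = strlen(s) + 2 + quotes * 3 + 1;
    char *out = malloc(len);
    if (!out)
        return NULL;
    char *o = out;
    *o++ = '\'';
    for (const char *p = s; *p; p++) {
        if (*p == '\'') {
            memcpy(o, "'\\''", 4);
            o += 4;
        } else {
            *o++ = *p;
        }
    }
    *o++ = '\'';
    *o = '\0';
    return out;
}

/* Build the xdelta3 command line with every argument quoted, and refuse to
 * proceed if the buffer would have been truncated.
 * Returns 0 on success, -1 on truncation or allocation failure. */
int build_xdelta_command(char *buf, size_t size, const char *from, const char *delta, const char *to)
{
    char *qf = shell_quote(from), *qd = shell_quote(delta), *qt = shell_quote(to);
    int n = -1;
    if (qf && qd && qt)
        n = snprintf(buf, size, "xdelta3 -d -q -s %s %s %s", qf, qd, qt);
    free(qf); free(qd); free(qt);
    if (n < 0 || (size_t)n >= size)
        return -1; /* truncated: never pass a partial command to system() */
    return 0;
}
```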

