Summary: | <app-admin/packagekit-0.8.8: "update" allows downgrade of packages when using the "zypp" backend (CVE-2013-1764) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED OBSOLETE | ||
Severity: | trivial | CC: | lxnay |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://www.openwall.com/lists/oss-security/2013/02/23/9 | ||
Whiteboard: | ~4 [glsa?] | ||
Package list: | | Runtime testing required: | --- |
Description
Agostino Sarubbo
2013-02-26 09:49:32 UTC
CVE-2013-1764 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1764): The Zypper (aka zypp) backend in PackageKit before 0.8.8 allows local users to downgrade packages via the "install updates" method.

While the zypp backend is not enabled in Gentoo ebuilds, I must have a look at the gentoo and entropy backends to make sure this does not happen there too.

\>app-admin/packagekit-0.8.15 is in tree, which mitigates this vulnerability. Additional issues would warrant a new bug.

As previously mentioned, this bug is obsolete now as all packages in tree are compliant.

GLSA Vote: No