| Summary: | <app-admin/packagekit-base-1.1.12: authentication bypass allows installing signed packages without administrator privileges (CVE-2018-1106) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Thomas Deutschmann (RETIRED) <whissi> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | trivial | CC: | gnome, mudler, whissi |
| Priority: | Normal | Flags: | stable-bot: sanity-check+ |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://www.openwall.com/lists/oss-security/2018/04/23/3 | | |
| Whiteboard: | B3 [noglsa cve] | | |
| Package list: | =app-admin/packagekit-base-1.1.12 amd64 x86 | | |
| Runtime testing required: | --- | | |
Description

Thomas Deutschmann (RETIRED), 2018-04-12 21:24:54 UTC

An authentication bypass flaw has been found in PackageKit since version 1.0.2. A local attacker can bypass the authentication in the pk_transaction_authorize_actions_finished_cb function of pk-transaction.c and install signed packages without administrator privileges.

Patch: https://github.com/hughsie/PackageKit/commit/7e8a7905ea9abbd1f384f05f36a4458682cd4697

Upstream vulnerable commit: https://github.com/hughsie/PackageKit/commit/f176976e24e8c17b80eff222572275517c16bdad

---

I just added 1.1.12 to the tree which ships the patch.

---

Thank you. Please drop the vulnerable.

---

Comment #4 (Gilles Dartiguelongue):

Adding arches.

---

(In reply to Gilles Dartiguelongue from comment #4)
> Adding arches.

This package was not previously stable. So, please note that a GLSA will not be released once the new and currently not vulnerable package is stabilized.

---

I don't think we want to newstable it when USE=packagekit is even use.masked (not just use.stable.masked). Removing arches for reconsideration, so they don't get it done in the meantime.

---

Comment #7 (Mart Raudsepp):

Sorry for the confusion. This package (packagekit-BASE) WAS stable. Putting whiteboard back to "glsa?" state, because the noglsa decision seems to have been done on wrong assumptions.
Re-CCing arches

---

x86 stable

---

Comment #9 (Aaron Bauman):

(In reply to Mart Raudsepp from comment #7)
> Sorry for the confusion. This package (packagekit-BASE) WAS stable. Putting
> whiteboard back to "glsa?" state, because the noglsa decision seems to have
> been done on wrong assumptions.
> Re-CCing arches

@Thomas, was this *not* a stable package when you adjusted the rating? I really don't care to dig into the history of it all right now.

---

amd64 stable

---

(In reply to Aaron Bauman from comment #9)
> @Thomas, was this *not* a stable package when you adjusted the rating?

When I created this bug I checked app-admin/packagekit only, which never had a stable ebuild. However, Gilles added app-admin/packagekit-base and this package had stable ebuilds.

Anyways, amd64 and x86 have now both stabilized =app-admin/packagekit-base-1.1.12, so the only thing left is cleanup.

---

Tree is clean of older revisions.

---

GLSA vote: No
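As an added example (not part of this bug report, of Gentoo's tooling, or of PackageKit), a POSIX shell check that a Gentoo administrator could run to confirm the fix above is installed: it reads Portage's installed-package database under /var/db/pkg and reports whether any installed app-admin/packagekit-base is older than the fixed version 1.1.12 named in the package list. The names VDB_ROOT, vercmp and check_installed are assumptions made here; VDB_ROOT only exists so the check can be pointed at a constructed tree for testing.

```shell
#!/bin/sh
# Added example, not code from the Gentoo bug or from PackageKit.
# Reports whether the installed app-admin/packagekit-base is older than the
# fixed version 1.1.12 by reading Portage's installed-package database (VDB),
# whose entries are directories such as /var/db/pkg/app-admin/packagekit-base-1.1.12.
# VDB_ROOT is an assumed override so the check can be run against a constructed tree.

FIXED_VERSION="1.1.12"
VDB_ROOT="${VDB_ROOT:-/var/db/pkg}"

# vercmp A B: prints -1, 0 or 1 for A<B, A=B, A>B. Handles dotted numeric
# versions; a Gentoo revision (-r1) or suffix (_p1) is stripped first, so
# 1.1.12-r1 compares equal to 1.1.12. Assumes purely numeric components.
vercmp() {
    a=$(printf '%s' "$1" | sed 's/[-_].*$//')
    b=$(printf '%s' "$2" | sed 's/[-_].*$//')
    i=1
    while [ "$i" -le 16 ]; do
        # The trailing dot guarantees cut sees a delimiter even for a bare "2"
        x=$(printf '%s.' "$a" | cut -d. -f"$i")
        y=$(printf '%s.' "$b" | cut -d. -f"$i")
        if [ -z "$x" ] && [ -z "$y" ]; then
            printf '%s\n' 0
            return 0
        fi
        x=${x:-0}
        y=${y:-0}
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return 0; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return 0; fi
        i=$((i + 1))
    done
    printf '%s\n' 0
}

# check_installed: prints "vulnerable VER" or "fixed VER" for each installed
# packagekit-base entry, or "not-installed" when the package is absent.
check_installed() {
    found=0
    for d in "$VDB_ROOT"/app-admin/packagekit-base-*; do
        [ -d "$d" ] || continue
        found=1
        ver=${d##*/packagekit-base-}
        if [ "$(vercmp "$ver" "$FIXED_VERSION")" -lt 0 ]; then
            echo "vulnerable $ver"
        else
            echo "fixed $ver"
        fi
    done
    [ "$found" -eq 1 ] || echo "not-installed"
}

check_installed
```

The comparison deliberately treats a revision bump of the fixed version (1.1.12-r1) as fixed, since Gentoo revisions carry the same upstream source; anything below 1.1.12 is reported as vulnerable, matching the `<app-admin/packagekit-base-1.1.12` range in the summary.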