Bug 653068 (CVE-2018-1106) - <app-admin/packagekit-base-1.1.12: authentication bypass allows to install signed packages without administrator privileges (CVE-2018-1106)
Summary: <app-admin/packagekit-base-1.1.12: authentication bypass allows to install si...
Status: RESOLVED FIXED
Alias: CVE-2018-1106
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2018-04-12 21:24 UTC by Thomas Deutschmann (RETIRED)
Modified: 2018-12-29 10:49 UTC (History)
CC List: 3 users

See Also:
Package list:
=app-admin/packagekit-base-1.1.12 amd64 x86
Runtime testing required: ---
stable-bot: sanity-check+


Description Thomas Deutschmann (RETIRED) gentoo-dev 2018-04-12 21:24:54 UTC
Incoming details.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2018-04-25 14:30:36 UTC
An authentication bypass flaw has been found in PackageKit since version 1.0.2.
A local attacker can bypass the authentication in
pk_transaction_authorize_actions_finished_cb function of pk-transaction.c file,
and install signed packages without administrator privileges.

Patch:
https://github.com/hughsie/PackageKit/commit/7e8a7905ea9abbd1f384f05f36a4458682cd4697

Upstream vulnerable commit:
https://github.com/hughsie/PackageKit/commit/f176976e24e8c17b80eff222572275517c16bdad
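One way an administrator could confirm whether an installed packagekit-base version falls inside the range this comment describes (1.0.2 up to, but not including, the fixed 1.1.12), written here as an added Python example that is neither Gentoo's nor PackageKit's own code. It assumes a simplified Gentoo version syntax (dotted numeric components plus an optional -rN revision; suffixes such as _rc or _p are not handled) and the sample installed atoms it checks are constructed for illustration.

```python
"""Decide whether installed versions of app-admin/packagekit-base fall in
the affected range named on this bug: from 1.0.2 (first vulnerable
release, per comment 1) up to but excluding 1.1.12 (the fixed version in
the atom <app-admin/packagekit-base-1.1.12).

Added example for this page; not Gentoo or PackageKit code. Assumption:
versions are dotted numerics with an optional -rN revision only.
"""
import re
from typing import Dict, Iterable, Tuple

# Affected range as stated on this bug.
VULNERABLE_SINCE = "1.0.2"
FIXED_ATOM = "<app-admin/packagekit-base-1.1.12"

Version = Tuple[Tuple[int, ...], int]


def parse_version(ver: str) -> Version:
    """'1.1.12-r1' -> ((1, 1, 12), 1). A missing revision counts as 0.

    Comparing tuples numerically avoids the string-comparison pitfall
    where '1.1.9' would sort after '1.1.12'.
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-r(\d+))?", ver)
    if not m:
        raise ValueError(f"unsupported version syntax (assumed subset): {ver!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    rev = int(m.group(2)) if m.group(2) else 0
    return parts, rev


def parse_atom(atom: str) -> Tuple[str, str, str]:
    """Split '<app-admin/packagekit-base-1.1.12' into
    ('<', 'app-admin/packagekit-base', '1.1.12').

    The package name may itself contain hyphens, so the version is taken
    as the trailing '-<digits...>' run only.
    """
    m = re.fullmatch(r"([<>]=?|=)?(.+?)-(\d+(?:\.\d+)*(?:-r\d+)?)", atom)
    if not m:
        raise ValueError(f"cannot parse atom: {atom!r}")
    op, cpn, ver = m.groups()
    return op or "", cpn, ver


def is_affected(installed: str,
                vulnerable_since: str = VULNERABLE_SINCE,
                fixed_atom: str = FIXED_ATOM) -> bool:
    """True when vulnerable_since <= installed < fixed version."""
    _, _, fixed = parse_atom(fixed_atom)
    v = parse_version(installed)
    return parse_version(vulnerable_since) <= v < parse_version(fixed)


def triage(installed_atoms: Iterable[str],
           vulnerable_since: str = VULNERABLE_SINCE,
           fixed_atom: str = FIXED_ATOM) -> Dict[str, bool]:
    """Map each installed atom of the affected package to True/False.

    Atoms for other packages are ignored rather than compared, so an
    unrelated package with a 'lower' version never shows up as affected.
    """
    _, target_cpn, _ = parse_atom(fixed_atom)
    result: Dict[str, bool] = {}
    for atom in installed_atoms:
        _, cpn, ver = parse_atom(atom)
        if cpn == target_cpn:
            result[atom] = is_affected(ver, vulnerable_since, fixed_atom)
    return result


if __name__ == "__main__":
    # Constructed sample of installed atoms (not real system output).
    sample = [
        "=app-admin/packagekit-base-1.1.9",    # numerically below 1.1.12: affected
        "=app-admin/packagekit-base-1.1.12",   # the fixed version: not affected
        "=app-admin/packagekit-base-1.0.1",    # predates the bug: not affected
        "=sys-apps/portage-2.3.51",            # unrelated package: skipped
    ]
    for atom, affected in triage(sample).items():
        print(f"{atom}: {'AFFECTED' if affected else 'ok'}")
```

Run it directly to see the constructed sample triaged; to check a real system, feed it the installed atoms for the package instead of the sample list.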
Comment 2 Gilles Dartiguelongue (RETIRED) gentoo-dev 2018-12-12 14:24:16 UTC
I just added 1.1.12 to the tree which ships the patch.
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2018-12-12 22:25:45 UTC
Thank you. Please drop the vulnerable.
Comment 4 Gilles Dartiguelongue (RETIRED) gentoo-dev 2018-12-13 09:24:45 UTC
Adding arches.
Comment 5 Aaron Bauman (RETIRED) gentoo-dev 2018-12-13 10:35:12 UTC
(In reply to Gilles Dartiguelongue from comment #4)
> Adding arches.

This package was not previously stable. So, please note that a GLSA will not be released once the new and currently not vulnerable package is stabilized.
Comment 6 Mart Raudsepp gentoo-dev 2018-12-13 11:48:48 UTC
I don't think we want to newstable it when USE=packagekit is even use.masked (not just use.stable.masked). Removing arches for reconsideration, so they don't get it done in the meantime.
Comment 7 Mart Raudsepp gentoo-dev 2018-12-13 13:09:38 UTC
Sorry for the confusion. This package (packagekit-BASE) WAS stable. Putting whiteboard back to "glsa?" state, because the noglsa decision seems to have been done on wrong assumptions.
Re-CCing arches
Comment 8 Thomas Deutschmann (RETIRED) gentoo-dev 2018-12-14 02:14:21 UTC
x86 stable
Comment 9 Aaron Bauman (RETIRED) gentoo-dev 2018-12-14 04:24:08 UTC
(In reply to Mart Raudsepp from comment #7)
> Sorry for the confusion. This package (packagekit-BASE) WAS stable. Putting
> whiteboard back to "glsa?" state, because the noglsa decision seems to have
> been done on wrong assumptions.
> Re-CCing arches

@Thomas, was this *not* a stable package when you adjusted the rating?

I really don't care to dig into the history of it all right now.
Comment 10 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-12-15 11:52:41 UTC
amd64 stable
Comment 11 Thomas Deutschmann (RETIRED) gentoo-dev 2018-12-16 23:44:09 UTC
(In reply to Aaron Bauman from comment #9)
> @Thomas, was this *not* a stable package when you adjusted the rating?

When I created this bug I checked app-admin/packagekit only which never had a stable ebuild. However, Gilles added app-admin/packagekit-base and this package had stable ebuilds.

Anyways, amd64 and x86 have now both stabilized =app-admin/packagekit-base-1.1.12 so the only thing left is cleanup.
Comment 12 Gilles Dartiguelongue (RETIRED) gentoo-dev 2018-12-29 10:39:07 UTC
Tree is clean of older revisions.
Comment 13 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-12-29 10:49:20 UTC
GLSA vote: No