Incoming details.
An authentication bypass flaw has been found in PackageKit since version 1.0.2. A local attacker can bypass the authentication in the pk_transaction_authorize_actions_finished_cb function of the pk-transaction.c file, and install signed packages without administrator privileges.
Patch: https://github.com/hughsie/PackageKit/commit/7e8a7905ea9abbd1f384f05f36a4458682cd4697
Upstream vulnerable commit: https://github.com/hughsie/PackageKit/commit/f176976e24e8c17b80eff222572275517c16bdad
I just added 1.1.12 to the tree which ships the patch.
thank you. please drop the vulnerable.
Adding arches.
(In reply to Gilles Dartiguelongue from comment #4)
> Adding arches.
This package was not previously stable. So, please note that a GLSA will not be released once the new and currently not vulnerable package is stabilized.
I don't think we want to newstable it when USE=packagekit is even use.masked (not just use.stable.masked). Removing arches for reconsideration, so they don't get it done in the meantime.
Sorry for the confusion. This package (packagekit-BASE) WAS stable. Putting whiteboard back to "glsa?" state, because the noglsa decision seems to have been done on wrong assumptions. Re-CCing arches.
x86 stable
(In reply to Mart Raudsepp from comment #7)
> Sorry for the confusion. This package (packagekit-BASE) WAS stable. Putting
> whiteboard back to "glsa?" state, because the noglsa decision seems to have
> been done on wrong assumptions.
> Re-CCing arches
@Thomas, was this *not* a stable package when you adjusted the rating? I really don't care to dig into the history of it all right now.
amd64 stable
(In reply to Aaron Bauman from comment #9)
> @Thomas, was this *not* a stable package when you adjusted the rating?
When I created this bug I checked app-admin/packagekit only, which never had a stable ebuild. However, Gilles added app-admin/packagekit-base, and this package had stable ebuilds. Anyways, amd64 and x86 have now both stabilized =app-admin/packagekit-base-1.1.12, so the only thing left is cleanup.
Tree is clean of older revisions.
GLSA vote: No