Re: Security Problem with "PackageKit-command-not-found" package

2022-08-25 Thread Sandipan Roy
Some CVEs have appeared because of this issue.
Details + Analysis found at:
https://sysdream.com/abusing-packagekit-fedora-centos-for/
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue


Re: Security Problem with "PackageKit-command-not-found" package

2022-08-25 Thread Sandipan Roy
Wheel user rule for packagekit

$ sudo cat /usr/share/polkit-1/rules.d/org.freedesktop.packagekit.rules
[sudo] password for sandipan: 
polkit.addRule(function(action, subject) {
    if ((action.id == "org.freedesktop.packagekit.package-install" ||
         action.id == "org.freedesktop.packagekit.package-remove") &&
        subject.active == true && subject.local == true &&
        subject.isInGroup("wheel")) {
        return polkit.Result.YES;
    }
});
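
As an added example (not part of the original message and not Fedora's or PackageKit's own code): the rule quoted above next to a local override that returns polkit.Result.AUTH_ADMIN, evaluated by a small stand-in for polkit's rule engine. The harness, the subject objects and the override's placement (a file such as /etc/polkit-1/rules.d/00-packagekit-auth.rules, a hypothetical name that sorts ahead of the shipped file) are assumptions.

```javascript
// Stand-in for polkit's rule engine (hypothetical harness, not polkit itself).
// Rules run in registration order; the first non-null result wins.
function makeEngine() {
  const rules = [];
  const polkit = {
    Result: { YES: "yes", AUTH_ADMIN: "auth_admin" },
    addRule: (fn) => rules.push(fn),
  };
  const evaluate = (action, subject) => {
    for (const rule of rules) {
      const result = rule(action, subject);
      if (result !== undefined && result !== null) return result;
    }
    return "defaults"; // harness marker: the action's .policy defaults apply
  };
  return { polkit, evaluate };
}

// The rule quoted in the message above, unchanged.
function shippedRule(polkit) {
  polkit.addRule(function(action, subject) {
    if ((action.id == "org.freedesktop.packagekit.package-install" ||
         action.id == "org.freedesktop.packagekit.package-remove") &&
        subject.active == true && subject.local == true &&
        subject.isInGroup("wheel")) {
      return polkit.Result.YES;
    }
  });
}

// Assumed local override: always ask for admin authentication.
function overrideRule(polkit) {
  polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.packagekit.package-install" ||
        action.id == "org.freedesktop.packagekit.package-remove") {
      return polkit.Result.AUTH_ADMIN;
    }
  });
}

// Constructed subject with the three properties the shipped rule reads.
const makeSubject = (groups, active, local) =>
  ({ active, local, isInGroup: (g) => groups.includes(g) });

// Decide one request; the override is registered first, as an earlier file would be.
function decide(withOverride, actionId, subject) {
  const { polkit, evaluate } = makeEngine();
  if (withOverride) overrideRule(polkit);
  shippedRule(polkit);
  return evaluate({ id: actionId }, subject);
}
```

With the rule as shipped, an active local wheel session gets `yes` with no authentication prompt; with the override registered first, the same request returns `auth_admin`.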


Security Problem with "PackageKit-command-not-found" package

2022-08-25 Thread Sandipan Roy
Hello World,

I'm Sandipan Roy [FAS: ByteHackr]. I wanted to share a serious system-wide 
problem with the PackageKit-command-not-found [1] package. 
Can you guys give some feedback on whether I can submit a system-wide change proposal 
to remove this, because it's a poor system design?
With this vulnerability, any wheel user can install any package without root 
access or sudo.

Reproducer: 

Open up any bash terminal. Type in the name of a package that isn't installed 
already (e.g. nemo, irssi). I can reproduce this in F36-KDE.
On Workstation it is not reproducible.

Analysis:

$ rpm -qf /etc/profile.d/PackageKit.sh
PackageKit-command-not-found-1.2.5-1.fc36.x86_64

$ rpm -ql PackageKit-command-not-found-1.2.5-1.fc36.x86_64
/etc/PackageKit/CommandNotFound.conf
/etc/profile.d/PackageKit.sh
/usr/lib/.build-id
/usr/lib/.build-id/86
/usr/lib/.build-id/86/7d08bc388e2cd2dbb8523e0a4662e19045bf4d
/usr/libexec/pk-command-not-found

$ which command_not_found_handle
command_not_found_handle ()
{ 
    local runcnf=1;
    local retval=127;
    [[ $- == *"i"* ]] || runcnf=0;
    [[ ! -S /run/dbus/system_bus_socket ]] && runcnf=0;
    [[ ! -x '/usr/libexec/packagekitd' ]] && runcnf=0;
    [[ -n ${COMP_CWORD-} ]] && runcnf=0;
    [[ ! -x '/usr/libexec/pk-command-not-found' ]] && runcnf=0;
    if [ $runcnf -eq 1 ]; then
        '/usr/libexec/pk-command-not-found' "$@";
        retval=$?;
    else
        if [[ -n "${BASH_VERSION-}" ]]; then
            printf 'bash: %s%s\n' "${1:+$1: }" "$(gettext PackageKit 'command not found')" 1>&2;
        fi;
    fi;
    return $retval
}

[1] 
https://fedoraproject.org/wiki/Features/PackageKitCommandNotFound#PackageKit_Command_Not_Found


Thanks,
Sandipan Roy
Associate Product Security Engineer