Hi Matthias,

On Thu, Jan 04, 2024 at 10:44:30PM +0100, Salvatore Bonaccorso wrote:
> Hi Matthias,
> 
> On Thu, Jan 04, 2024 at 09:30:44PM +0100, Matthias Klumpp wrote:
> > Hi!
> > 
> > Am Do., 4. Jan. 2024 um 20:51 Uhr schrieb Salvatore Bonaccorso
> > <car...@debian.org>:
> > >
> > > Source: packagekit
> > > Version: 1.2.6-5
> > > Severity: important
> > > Tags: security upstream
> > > X-Debbugs-Cc: car...@debian.org, Debian Security Team 
> > > <t...@security.debian.org>
> > >
> > > Hi,
> > >
> > > The following vulnerability was published for packagekit.
> > >
> > > CVE-2024-0217[0]:
> > > | A use-after-free flaw was found in PackageKitd. In some conditions,
> > > | the order of cleanup mechanics for a transaction could be impacted.
> > > | As a result, some memory access could occur on memory regions that
> > > | were previously freed. Once freed, a memory region can be reused for
> > > | other allocations and any previously stored data in this memory
> > > | region is considered lost.
> > >
> > > The only reference known so far is [1], which says as well that the issue
> > > should be fixed in 1.2.7 upstream. Do you happen to know more on it?
> > 
> > This might be the worst CVE I've seen in a while... PackageKit has
> > backends, so at the very least this CVE should state whether this
> > affects a backend only (in which case we might even be fine if we
> > don't ship it) or the daemon core, or a library. Judging from how this
> > is worded, it's likely one of the latter, which would be worse.
> > On the bug report, it is stated that "It was observed that under some
> > conditions, the order of cleanup mechanics for a transaction could be
> > impacted.", but there are no details given what these circumstances
> > even are.
> > Furthermore, Philip Withnall did quite a bit of larger rework on
> > PackageKit's transaction logic for 1.2.7, so whatever the issue is it
> > might have been accidentally fixed in a larger commit of that series.
> > 
> > But tbh, this CVE is so vague that I have no idea where I'd even look
> > for this (unless I wanted to repeat the work that went into finding
> > this and create random transaction states while running with address
> > sanitizer on).
> > Let's hope the reporter replies to the request in RH bugzilla.
> 
> Thanks for the very quick reply! 
> 
> Ok let's see if the reporter in the Red Hat bugzilla replies to the
> 'needinfo' request. Will update the bug here in case I notice earlier
> than you.
> 
> I had expected that packagekit upstream gets some information as well
> from Red Hat, so you as well :-)
> 
> Thanks a lot for your work!

Got a reply from Pedro Sampaio in 
https://bugzilla.redhat.com/show_bug.cgi?id=2256624#c3

It is mentioned that, although the following is not a direct fix for
the issue, the commit in v1.2.7 to reduce the impact is the
following:

https://github.com/PackageKit/PackageKit/commit/64278c9127e3333342b56ead99556161f7e86f79

Does that help you with your upstream hat on, and downstream in
Debian?

Regards,
Salvatore
