[Touch-packages] [Bug 1882098] Re: Packagekit lets user install untrusted local packages in Bionic and Focal

2020-09-24 Thread Marc Deslauriers
The updates for this issue have been released: https://ubuntu.com/security/notices/USN-4538-1 Thanks!

[Touch-packages] [Bug 1882098] Re: Packagekit lets user install untrusted local packages in Bionic and Focal

2020-09-24 Thread Launchpad Bug Tracker
This bug was fixed in the package packagekit - 1.1.13-2ubuntu1.1 --- packagekit (1.1.13-2ubuntu1.1) focal-security; urgency=medium * SECURITY UPDATE: information disclosure (LP: #187) - debian/patches/CVE-2020-16121.patch: hide failures behind a single error message

[Touch-packages] [Bug 1882098] Re: Packagekit lets user install untrusted local packages in Bionic and Focal

2020-09-24 Thread Launchpad Bug Tracker
This bug was fixed in the package packagekit - 0.8.17-4ubuntu6~gcc5.4ubuntu1.5 --- packagekit (0.8.17-4ubuntu6~gcc5.4ubuntu1.5) xenial-security; urgency=medium * SECURITY UPDATE: information disclosure (LP: #187) - debian/patches/CVE-2020-16121.patch: hide failures behind a

[Touch-packages] [Bug 1882098] Re: Packagekit lets user install untrusted local packages in Bionic and Focal

2020-09-24 Thread Launchpad Bug Tracker
This bug was fixed in the package packagekit - 1.1.9-1ubuntu2.18.04.6 --- packagekit (1.1.9-1ubuntu2.18.04.6) bionic-security; urgency=medium * SECURITY UPDATE: information disclosure (LP: #187) - debian/patches/CVE-2020-16121.patch: hide failures behind a single

[Touch-packages] [Bug 1882098] Re: Packagekit lets user install untrusted local packages in Bionic and Focal

2020-09-24 Thread Esko Järnfors
I checked the patch again on bionic, turns out I missed the packagekit restart the first time and the package postinst script for one reason or another didn't restart the daemon on my test machine as it did on focal. The patch seems to work on bionic as well.

[Touch-packages] [Bug 1882098] Re: Packagekit lets user install untrusted local packages in Bionic and Focal

2020-09-23 Thread Julian Andres Klode
Attached patch for xenial, but I can't test it. $ pkcon install-local xterm_353-1ubuntu1_amd64.deb Installing files [=] Finished [=] Fatal error: MIME type 'application/vnd.debian.binary-package'

[Touch-packages] [Bug 1882098] Re: Packagekit lets user install untrusted local packages in Bionic and Focal

2020-09-23 Thread Julian Andres Klode
Easiest is to just look at policykit log and see that it triggers the untrusted action, fwiw. IMO.

[Touch-packages] [Bug 1882098] Re: Packagekit lets user install untrusted local packages in Bionic and Focal

2020-09-23 Thread Marc Deslauriers
I am currently preparing updates for this issue, and I just tested the bionic update that includes this patch, and it works in my environment. Could you please make sure you created the policy file ok, and have rebooted after updating packagekit?

[Touch-packages] [Bug 1882098] Re: Packagekit lets user install untrusted local packages in Bionic and Focal

2020-09-23 Thread Esko Järnfors
Hi and thanks everyone! I tested the patch and it works fine on focal (packagekit-1.1.13), but even though it applies, it doesn't fix this on bionic (packagekit-1.1.9).

[Touch-packages] [Bug 1882098] Re: Packagekit lets user install untrusted local packages in Bionic and Focal

2020-09-23 Thread Julian Andres Klode
On it

[Touch-packages] [Bug 1882098] Re: Packagekit lets user install untrusted local packages in Bionic and Focal

2020-09-23 Thread Marc Deslauriers
Hi Julian, Could you please backport the patch in comment #9 to xenial? The code in xenial is substantially different. Thanks!

[Touch-packages] [Bug 1882098] Re: Packagekit lets user install untrusted local packages in Bionic and Focal

2020-09-22 Thread Seth Arnold
Please use CVE-2020-16122 for this issue. Thanks. ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-16122

[Touch-packages] [Bug 1882098] Re: Packagekit lets user install untrusted local packages in Bionic and Focal

2020-09-22 Thread Ubuntu Foundations Team Bug Bot
** Tags added: patch

[Touch-packages] [Bug 1882098] Re: Packagekit lets user install untrusted local packages in Bionic and Focal

2020-09-22 Thread Julian Andres Klode
** Patch added: "0001-aptcc-Do-not-trust-local-debs-allows-root-privileges.patch" https://bugs.launchpad.net/ubuntu/+source/packagekit/+bug/1882098/+attachment/5413161/+files/0001-aptcc-Do-not-trust-local-debs-allows-root-privileges.patch

[Touch-packages] [Bug 1882098] Re: Packagekit lets user install untrusted local packages in Bionic and Focal

2020-09-03 Thread Julian Andres Klode
It asks apt if the package is trusted, and from apt's POV it is, which might or might not be good, UX wise, for apt (maybe it should also tell you that local debs are not verified), but not much of an issue there.

[Touch-packages] [Bug 1882098] Re: Packagekit lets user install untrusted local packages in Bionic and Focal

2020-09-03 Thread Esko Järnfors
Thanks for triaging and investigating this, Julian! A fix for at least the aptcc backend would be highly appreciated -- I'd hope the other backends will fix this on their own if they care about it. The point of packagekit+policykit is to enable people to do (at least somewhat limited) stuff

[Touch-packages] [Bug 1882098] Re: Packagekit lets user install untrusted local packages in Bionic and Focal

2020-09-01 Thread Julian Andres Klode
I found out the cause for this, but other backends are affected too probably - basically the packagekit daemon assumes that packages can be trusted themselves, so backends that do not have trust information in packages need to explicitly reject local packages as untrusted, so that PackageKit

[Touch-packages] [Bug 1882098] Re: Packagekit lets user install untrusted local packages in Bionic and Focal

2020-08-28 Thread Julian Andres Klode
Yup, install-local does indeed trigger package-install not package-install-untrusted Aug 28 11:28:53 jak-t480s polkitd(authority=local)[1744]: Operator of unix-session:2 FAILED to authenticate to gain authorization for action org.freedesktop.packagekit.package-install for system-bus-name::1.535

[Touch-packages] [Bug 1882098] Re: Packagekit lets user install untrusted local packages in Bionic and Focal

2020-07-21 Thread Sami Niemimäki
Hello Seth, I can now confirm that it does not matter if the test users are in no groups. The issue persists. Lines 49 to 56 in the link I provided earlier describe the package-install-untrusted action which should be triggered when installing local packages: Install untrusted local

[Touch-packages] [Bug 1882098] Re: Packagekit lets user install untrusted local packages in Bionic and Focal

2020-06-13 Thread Sami Niemimäki
Hello Seth, the packagekit-deny rule should not be necessary, it's there to underline what is specifically not allowed. AFAIK, there are no other rules which could have granted this permission. This happens on a fresh install of Ubuntu where the above is the only modification to polkit rules.

[Touch-packages] [Bug 1882098] Re: Packagekit lets user install untrusted local packages in Bionic and Focal

2020-06-12 Thread Seth Arnold
Hello Sami, Esko, I'm not very familiar with the packagekit or policykit frameworks, so please forgive me if I'm far off course here with these thoughts: - Is the [tld.univ.packagekit-deny] rule necessary? I'd hope that this permission wouldn't be granted to anyone but admins. - Are there other

[Touch-packages] [Bug 1882098] Re: Packagekit lets user install untrusted local packages in Bionic and Focal

2020-06-12 Thread Seth Arnold
** Information type changed from Private Security to Public Security