[Bug 1882098] Re: Packagekit lets user install untrusted local packages in Bionic and Focal
The updates for this issue have been released: https://ubuntu.com/security/notices/USN-4538-1 Thanks! -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to the bug report. https://bugs.launchpad.net/bugs/1882098 Title: Packagekit lets user install untrusted local packages in Bionic and Focal To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/packagekit/+bug/1882098/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1882098] Re: Packagekit lets user install untrusted local packages in Bionic and Focal
This bug was fixed in the package packagekit - 0.8.17-4ubuntu6~gcc5.4ubuntu1.5 --- packagekit (0.8.17-4ubuntu6~gcc5.4ubuntu1.5) xenial-security; urgency=medium * SECURITY UPDATE: information disclosure (LP: #187) - debian/patches/CVE-2020-16121.patch: hide failures behind a single error message in src/pk-transaction.c. - CVE-2020-16121 * SECURITY UPDATE: untrusted local file installation (LP: #1882098) - debian/patches/CVE-2020-16122.patch: do not trust local packages in backends/aptcc/apt-intf.cpp. - CVE-2020-16122 -- Marc Deslauriers Wed, 23 Sep 2020 13:23:04 -0400 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to the bug report. https://bugs.launchpad.net/bugs/1882098 Title: Packagekit lets user install untrusted local packages in Bionic and Focal To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/packagekit/+bug/1882098/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1882098] Re: Packagekit lets user install untrusted local packages in Bionic and Focal
This bug was fixed in the package packagekit - 1.1.13-2ubuntu1.1 --- packagekit (1.1.13-2ubuntu1.1) focal-security; urgency=medium * SECURITY UPDATE: information disclosure (LP: #187) - debian/patches/CVE-2020-16121.patch: hide failures behind a single error message in src/pk-transaction.c. - CVE-2020-16121 * SECURITY UPDATE: untrusted local file installation (LP: #1882098) - debian/patches/CVE-2020-16122.patch: do not trust local packages in backends/aptcc/apt-intf.cpp. - CVE-2020-16122 -- Marc Deslauriers Wed, 23 Sep 2020 06:55:22 -0400 ** Changed in: packagekit (Ubuntu) Status: Triaged => Fix Released ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-16121 ** Changed in: packagekit (Ubuntu) Status: Triaged => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to the bug report. https://bugs.launchpad.net/bugs/1882098 Title: Packagekit lets user install untrusted local packages in Bionic and Focal To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/packagekit/+bug/1882098/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1882098] Re: Packagekit lets user install untrusted local packages in Bionic and Focal
This bug was fixed in the package packagekit - 1.1.9-1ubuntu2.18.04.6 --- packagekit (1.1.9-1ubuntu2.18.04.6) bionic-security; urgency=medium * SECURITY UPDATE: information disclosure (LP: #187) - debian/patches/CVE-2020-16121.patch: hide failures behind a single error message in src/pk-transaction.c. - CVE-2020-16121 * SECURITY UPDATE: untrusted local file installation (LP: #1882098) - debian/patches/CVE-2020-16122.patch: do not trust local packages in backends/aptcc/apt-intf.cpp. - CVE-2020-16122 -- Marc Deslauriers Wed, 23 Sep 2020 07:01:04 -0400 ** Changed in: packagekit (Ubuntu) Status: Triaged => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to the bug report. https://bugs.launchpad.net/bugs/1882098 Title: Packagekit lets user install untrusted local packages in Bionic and Focal To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/packagekit/+bug/1882098/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1882098] Re: Packagekit lets user install untrusted local packages in Bionic and Focal
I checked the patch again on bionic, turns out I missed the packagekit restart the first time and the package postinst script for one reason or another didn't restart the daemon on my test machine as it did on focal. The patch seems to work on bionic as well. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to the bug report. https://bugs.launchpad.net/bugs/1882098 Title: Packagekit lets user install untrusted local packages in Bionic and Focal To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/packagekit/+bug/1882098/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1882098] Re: Packagekit lets user install untrusted local packages in Bionic and Focal
Easiest is to just look at policykit log and see that it triggers the untrusted action, fwiw. IMO. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to the bug report. https://bugs.launchpad.net/bugs/1882098 Title: Packagekit lets user install untrusted local packages in Bionic and Focal To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/packagekit/+bug/1882098/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1882098] Re: Packagekit lets user install untrusted local packages in Bionic and Focal
Attached patch for xenial, but I can't test it. $ pkcon install-local xterm_353-1ubuntu1_amd64.deb Installing files [=] Finished [=] Fatal error: MIME type 'application/vnd.debian.binary-package' not supported /home/jak/Downloads/xterm_353-1ubuntu1_amd64.deb (trying with a random deb, in lxd container) ** Patch added: "cve-2020-16122.patch" https://bugs.launchpad.net/ubuntu/+source/packagekit/+bug/1882098/+attachment/5413547/+files/cve-2020-16122.patch -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to the bug report. https://bugs.launchpad.net/bugs/1882098 Title: Packagekit lets user install untrusted local packages in Bionic and Focal To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/packagekit/+bug/1882098/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1882098] Re: Packagekit lets user install untrusted local packages in Bionic and Focal
I am currently preparing updates for this issue, and I just tested the bionic update that includes this patch, and it works in my environment. Could you please make sure you created the policy file ok, and have rebooted after updating packagekit? -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to the bug report. https://bugs.launchpad.net/bugs/1882098 Title: Packagekit lets user install untrusted local packages in Bionic and Focal To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/packagekit/+bug/1882098/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1882098] Re: Packagekit lets user install untrusted local packages in Bionic and Focal
Hi and thanks everyone! I tested the patch and it works fine on focal (packagekit-1.1.13), but even though it applies, it doesn't fix this on bionic (packagekit-1.1.9). -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to the bug report. https://bugs.launchpad.net/bugs/1882098 Title: Packagekit lets user install untrusted local packages in Bionic and Focal To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/packagekit/+bug/1882098/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1882098] Re: Packagekit lets user install untrusted local packages in Bionic and Focal
On it -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to the bug report. https://bugs.launchpad.net/bugs/1882098 Title: Packagekit lets user install untrusted local packages in Bionic and Focal To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/packagekit/+bug/1882098/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1882098] Re: Packagekit lets user install untrusted local packages in Bionic and Focal
Hi Julian, Could you please backport the patch in comment #9 to xenial? The code in xenial is substantially different. Thanks! -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to the bug report. https://bugs.launchpad.net/bugs/1882098 Title: Packagekit lets user install untrusted local packages in Bionic and Focal To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/packagekit/+bug/1882098/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1882098] Re: Packagekit lets user install untrusted local packages in Bionic and Focal
Please use CVE-2020-16122 for this issue. Thanks. ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-16122 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to the bug report. https://bugs.launchpad.net/bugs/1882098 Title: Packagekit lets user install untrusted local packages in Bionic and Focal To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/packagekit/+bug/1882098/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1882098] Re: Packagekit lets user install untrusted local packages in Bionic and Focal
** Tags added: patch -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to the bug report. https://bugs.launchpad.net/bugs/1882098 Title: Packagekit lets user install untrusted local packages in Bionic and Focal To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/packagekit/+bug/1882098/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1882098] Re: Packagekit lets user install untrusted local packages in Bionic and Focal
** Patch added: "0001-aptcc-Do-not-trust-local-debs-allows-root-privileges.patch" https://bugs.launchpad.net/ubuntu/+source/packagekit/+bug/1882098/+attachment/5413161/+files/0001-aptcc-Do-not-trust-local-debs-allows-root-privileges.patch -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to the bug report. https://bugs.launchpad.net/bugs/1882098 Title: Packagekit lets user install untrusted local packages in Bionic and Focal To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/packagekit/+bug/1882098/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1882098] Re: Packagekit lets user install untrusted local packages in Bionic and Focal
It asks apt if the package is trusted, and from apt's POV it is. which might or might not be good, UX wise, for apt (maybe it should also tell you that local debs are not verified), but not much of an issue there. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to the bug report. https://bugs.launchpad.net/bugs/1882098 Title: Packagekit lets user install untrusted local packages in Bionic and Focal To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/packagekit/+bug/1882098/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1882098] Re: Packagekit lets user install untrusted local packages in Bionic and Focal
Thanks for triaging and investigating this, Julian! A fix for at least the aptcc backend would be highly appreciated -- I'd hope the other backends will fix this on their own if they care about it. The point of packagekit+policykit is to enable people to do (at least somewhat limited) stuff without explicit root access -- otherwise you'd just give them sudo rights and be done with it. In the current situation, granting a user the right to install ("trusted") packages actually grants them rights to place arbitrary files in the filesystem and execute arbitrary code (package scripts) as root, which is at the very very least highly misleading. I took a cursory look at the earlier apt backend written in python (which is now deleted from the packagekit tree) and it at least looked like it had some logic to decide whether a package can be trusted or not so it didn't seem like checking where the package is coming from would be unprecedented. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to the bug report. https://bugs.launchpad.net/bugs/1882098 Title: Packagekit lets user install untrusted local packages in Bionic and Focal To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/packagekit/+bug/1882098/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1882098] Re: Packagekit lets user install untrusted local packages in Bionic and Focal
I found out the cause for this, but other backends are affected too probably - basically the packagekit daemon assumes that packages can be trusted themselves, so backends that do not have trust information in packages need to explicitly reject local packages as untrusted, so that PackageKit reprompts for trusted. I'm not sure how to proceed there - I can come up with a fix for aptcc, but upstream can't put in the work for other backends, but then releasing just an apt fix while other backends are vulnerable would not be a good call either. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to the bug report. https://bugs.launchpad.net/bugs/1882098 Title: Packagekit lets user install untrusted local packages in Bionic and Focal To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/packagekit/+bug/1882098/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1882098] Re: Packagekit lets user install untrusted local packages in Bionic and Focal
Yup, install-local does indeed trigger package-install not package- install-untrusted Aug 28 11:28:53 jak-t480s polkitd(authority=local)[1744]: Operator of unix-session:2 FAILED to authenticate to gain authorization for action org.freedesktop.packagekit.package-install for system-bus-name::1.535 [pkcon install-local xterm_353-1ubuntu1_amd64.deb] (owned by unix- user:jak) ** Changed in: packagekit (Ubuntu) Status: New => Triaged -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to the bug report. https://bugs.launchpad.net/bugs/1882098 Title: Packagekit lets user install untrusted local packages in Bionic and Focal To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/packagekit/+bug/1882098/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1882098] Re: Packagekit lets user install untrusted local packages in Bionic and Focal
Hello Seth, I can now confirm that it does not matter if the test users are in no groups. The issue persists. Lines 49 to 56 in the link I provided earlier describe the package- install-untrusted action which should be triggered when installing local packages: Install untrusted local file AFAIK this works as intended with other than aptcc backends, eg in Red Hat. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to the bug report. https://bugs.launchpad.net/bugs/1882098 Title: Packagekit lets user install untrusted local packages in Bionic and Focal To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/packagekit/+bug/1882098/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1882098] Re: Packagekit lets user install untrusted local packages in Bionic and Focal
Hello Seth, the packagekit-deny rule should not be necessary, it's there to underline what is specifically not allowed. AFAIK, there are no other rules which could have granted this permission. This happens on a fresh install of Ubuntu where the above is the only modification to polkit rules. I'm on vacation since yesterday evening, so I cannot currently check if the groups have some kind of unexpected effect. See this for reference: https://github.com/hughsie/PackageKit/blob/master/policy/org.freedesktop.packagekit.policy.in The issue is that the command 'pkcon install-local evil-package-i-just- created.deb' triggers the action 'org.freedesktop.packagekit.package- install' instead of 'org.freedesktop.packagekit.package-install- untrusted' which it should. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to the bug report. https://bugs.launchpad.net/bugs/1882098 Title: Packagekit lets user install untrusted local packages in Bionic and Focal To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/packagekit/+bug/1882098/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1882098] Re: Packagekit lets user install untrusted local packages in Bionic and Focal
Hello Sami, Esko, I'm not very familiar with the packagekit or policykit frameworks, so please forgive me if I'm far off course here with these thoughts: - Is the [tld.univ.packagekit-deny] rule necessary? I'd hope that this permission wouldn't be granted to anyone but admins. - Are there other rules in other files that might have granted this permission? - Does it matter if the test users are in no groups? just their own username-group? adm? sudo? - Does polkit or packagekit have a way to see which rules allow or deny any given request? Thanks -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to the bug report. https://bugs.launchpad.net/bugs/1882098 Title: Packagekit lets user install untrusted local packages in Bionic and Focal To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/packagekit/+bug/1882098/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1882098] Re: Packagekit lets user install untrusted local packages in Bionic and Focal
** Information type changed from Private Security to Public Security -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1882098 Title: Packagekit lets user install untrusted local packages in Bionic and Focal To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/packagekit/+bug/1882098/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs