• Bug#1060016: packagekit: CVE-2024-0217

    From Matthias Klumpp@21:1/5 to All on Tue Feb 20 22:20:01 2024
    Hi!

    On Fri, 5 Jan 2024 at 18:57, Salvatore Bonaccorso <carnil@debian.org> wrote:
    [...]
    Got a reply from Pedro Sampaio in https://bugzilla.redhat.com/show_bug.cgi?id=2256624#c3

    It is mentioned that although the following is not a direct fix for
    the issue, that the commit in v1.2.7 to reduce the impact is the
    following:

    https://github.com/PackageKit/PackageKit/commit/64278c9127e3333342b56ead99556161f7e86f79

    Does that help you with your upstream hat on, and downstream in
    Debian?

    Not at all... I also don't know why I should hunt around the code to
    find an issue that someone else has found but where they don't tell me
    where the problem even is.
    The CVE page lists that commit as "patch" now, and given that emitting
    a finished transaction as finished multiple times could indeed cause
    issues (and use-after-free issues potentially as well), I am inclined
    to think that that's indeed the issue here and that the patch fixes
    it.
    That would mean though that all PK versions starting from and
    including 1.2.7 are not vulnerable... But the CVE tells otherwise.
    Very odd.

    Best,
    Matthias

    --
    I welcome VSRE emails. See http://vsre.info/

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
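The hazard Matthias speculates about above, a "finished" signal fired more than once on a transaction whose listener releases its reference on the first emission, is easiest to see in a small model. The following is an added example; it is not PackageKit's code and not code from anyone in this thread, it does not claim to be what CVE-2024-0217 is, and every name in it (ToyTransaction, Listener, emit_finished_guarded, run_double_finish) is hypothetical. Freeing is simulated with a reference counter so the buggy case stays well-defined and can be observed rather than crashing.

```c
#include <stdbool.h>
#include <stdio.h>

/* Added illustration, not PackageKit code: a toy transaction whose
 * "finished" signal is consumed by a listener that drops its reference.
 * Freeing is simulated with a counter so the program stays well-defined
 * even in the buggy case. All names here are hypothetical. */
typedef struct {
    int  refcount;   /* simulated reference count */
    bool finished;   /* guard: has "finished" already been emitted? */
} ToyTransaction;

typedef struct {
    int handler_runs;     /* how many times the finished handler ran */
    int dangling_unrefs;  /* unrefs attempted after the last ref was gone */
} Listener;

typedef void (*FinishedHandler)(ToyTransaction *tx, void *user_data);

/* Typical listener behaviour: once the transaction is done, release it. */
static void listener_on_finished(ToyTransaction *tx, void *user_data)
{
    Listener *l = user_data;
    l->handler_runs++;
    if (tx->refcount <= 0) {
        /* With a real g_object_unref() this would be the double-unref and,
         * on any later access to tx, the use-after-free. */
        l->dangling_unrefs++;
        return;
    }
    tx->refcount--;
}

/* Unguarded: every caller that reaches the "finished" path fires the
 * handler again, so a duplicated or late caller re-runs the listener. */
static void emit_finished_unguarded(ToyTransaction *tx, FinishedHandler h, void *ud)
{
    h(tx, ud);
}

/* Guarded: record the state transition before signalling, and signal only
 * on the first transition. Returns whether the signal was actually emitted. */
static bool emit_finished_guarded(ToyTransaction *tx, FinishedHandler h, void *ud)
{
    if (tx->finished)
        return false;
    tx->finished = true;
    h(tx, ud);
    return true;
}

/* Drive one transaction through two hypothetical code paths that both
 * reach "finished", and report what the listener saw. */
static Listener run_double_finish(bool guarded)
{
    ToyTransaction tx = { .refcount = 1, .finished = false };  /* listener holds the one ref */
    Listener l = { 0, 0 };

    for (int i = 0; i < 2; i++) {
        if (guarded)
            emit_finished_guarded(&tx, listener_on_finished, &l);
        else
            emit_finished_unguarded(&tx, listener_on_finished, &l);
    }
    return l;
}

/* Accessors so the two observable outcomes can be checked individually. */
int double_finish_handler_runs(bool guarded)
{
    return run_double_finish(guarded).handler_runs;
}

int double_finish_dangling_unrefs(bool guarded)
{
    return run_double_finish(guarded).dangling_unrefs;
}

int main(void)
{
    printf("unguarded: handler ran %d times, %d dangling unref(s)\n",
           double_finish_handler_runs(false), double_finish_dangling_unrefs(false));
    printf("guarded:   handler ran %d times, %d dangling unref(s)\n",
           double_finish_handler_runs(true), double_finish_dangling_unrefs(true));
    return 0;
}
```

The guard is the whole point: the state flag is set before the handlers run, so a second caller reaching the "finished" path after the first emission becomes a no-op instead of re-entering listeners that have already torn the object down. Whether that guard is what actually closes CVE-2024-0217 is exactly the question the thread leaves open.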
  • From Moritz Muehlenhoff@21:1/5 to Matthias Klumpp on Wed Feb 21 16:10:01 2024
    On Tue, Feb 20, 2024 at 10:11:35PM +0100, Matthias Klumpp wrote:
    The CVE page lists that commit as "patch" now, and given that emitting
    a finished transaction as finished multiple times could indeed cause
    issues (and use-after-free issues potentially as well), I am inclined
    to think that that's indeed the issue here and that the patch fixes
    it.

    Ok.

    That would mean though that all PK versions starting from and
    including 1.2.7 are not vulnerable... But the CVE tells otherwise.
    Very odd.

    But https://www.cve.org/CVERecord?id=CVE-2024-0217 only states
    "unaffected at 1.2.7", which seems to be based on the git tag of
    the referenced commit?

    Cheers,
    Moritz

  • From Moritz Muehlenhoff@21:1/5 to Matthias Klumpp on Wed Feb 21 16:40:01 2024
    On Wed, Feb 21, 2024 at 04:15:17PM +0100, Matthias Klumpp wrote:
    I'd read the "unaffected at 1.2.7" as version 1.2.7 and higher not
    having the bug... But then again, on another page it said that the
    respective patch only lowered the impact...
    I remember merging that patch, and it was a pretty good robustness
    improvement; we didn't talk about any use-after-free issue there
    though (so it's not obvious why this changes anything either).

    Let's see if we get a reply from the CVE reporter!

    Sounds good. If there's no further information provided I'll mark the
    entry as non actionable in the Debian security tracker and deassociate
    it from https://security-tracker.debian.org/tracker/source-package/packagekit

    Cheers,
    Moritz

  • From Matthias Klumpp@21:1/5 to All on Wed Feb 21 16:20:01 2024
    On Wed, 21 Feb 2024 at 16:05, Moritz Muehlenhoff <jmm@inutil.org> wrote:

    On Tue, Feb 20, 2024 at 10:11:35PM +0100, Matthias Klumpp wrote:
    The CVE page lists that commit as "patch" now, and given that emitting
    a finished transaction as finished multiple times could indeed cause
    issues (and use-after-free issues potentially as well), I am inclined
    to think that that's indeed the issue here and that the patch fixes
    it.

    Ok.

    That would mean though that all PK versions starting from and
    including 1.2.7 are not vulnerable... But the CVE tells otherwise.
    Very odd.

    But https://www.cve.org/CVERecord?id=CVE-2024-0217 only states
    "unaffected at 1.2.7", which seems to be based on the git tag of
    the referenced commit?

    We are all confused. Neal and I asked on the RHEL bug report again: https://bugzilla.redhat.com/show_bug.cgi?id=2256624#c6
    We really need more information here.

    I'd read the "unaffected at 1.2.7" as version 1.2.7 and higher not
    having the bug... But then again, on another page it said that the
    respective patch only lowered the impact...
    I remember merging that patch, and it was a pretty good robustness
    improvement; we didn't talk about any use-after-free issue there
    though (so it's not obvious why this changes anything either).

    Let's see if we get a reply from the CVE reporter!
    Best,
    Matthias

    --
    I welcome VSRE emails. See http://vsre.info/
