[...]
Got a reply from Pedro Sampaio in https://bugzilla.redhat.com/show_bug.cgi?id=2256624#c3
It is mentioned that although the following is not a direct fix for
the issue, that the commit in v1.2.7 to reduce the impact is the
following:
https://github.com/PackageKit/PackageKit/commit/64278c9127e3333342b56ead99556161f7e86f79
Does that help you with your upstream hat on, and downstream in
Debian?
The CVE page lists that commit as "patch" now, and given that emitting
a finished transaction as finished multiple times could indeed cause
issues (and use-after-free issues potentially as well), I am inclined
to think that that's indeed the issue here and that the patch fixes
it.
That would mean though that all PK versions starting from and
including 1.2.7 are not vulnerable... But the CVE tells otherwise.
Very odd.
I'd read the "unaffected at 1.2.7" as version 1.2.7 and higher not
having the bug... But then again, on another page it said that the
respective patch only lowered the impact...
I remember merging that patch, and it was a pretty good robustness improvement, we didn't talk about any use-after-free issue there
though (so it's not obvious why this changes anything either).
Let's see if we get a reply from the CVE reporter!
On Tue, Feb 20, 2024 at 10:11:35PM +0100, Matthias Klumpp wrote:
The CVE page lists that commit as "patch" now, and given that emitting
a finished transaction as finished multiple times could indeed cause
issues (and use-after-free issues potentially as well), I am inclined
to think that that's indeed the issue here and that the patch fixes
it.
Ok.
That would mean though that all PK versions starting from and
including 1.2.7 are not vulnerable... But the CVE tells otherwise.
Very odd.
But https://www.cve.org/CVERecord?id=CVE-2024-0217 only states
"unaffected at 1.2.7", which seems to be based on the git tag of
the referenced commit?
Sysop: | Keyop |
---|---|
Location: | Huddersfield, West Yorkshire, UK |
Users: | 300 |
Nodes: | 16 (2 / 14) |
Uptime: | 14:08:56 |
Calls: | 6,706 |
Files: | 12,237 |
Messages: | 5,351,097 |