Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security bugs CVE-2020-16121 and aptcc specific CVE-2020-16122 #433

Merged
merged 2 commits into from
Sep 25, 2020
Merged

Security bugs CVE-2020-16121 and aptcc specific CVE-2020-16122 #433

merged 2 commits into from
Sep 25, 2020

Conversation

julian-klode
Copy link
Contributor

@julian-klode julian-klode commented Sep 24, 2020
edited
Loading

Vaisha Bernard discovered that PackageKit incorrectly handled certain
methods. A local attacker could use this issue to learn the MIME type of
any file on the system. (CVE-2020-16121)

https://bugs.launchpad.net/bugs/1888887

Sami Niemimäki discovered that PackageKit incorrectly handled local deb
packages. A local user could possibly use this issue to install untrusted
packages, contrary to expectations. (CVE-2020-16122)

https://bugs.launchpad.net/bugs/1882098

@dantti
Copy link
Collaborator

dantti commented Sep 24, 2020

+1 by me

hughsie
hughsie reviewed Sep 24, 2020
View reviewed changes
src/pk-transaction.c Outdated Show resolved Hide resolved
@KexyBiscuit KexyBiscuit mentioned this pull request Sep 25, 2020
Closed
8 tasks
@julian-klode
aptcc: Do not trust local debs (CVE-2020-16122)
8581b77 
Debs do not have signatures on their own, so they are always
untrusted.

Bug-Ubuntu: https://bugs.launchpad.net/bugs/1882098
@julian-klode
Information disclosure in InstallFiles, GetFilesLocal and GetDetailsL…
7bd7a17 
…ocal (CVE-2020-16121)

These functions revealed existence and content type of files, which
allows a non-root user to check existence and content type of any
file on the system, regardless of permission, as the checks are
performed as root.

A correct fix would move those checks into the client, and pass an
fd to the daemon. Here we just hide which failure it is, which we
would need to do anyway, but don't provide an improved version as
that's out of scope for a security issue and requires changes the
reverse dependencies using those functions.

Bug-Ubuntu: https://bugs.launchpad.net/bugs/1888887
@julian-klode
Copy link
Contributor Author

Addressed review comments.

@hughsie hughsie merged commit d5e8c59 into PackageKit:master Sep 25, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@hughsie hughsie hughsie left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@julian-klode @dantti @hughsie