[Bug 1882098] Re: Packagekit lets user install untrusted local packages in Bionic and Focal
Launchpad Bug Tracker
1882098 at bugs.launchpad.net
Thu Sep 24 12:56:01 UTC 2020
This bug was fixed in the package packagekit - 0.8.17-4ubuntu6~gcc5.4ubuntu1.5
---------------
packagekit (0.8.17-4ubuntu6~gcc5.4ubuntu1.5) xenial-security; urgency=medium
* SECURITY UPDATE: information disclosure (LP: #1888887)
- debian/patches/CVE-2020-16121.patch: hide failures behind a single
error message in src/pk-transaction.c.
- CVE-2020-16121
* SECURITY UPDATE: untrusted local file installation (LP: #1882098)
- debian/patches/CVE-2020-16122.patch: do not trust local packages in
backends/aptcc/apt-intf.cpp.
- CVE-2020-16122
-- Marc Deslauriers <marc.deslauriers at ubuntu.com> Wed, 23 Sep 2020 13:23:04 -0400
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to packagekit in Ubuntu.
https://bugs.launchpad.net/bugs/1882098
Title:
Packagekit lets user install untrusted local packages in Bionic and Focal
Status in packagekit package in Ubuntu:
Fix Released
Bug description:
We have packagekit configured to allow users to install trusted
packages from preconfigured repositories, but disallowed them to
install any untrusted packages.
The policykit configuration we use is following:
[tld.univ.packagekit]
Identity=unix-group:adm;
Action=org.freedesktop.packagekit.package-install;org.freedesktop.packagekit.package-reinstall;org.freedesktop.packagekit.package-remove;org.freedesktop.packagekit.system-sources-refresh;org.freedesktop.packagekit.system-update;org.freedesktop.packagekit.repair-system;
ResultAny=auth_self
ResultActive=auth_self
ResultInactive=auth_self
[tld.univ.packagekit-deny]
Identity=unix-user:*;
Action=org.freedesktop.packagekit.package-install-untrusted;
ResultAny=no
We would expect this to prevent users from installing local packages
downloaded from random repositories, however this does not seem to be
the case.
pkcon install-local random_package.deb will happily prompt for the
user to authenticate and will install the package, while pkcon
--allow-untrusted install-local random_package.deb will prompt for
root password, which the user does not have.
Our initial thoughts were that the issue would be in packagekitd, but
after further investigations it looks like the issue could be in the aptcc
backend.
We are more than happy to provide you with further details, but the
above should be enough to reproduce the issue.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/packagekit/+bug/1882098/+subscriptions
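Added example, not code from the report or from PackageKit: the reporter's .pkla rules evaluated by a small Python model, so an administrator can check which polkit result a given user and action resolve to. It assumes that a later matching section overrides an earlier one, and it simplifies the daemon to "the untrusted action is checked only when the client passes --allow-untrusted or the backend classifies the package as untrusted"; `backend_trusts_local=True` models the pre-fix aptcc behaviour the report describes.

```python
import configparser

# Constructed copy of the .pkla rules quoted in the bug report.
PKLA = """\
[tld.univ.packagekit]
Identity=unix-group:adm;
Action=org.freedesktop.packagekit.package-install;org.freedesktop.packagekit.package-reinstall;org.freedesktop.packagekit.package-remove;org.freedesktop.packagekit.system-sources-refresh;org.freedesktop.packagekit.system-update;org.freedesktop.packagekit.repair-system;
ResultAny=auth_self
ResultActive=auth_self
ResultInactive=auth_self

[tld.univ.packagekit-deny]
Identity=unix-user:*;
Action=org.freedesktop.packagekit.package-install-untrusted;
ResultAny=no
"""
INSTALL = "org.freedesktop.packagekit.package-install"
INSTALL_UNTRUSTED = "org.freedesktop.packagekit.package-install-untrusted"

def identity_matches(ident, user, groups):
    """Match one Identity entry: unix-user:NAME, unix-group:NAME, or * wildcard."""
    kind, _, name = ident.partition(":")
    if kind == "unix-user":
        return name in ("*", user)
    if kind == "unix-group":
        return name == "*" or name in groups
    return False

def evaluate(pkla_text, user, groups, action, session="active"):
    """Result the rules give for (user, action); None if no section matches.
    Assumption: a later matching section overrides an earlier one."""
    key = {"any": "ResultAny", "active": "ResultActive", "inactive": "ResultInactive"}[session]
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(pkla_text)
    result = None
    for name in cp.sections():
        sec = cp[name]
        idents = [i for i in sec.get("Identity", "").split(";") if i]
        actions = [a for a in sec.get("Action", "").split(";") if a]
        if action in actions and any(identity_matches(i, user, groups) for i in idents):
            result = sec.get(key) or sec.get("ResultAny")  # fall back to ResultAny
    return result

def action_checked(local_file, allow_untrusted, backend_trusts_local):
    """Simplified model (assumption) of which polkit action an install request hits."""
    untrusted = allow_untrusted or (local_file and not backend_trusts_local)
    return INSTALL_UNTRUSTED if untrusted else INSTALL

def local_install_result(user, groups, allow_untrusted, backend_trusts_local):
    """Polkit result for `pkcon install-local` under the reporter's rules."""
    return evaluate(PKLA, user, groups, action_checked(True, allow_untrusted, backend_trusts_local))
```

With the pre-fix backend an adm member's local .deb resolves to `auth_self` (their own password), while the same request against a backend that marks local files untrusted, or with `--allow-untrusted`, resolves to `no`.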