[Bug 1882098] Re: Packagekit lets user install untrusted local packages in Bionic and Focal
Julian Andres Klode
1882098 at bugs.launchpad.net
Tue Sep 1 13:57:40 UTC 2020
I found out the cause for this, but other backends are probably affected too
- basically, the PackageKit daemon assumes that packages can be trusted themselves,
so backends that do not have trust information in packages need to explicitly
reject local packages as untrusted, so that PackageKit reprompts for trusted.

I'm not sure how to proceed there - I can come up with a fix for aptcc, but
upstream can't put in the work for other backends, but then releasing just an
apt fix while other backends are vulnerable would not be a good call either.
--
https://bugs.launchpad.net/bugs/1882098