Hi!

On Fri, 5 Jan 2024 at 18:57, Salvatore Bonaccorso
<car...@debian.org> wrote:
> [...]
> Got a reply from Pedro Sampaio in 
> https://bugzilla.redhat.com/show_bug.cgi?id=2256624#c3
>
> It is mentioned that although the following is not a direct fix for
> the issue, that the commit in v1.2.7 to reduce the impact is the
> following:
>
> https://github.com/PackageKit/PackageKit/commit/64278c9127e3333342b56ead99556161f7e86f79
>
> Does that help you with your upstream hat on, and downstream in
> Debian?

Not at all... I also don't know why I should hunt around the code to
find an issue that someone else has found but where they don't tell me
where the problem even is.
The CVE page lists that commit as "patch" now, and given that emitting
a finished transaction as finished multiple times could indeed cause
issues (and use-after-free issues potentially as well), I am inclined
to think that that's indeed the issue here and that the patch fixes
it.
That would mean though that all PK versions starting from and
including 1.2.7 are not vulnerable... But the CVE says otherwise.
Very odd.

Best,
    Matthias

-- 
I welcome VSRE emails. See http://vsre.info/
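The failure mode Matthias reasons about above (a transaction's "finished" signal fired more than once, with a listener that releases its reference on that signal) as an added example in C. This is not PackageKit's code and does not reproduce the actual PackageKit bug or the linked commit; the object model, the names, and the static pool with an "alive" flag are assumptions made so the stale access can be reported as a result code instead of being real undefined behaviour.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Toy model (assumed for illustration): transactions live in a small static
 * pool; "alive" is cleared when the last reference is dropped, so code that
 * touches a released object can detect it rather than crash. */
#define POOL_SIZE 4

enum { TX_OK = 0, TX_SKIPPED_ALREADY_FINISHED = 1,
       TX_USE_AFTER_FREE = -1, TX_NO_MEMORY = -2 };

typedef struct Transaction Transaction;
typedef void (*FinishedCb)(Transaction *tx, void *user_data);

struct Transaction {
    bool alive;        /* false once the last reference is dropped */
    int refcount;
    bool finished;     /* guard consulted by the fixed emitter */
    FinishedCb on_finished;
    void *user_data;
};

static Transaction pool[POOL_SIZE];

/* Creates a transaction holding one reference for its owner. */
Transaction *tx_new(FinishedCb cb, void *user_data)
{
    for (size_t i = 0; i < POOL_SIZE; i++) {
        if (!pool[i].alive) {
            pool[i].alive = true;
            pool[i].refcount = 1;
            pool[i].finished = false;
            pool[i].on_finished = cb;
            pool[i].user_data = user_data;
            return &pool[i];
        }
    }
    return NULL;
}

void tx_ref(Transaction *tx) { if (tx->alive) tx->refcount++; }

/* Drops a reference; returns true when this drop released the object. */
bool tx_unref(Transaction *tx)
{
    if (!tx->alive) return false;
    if (--tx->refcount == 0) { tx->alive = false; return true; }
    return false;
}

/* Buggy emitter: notifies the listener every time it is called. */
int tx_emit_finished_unguarded(Transaction *tx)
{
    if (!tx->alive) return TX_USE_AFTER_FREE;
    if (tx->on_finished) tx->on_finished(tx, tx->user_data);
    return TX_OK;
}

/* Fixed emitter: a transaction reports "finished" at most once. */
int tx_emit_finished_guarded(Transaction *tx)
{
    if (!tx->alive) return TX_USE_AFTER_FREE;
    if (tx->finished) return TX_SKIPPED_ALREADY_FINISHED;
    tx->finished = true;
    if (tx->on_finished) tx->on_finished(tx, tx->user_data);
    return TX_OK;
}

/* Listener that holds its own reference until the transaction finishes and
 * releases it once per "finished" notification it receives. */
typedef struct { int notified; } Listener;

static void listener_on_finished(Transaction *tx, void *user_data)
{
    Listener *l = user_data;
    l->notified++;
    tx_unref(tx);
}

/* The owner reaches completion through two code paths and emits "finished"
 * twice, then does its normal cleanup. Returns the cleanup result and how
 * many times the listener was notified. */
int scenario_double_finish(bool guarded, int *notified_out)
{
    Listener l = { 0 };
    Transaction *tx = tx_new(listener_on_finished, &l);
    int (*emit)(Transaction *) = guarded ? tx_emit_finished_guarded
                                         : tx_emit_finished_unguarded;
    if (!tx) return TX_NO_MEMORY;
    tx_ref(tx);      /* listener takes its reference: refcount 2 */
    emit(tx);        /* listener drops it: refcount 1 */
    emit(tx);        /* unguarded: listener drops the owner's reference too */
    *notified_out = l.notified;
    if (!tx->alive)  /* owner would now be working on a released object */
        return TX_USE_AFTER_FREE;
    tx_unref(tx);    /* owner's own reference, the last one */
    return TX_OK;
}

int main(void)
{
    int n = 0, rc;
    rc = scenario_double_finish(false, &n);
    printf("unguarded: rc=%d notified=%d\n", rc, n);
    rc = scenario_double_finish(true, &n);
    printf("guarded:   rc=%d notified=%d\n", rc, n);
    return 0;
}
```

The point the model makes is the one in the message: the guard is not the fix for whoever emits twice, but it bounds the damage, because the listener's reference can now be dropped only once and the owner's final access still lands on a live object.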
