Hi!

On Fri, 5 Jan 2024 at 18:57, Salvatore Bonaccorso <car...@debian.org> wrote:
> [...]
> Got a reply from Pedro Sampaio in
> https://bugzilla.redhat.com/show_bug.cgi?id=2256624#c3
>
> It is mentioned that although the following is not a direct fix for
> the issue, that the commit in v1.2.7 to reduce the impact is the
> following:
>
> https://github.com/PackageKit/PackageKit/commit/64278c9127e3333342b56ead99556161f7e86f79
>
> Does that help you with your upstream hat on, and downstream in
> Debian?
Not at all... I also don't know why I should hunt around the code to find an issue that someone else has found but where they don't tell me where the problem even is.

The CVE page lists that commit as "patch" now, and given that emitting a finished transaction as finished multiple times could indeed cause issues (and use-after-free issues potentially as well), I am inclined to think that that's indeed the issue here and that the patch fixes it. That would mean though that all PK versions starting from and including 1.2.7 are not vulnerable... But the CVE tells otherwise. Very odd.

Best,
Matthias

--
I welcome VSRE emails. See http://vsre.info/
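The hazard the reply speculates about, a transaction whose "finished" signal is delivered more than once, is easy to make concrete in miniature. The following is an added, constructed illustration of that class of bug and of the usual guard against it; it is not PackageKit code, not the linked commit, and not a reproduction of the CVE. All names (Transaction, Client, emit_finished, run_scenario) are made up for the example, and the refcounting is a deliberately tiny stand-in for GObject semantics.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed example: a refcounted transaction object whose listener
 * drops its reference when it hears "finished". If "finished" is emitted
 * twice, an unguarded emitter calls the listener twice for one lifetime. */

typedef struct Transaction Transaction;
typedef void (*FinishedHandler)(Transaction *tx, void *user_data);

struct Transaction {
    int refcount;
    bool finished;              /* guard: set on first emission, never cleared */
    FinishedHandler on_finished;
    void *user_data;
};

/* The listener side: owns one reference until it sees "finished". */
typedef struct {
    Transaction *tx;            /* our reference, NULL once released */
    int calls;                  /* how often on_finished ran */
    int spurious;               /* calls that arrived after we already released */
} Client;

static Transaction *tx_new(void) {
    Transaction *tx = calloc(1, sizeof *tx);
    if (!tx) abort();
    tx->refcount = 1;           /* the creator's (daemon's) reference */
    return tx;
}

static void tx_ref(Transaction *tx) { tx->refcount++; }

static void tx_unref(Transaction *tx) {
    if (--tx->refcount == 0) free(tx);
}

/* A naive handler would just tx_unref() here. This one detects the second
 * delivery instead of unref'ing a reference it no longer owns. */
static void client_on_finished(Transaction *tx, void *user_data) {
    Client *c = user_data;
    c->calls++;
    if (c->tx == NULL || c->tx != tx) {
        c->spurious++;          /* would be a double unref in the naive handler */
        return;
    }
    tx_unref(c->tx);
    c->tx = NULL;
}

/* Emitter without a guard: delivers the signal every time it is called. */
static void emit_finished_unguarded(Transaction *tx) {
    tx_ref(tx);                 /* keep the object alive across the handler */
    if (tx->on_finished) tx->on_finished(tx, tx->user_data);
    tx_unref(tx);
}

/* Guarded emitter: delivers "finished" at most once per transaction.
 * Returns true if delivered, false if suppressed as a repeat. */
static bool emit_finished(Transaction *tx) {
    if (tx->finished) return false;
    tx->finished = true;
    emit_finished_unguarded(tx);
    return true;
}

/* Scenario: the emitting side signals "finished" twice for one transaction.
 * Returns how many spurious deliveries the client observed. The daemon keeps
 * its own reference for the whole run so the unguarded case stays defined;
 * without that reference the second emission would touch freed memory. */
static int run_scenario(bool guarded) {
    Client c = {0};
    Transaction *tx = tx_new();             /* refcount 1: daemon */
    tx->on_finished = client_on_finished;
    tx->user_data = &c;
    tx_ref(tx);                             /* refcount 2: client */
    c.tx = tx;

    for (int i = 0; i < 2; i++) {
        if (guarded) emit_finished(tx);
        else         emit_finished_unguarded(tx);
    }
    int spurious = c.spurious;
    tx_unref(tx);                           /* daemon's reference; object freed here */
    return spurious;
}

int main(void) {
    printf("unguarded: %d spurious finished delivery\n", run_scenario(false));
    printf("guarded:   %d spurious finished delivery\n", run_scenario(true));
    return 0;
}
```

The unguarded run delivers "finished" twice and the client sees one spurious call; the guarded run delivers it once and the second emit returns false. In the scenario the daemon deliberately holds its reference until the end, which is the only reason the unguarded double delivery is well-defined here. If the emitter had already dropped its last reference after the first delivery, the second emission would be the use-after-free the reply worries about, which is exactly what a once-only guard on the emitting side prevents.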