Bug#1060016: packagekit: CVE-2024-0217

2024-02-21 Thread Moritz Muehlenhoff
On Wed, Feb 21, 2024 at 04:15:17PM +0100, Matthias Klumpp wrote:
> I'd read the "unaffected at 1.2.7" as version 1.2.7 and higher not
> having the bug... But then again, on another page it said that the
> respective patch only lowered the impact...
> I remember merging that patch, and it was a

Bug#1060016: packagekit: CVE-2024-0217

2024-02-21 Thread Matthias Klumpp
On Wed, 21 Feb 2024 at 16:05, Moritz Muehlenhoff wrote:
>
> On Tue, Feb 20, 2024 at 10:11:35PM +0100, Matthias Klumpp wrote:
> > The CVE page lists that commit as "patch" now, and given that emitting
> > a finished transaction as finished multiple times could indeed cause
> > issues (and

Bug#1060016: packagekit: CVE-2024-0217

2024-02-21 Thread Moritz Muehlenhoff
On Tue, Feb 20, 2024 at 10:11:35PM +0100, Matthias Klumpp wrote:
> The CVE page lists that commit as "patch" now, and given that emitting
> a finished transaction as finished multiple times could indeed cause
> issues (and use-after-free issues potentially as well), I am inclined
> to think that

Bug#1060016: packagekit: CVE-2024-0217

2024-02-20 Thread Matthias Klumpp
Hi!

On Fri, 5 Jan 2024 at 18:57, Salvatore Bonaccorso wrote:
> [...]
> Got a reply from Pedro Sampaio in
> https://bugzilla.redhat.com/show_bug.cgi?id=2256624#c3
>
> It is mentioned that although the following is not a direct fix for
> the issue, that the commit in v1.2.7 to reduce the

Bug#1060016: packagekit: CVE-2024-0217

2024-01-05 Thread Salvatore Bonaccorso
Hi Matthias,

On Thu, Jan 04, 2024 at 10:44:30PM +0100, Salvatore Bonaccorso wrote:
> Hi Matthias,
>
> On Thu, Jan 04, 2024 at 09:30:44PM +0100, Matthias Klumpp wrote:
> > Hi!
> >
> > On Thu, 4 Jan 2024 at 20:51, Salvatore Bonaccorso wrote:
> > >
> > > Source: packagekit
> > >

Bug#1060016: packagekit: CVE-2024-0217

2024-01-04 Thread Salvatore Bonaccorso
Hi Matthias,

On Thu, Jan 04, 2024 at 09:30:44PM +0100, Matthias Klumpp wrote:
> Hi!
>
> On Thu, 4 Jan 2024 at 20:51, Salvatore Bonaccorso wrote:
> >
> > Source: packagekit
> > Version: 1.2.6-5
> > Severity: important
> > Tags: security upstream
> > X-Debbugs-Cc: car...@debian.org,

Bug#1060016: packagekit: CVE-2024-0217

2024-01-04 Thread Matthias Klumpp
Hi!

On Thu, 4 Jan 2024 at 20:51, Salvatore Bonaccorso wrote:
>
> Source: packagekit
> Version: 1.2.6-5
> Severity: important
> Tags: security upstream
> X-Debbugs-Cc: car...@debian.org, Debian Security Team
>
>
> Hi,
>
> The following vulnerability was published for packagekit.
>
>

Bug#1060016: packagekit: CVE-2024-0217

2024-01-04 Thread Salvatore Bonaccorso
Source: packagekit
Version: 1.2.6-5
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team

Hi,

The following vulnerability was published for packagekit.

CVE-2024-0217[0]:
| A use-after-free flaw was found in PackageKitd. In some conditions,
| the