Hi!

On Thu, 4 Jan 2024 at 20:51, Salvatore Bonaccorso
<car...@debian.org> wrote:
>
> Source: packagekit
> Version: 1.2.6-5
> Severity: important
> Tags: security upstream
> X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
>
> Hi,
>
> The following vulnerability was published for packagekit.
>
> CVE-2024-0217[0]:
> | A use-after-free flaw was found in PackageKitd. In some conditions,
> | the order of cleanup mechanics for a transaction could be impacted.
> | As a result, some memory access could occur on memory regions that
> | were previously freed. Once freed, a memory region can be reused for
> | other allocations and any previously stored data in this memory
> | region is considered lost.
>
> The only reference known so far is [1], which says as well that the issue
> should be fixed in 1.2.7 upstream. Do you happen to know more on it?

This might be the worst CVE I've seen in a while... PackageKit has
backends, so at the very least this CVE should state whether this
affects a backend only (in which case we might even be fine if we
don't ship it) or the daemon core, or a library. Judging from how this
is worded, it's likely one of the latter, which would be worse.
On the bug report, it is stated that "It was observed that under some
conditions, the order of cleanup mechanics for a transaction could be
impacted.", but there are no details given on what these circumstances
even are.
Furthermore, Philip Withnall did quite a bit of larger rework on
PackageKit's transaction logic for 1.2.7, so whatever the issue is it
might have been accidentally fixed in a larger commit of that series.

But tbh, this CVE is so vague that I have no idea where I'd even look
for this (unless I wanted to repeat the work that went into finding
this and create random transaction states while running with address
sanitizer on).
Let's hope the reporter replies to the request in RH bugzilla.

Cheers,
    Matthias

-- 
I welcome VSRE emails. See http://vsre.info/
