packagekit: CVE-2024-0217

Related Vulnerabilities: CVE-2024-0217  

Debian Bug report logs - #1060016
packagekit: CVE-2024-0217


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 4 Jan 2024 19:51:01 UTC

Severity: important

Tags: security, upstream

Found in version packagekit/1.2.6-5



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Matthias Klumpp <mak@debian.org>:
Bug#1060016; Package src:packagekit. (Thu, 04 Jan 2024 19:51:03 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Matthias Klumpp <mak@debian.org>. (Thu, 04 Jan 2024 19:51:03 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: packagekit: CVE-2024-0217
Date: Thu, 04 Jan 2024 20:47:38 +0100
Source: packagekit
Version: 1.2.6-5
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for packagekit.

CVE-2024-0217[0]:
| A use-after-free flaw was found in PackageKitd. In some conditions,
| the order of cleanup mechanics for a transaction could be impacted.
| As a result, some memory access could occur on memory regions that
| were previously freed. Once freed, a memory region can be reused for
| other allocations and any previously stored data in this memory
| region is considered lost.

The only reference known so far is [1], which says as well that the issue
should be fixed in 1.2.7 upstream. Do you happen to know more on it?


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-0217
    https://www.cve.org/CVERecord?id=CVE-2024-0217
[1] https://bugzilla.redhat.com/show_bug.cgi?id=2256624

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Matthias Klumpp <mak@debian.org>:
Bug#1060016; Package src:packagekit. (Thu, 04 Jan 2024 20:33:02 GMT) (full text, mbox, link).


Acknowledgement sent to Matthias Klumpp <matthias@tenstral.net>:
Extra info received and forwarded to list. Copy sent to Matthias Klumpp <mak@debian.org>. (Thu, 04 Jan 2024 20:33:02 GMT) (full text, mbox, link).


Message #10 received at submit@bugs.debian.org (full text, mbox, reply):

From: Matthias Klumpp <matthias@tenstral.net>
To: Salvatore Bonaccorso <carnil@debian.org>, 1060016@bugs.debian.org
Cc: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Re: Bug#1060016: packagekit: CVE-2024-0217
Date: Thu, 4 Jan 2024 21:30:44 +0100
Hi!

On Thu, 4 Jan 2024 at 20:51, Salvatore Bonaccorso
<carnil@debian.org> wrote:
>
> Source: packagekit
> Version: 1.2.6-5
> Severity: important
> Tags: security upstream
> X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
>
> Hi,
>
> The following vulnerability was published for packagekit.
>
> CVE-2024-0217[0]:
> | A use-after-free flaw was found in PackageKitd. In some conditions,
> | the order of cleanup mechanics for a transaction could be impacted.
> | As a result, some memory access could occur on memory regions that
> | were previously freed. Once freed, a memory region can be reused for
> | other allocations and any previously stored data in this memory
> | region is considered lost.
>
> The only reference known so far is [1], which says as well that the issue
> should be fixed in 1.2.7 upstream. Do you happen to know more on it?

This might be the worst CVE I've seen in a while... PackageKit has
backends, so at the very least this CVE should state whether this
affects a backend only (in which case we might even be fine if we
don't ship it) or the daemon core, or a library. Judging from how this
is worded, it's likely one of the latter, which would be worse.
On the bug report, it is stated that "It was observed that under some
conditions, the order of cleanup mechanics for a transaction could be
impacted.", but there are no details given what these circumstances
even are.
Furthermore, Philip Withnall did quite a bit of larger rework on
PackageKit's transaction logic for 1.2.7, so whatever the issue is it
might have been accidentally fixed in a larger commit of that series.

But tbh, this CVE is so vague that I have no idea where I'd even look
for this (unless I wanted to repeat the work that went into finding
this and create random transaction states while running with address
sanitizer on).
Let's hope the reporter replies to the request in RH bugzilla.

Cheers,
    Matthias

-- 
I welcome VSRE emails. See http://vsre.info/

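The CVE text and Matthias's reply both describe a cleanup-ordering use-after-free on a transaction object and the way such a bug is found (exercising transaction states under AddressSanitizer). The following is an added, constructed C example, not PackageKit code and not the fix that landed in 1.2.7: a reference-counted `Transaction` whose owner drops its reference inside a "finished" handler while the backend job that raised the event still needs the object. `backend_job_unsafe` shows the bad ordering (reading from the object after the owner has released it), `backend_job_safe` the conventional fix (the job holds its own reference across the callback). All names (`Transaction`, `on_finished`, `backend_job_*`, the tid `/42_deadbeef`) are assumptions made for the illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration, not PackageKit code: a reference-counted
 * transaction whose owner (the daemon side) drops its reference inside
 * the "finished" handler, while the backend job that raised the event
 * still touches the object afterwards. The order of those two steps is
 * the whole bug. */

typedef struct Transaction {
    int  refcount;
    int  finished;
    char tid[32];      /* transaction id, e.g. "/42_deadbeef" (constructed) */
} Transaction;

int g_frees;           /* number of transactions freed so far (for checking) */

Transaction *transaction_new(const char *tid)
{
    Transaction *t = calloc(1, sizeof *t);
    if (!t)
        abort();
    t->refcount = 1;   /* the owner's reference */
    snprintf(t->tid, sizeof t->tid, "%s", tid);
    return t;
}

Transaction *transaction_ref(Transaction *t)
{
    t->refcount++;
    return t;
}

void transaction_unref(Transaction *t)
{
    if (--t->refcount == 0) {
        g_frees++;
        free(t);
    }
}

/* Owner-side completion handler: records completion and releases the
 * owner's reference. If that was the last reference, t is gone on return. */
void on_finished(Transaction *t)
{
    t->finished = 1;
    transaction_unref(t);
}

/* BUGGY ordering: the job signals completion first and only afterwards
 * reads from the transaction. Because on_finished() dropped the owner's
 * (only) reference, t->tid is read from freed memory. Built with
 * -fsanitize=address this path is reported as heap-use-after-free. */
int backend_job_unsafe(Transaction *t)
{
    on_finished(t);
    return (int)strlen(t->tid);    /* use-after-free */
}

/* FIXED ordering: the job takes its own reference for as long as it uses
 * the object, so the owner's unref inside on_finished() cannot free it
 * underneath us. The job's own unref at the end is what finally frees it. */
int backend_job_safe(Transaction *t)
{
    Transaction *held = transaction_ref(t);
    on_finished(held);
    int len = (int)strlen(held->tid);   /* valid: we still hold a reference */
    transaction_unref(held);            /* last reference: freed here, once */
    return len;
}

/* Drive the safe path once; g_frees lets a caller confirm the transaction
 * was freed exactly once. Returns the tid length read after completion. */
int demo_safe(void)
{
    g_frees = 0;
    Transaction *t = transaction_new("/42_deadbeef");   /* constructed tid */
    return backend_job_safe(t);
}

int main(void)
{
    int len = demo_safe();
    printf("safe path: tid length %d, transactions freed %d\n", len, g_frees);
    /* backend_job_unsafe(transaction_new("/42_deadbeef"));  -- run only under ASan */
    return 0;
}
```

To see the failure mode rather than read about it, uncomment the `backend_job_unsafe` call and build with `-fsanitize=address -g`: the sanitizer report names the read in `backend_job_unsafe`, the `free` in `transaction_unref`, and the allocation in `transaction_new`, which is the kind of evidence a vague CVE description lacks.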


Information forwarded to debian-bugs-dist@lists.debian.org, Matthias Klumpp <mak@debian.org>:
Bug#1060016; Package src:packagekit. (Thu, 04 Jan 2024 20:33:05 GMT) (full text, mbox, link).


Acknowledgement sent to Matthias Klumpp <matthias@tenstral.net>:
Extra info received and forwarded to list. Copy sent to Matthias Klumpp <mak@debian.org>. (Thu, 04 Jan 2024 20:33:05 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Matthias Klumpp <mak@debian.org>:
Bug#1060016; Package src:packagekit. (Thu, 04 Jan 2024 21:48:03 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Matthias Klumpp <mak@debian.org>. (Thu, 04 Jan 2024 21:48:04 GMT) (full text, mbox, link).


Message #20 received at 1060016@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Matthias Klumpp <matthias@tenstral.net>
Cc: 1060016@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#1060016: packagekit: CVE-2024-0217
Date: Thu, 4 Jan 2024 22:44:30 +0100
Hi Matthias,

On Thu, Jan 04, 2024 at 09:30:44PM +0100, Matthias Klumpp wrote:
> Hi!
> 
> On Thu, 4 Jan 2024 at 20:51, Salvatore Bonaccorso
> <carnil@debian.org> wrote:
> >
> > Source: packagekit
> > Version: 1.2.6-5
> > Severity: important
> > Tags: security upstream
> > X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
> >
> > Hi,
> >
> > The following vulnerability was published for packagekit.
> >
> > CVE-2024-0217[0]:
> > | A use-after-free flaw was found in PackageKitd. In some conditions,
> > | the order of cleanup mechanics for a transaction could be impacted.
> > | As a result, some memory access could occur on memory regions that
> > | were previously freed. Once freed, a memory region can be reused for
> > | other allocations and any previously stored data in this memory
> > | region is considered lost.
> >
> > The only reference known so far is [1], which says as well that the issue
> > should be fixed in 1.2.7 upstream. Do you happen to know more on it?
> 
> This might be the worst CVE I've seen in a while... PackageKit has
> backends, so at the very least this CVE should state whether this
> affects a backend only (in which case we might even be fine if we
> don't ship it) or the daemon core, or a library. Judging from how this
> is worded, it's likely one of the latter, which would be worse.
> On the bug report, it is stated that "It was observed that under some
> conditions, the order of cleanup mechanics for a transaction could be
> impacted.", but there are no details given what these circumstances
> even are.
> Furthermore, Philip Withnall did quite a bit of larger rework on
> PackageKit's transaction logic for 1.2.7, so whatever the issue is it
> might have been accidentally fixed in a larger commit of that series.
> 
> But tbh, this CVE is so vague that I have no idea where I'd even look
> for this (unless I wanted to repeat the work that went into finding
> this and create random transaction states while running with address
> sanitizer on).
> Let's hope the reporter replies to the request in RH bugzilla.

Thanks for the very quick reply! 

Ok let's see if the reporter in the Red Hat bugzilla replies to the
'needinfo' request. Will update the bug here in case I notice earlier
than you.

I had expected that packagekit upstream would get some information as well
from Red Hat, so you as well :-)

Thanks a lot for your work!

Regards,
Salvatore





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Jan 5 08:19:38 2024; Machine Name: bembo
