Hi Matthias,

On Thu, Jan 04, 2024 at 09:30:44PM +0100, Matthias Klumpp wrote:
> Hi!
> 
> On Thu, 4 Jan 2024 at 20:51, Salvatore Bonaccorso
> <car...@debian.org>:
> >
> > Source: packagekit
> > Version: 1.2.6-5
> > Severity: important
> > Tags: security upstream
> > X-Debbugs-Cc: car...@debian.org, Debian Security Team
> > <t...@security.debian.org>
> >
> > Hi,
> >
> > The following vulnerability was published for packagekit.
> >
> > CVE-2024-0217[0]:
> > | A use-after-free flaw was found in PackageKitd. In some conditions,
> > | the order of cleanup mechanics for a transaction could be impacted.
> > | As a result, some memory access could occur on memory regions that
> > | were previously freed. Once freed, a memory region can be reused for
> > | other allocations and any previously stored data in this memory
> > | region is considered lost.
> >
> > The only reference known so far is [1], which says as well that the issue
> > should be fixed in 1.2.7 upstream. Do you happen to know more on it?
> 
> This might be the worst CVE I've seen in a while... PackageKit has
> backends, so at the very least this CVE should state whether this
> affects a backend only (in which case we might even be fine if we
> don't ship it) or the daemon core, or a library. Judging from how this
> is worded, it's likely one of the latter, which would be worse.
> On the bug report, it is stated that "It was observed that under some
> conditions, the order of cleanup mechanics for a transaction could be
> impacted.", but there are no details given what these circumstances
> even are.
> Furthermore, Philip Withnall did quite a bit of larger rework on
> PackageKit's transaction logic for 1.2.7, so whatever the issue is it
> might have been accidentally fixed in a larger commit of that series.
> 
> But tbh, this CVE is so vague that I have no idea where I'd even look
> for this (unless I wanted to repeat the work that went into finding
> this and create random transaction states while running with address
> sanitizer on).
> Let's hope the reporter replies to the request in RH bugzilla.

Thanks for the very quick reply!

Ok let's see if the reporter in the Red Hat bugzilla replies to the
'needinfo' request. Will update the bug here in case I notice earlier
than you.

I had expected that packagekit upstream gets some information as well
from Red Hat, so you as well :-)

Thanks a lot for your work!

Regards,
Salvatore