Packagekit Project

packagekit_project

8 CVEs • 1 product

Products (1)

Click to collapse

Toggle

CVEs (8)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2026-41651 1Packagekit Project 1Packagekit May 5, 2026 Apr 22, 2026 N/A· v4 8.8 HIGH· v3 N/A· v2 PackageKit is a a D-Bus abstraction layer that allows the user to manage packages in a secure way using a cross-distro, cross-architecture API. PackageKit between and including versions 1.0.2 and 1.3.4 is vulnerable to a...Show more PackageKit is a a D-Bus abstraction layer that allows the user to manage packages in a secure way using a cross-distro, cross-architecture API. PackageKit between and including versions 1.0.2 and 1.3.4 is vulnerable to a time-of-check time-of-use (TOCTOU) race condition on transaction flags that allows unprivileged users to install packages as root and thus leads to a local privilege escalation. This is patched in version 1.3.5. A local unprivileged user can install arbitrary RPM packages as root, including executing RPM scriptlets, without authentication. The vulnerability is a TOCTOU race condition on `transaction->cached_transaction_flags` combined with a silent state-machine guard that discards illegal backward transitions while leaving corrupted flags in place. Three bugs exist in `src/pk-transaction.c`: 1. Unconditional flag overwrite (line 4036): `InstallFiles()` writes caller-supplied flags to `transaction->cached_transaction_flags` without checking whether the transaction has already been authorized/started. A second call blindly overwrites the flags even while the transaction is RUNNING. 2. Silent state-transition rejection (lines 873–882): `pk_transaction_set_state()` silently discards backward state transitions (e.g. `RUNNING` → `WAITING_FOR_AUTH`) but the flag overwrite at step 1 already happened. The transaction continues running with corrupted flags. 3. Late flag read at execution time (lines 2273–2277): The scheduler's idle callback reads cached_transaction_flags at dispatch time, not at authorization time. If flags were overwritten between authorization and execution, the backend sees the attacker's flags.Show less
CVE-2024-0217 3Fedoraproject Packagekit ProjectRedhat 3Enterprise Linux FedoraPackagekit Nov 21, 2024 Jan 3, 2024 N/A· v4 3.3 LOW· v3 N/A· v2 A use-after-free flaw was found in PackageKitd. In some conditions, the order of cleanup mechanics for a transaction could be impacted. As a result, some memory access could occur on memory regions that were previously f...Show more A use-after-free flaw was found in PackageKitd. In some conditions, the order of cleanup mechanics for a transaction could be impacted. As a result, some memory access could occur on memory regions that were previously freed. Once freed, a memory region can be reused for other allocations and any previously stored data in this memory region is considered lost.Show less
CVE-2022-0987 2Packagekit Project Redhat 2Enterprise Linux Packagekit Nov 21, 2024 Jun 28, 2022 N/A· v4 3.3 LOW· v3 2.1 LOW· v2 A flaw was found in PackageKit in the way some of the methods exposed by the Transaction interface examines files. This issue allows a local user to measure the time the methods take to execute and know whether a file ow...Show more A flaw was found in PackageKit in the way some of the methods exposed by the Transaction interface examines files. This issue allows a local user to measure the time the methods take to execute and know whether a file owned by root or other users exists.Show less
CVE-2020-16122 2Canonical Packagekit Project 2Packagekit Ubuntu Linux Nov 21, 2024 Nov 7, 2020 N/A· v4 7.8 HIGH· v3 2.1 LOW· v2 PackageKit's apt backend mistakenly treated all local debs as trusted. The apt security model is based on repository trust and not on the contents of individual files. On sites with configured PolicyKit rules this may al...Show more PackageKit's apt backend mistakenly treated all local debs as trusted. The apt security model is based on repository trust and not on the contents of individual files. On sites with configured PolicyKit rules this may allow users to install malicious packages.Show less
CVE-2020-16121 2Canonical Packagekit Project 2Packagekit Ubuntu Linux Nov 21, 2024 Nov 7, 2020 N/A· v4 3.3 LOW· v3 2.1 LOW· v2 PackageKit provided detailed error messages to unprivileged callers that exposed information about file presence and mimetype of files that the user would be unable to determine on its own.
CVE-2011-2515 3Debian Packagekit ProjectRedhat 3Debian Linux Enterprise Linux ServerPackagekit Nov 21, 2024 Nov 27, 2019 N/A· v4 5.3 MEDIUM· v3 4.6 MEDIUM· v2 PackageKit 0.6.17 allows installation of unsigned RPM packages as though they were signed which may allow installation of non-trusted packages and execution of arbitrary code.
CVE-2018-1106 4Canonical DebianPackagekit Project+1 more 9Debian Linux Enterprise Linux DesktopEnterprise Linux Server+6 more Nov 21, 2024 Apr 23, 2018 N/A· v4 5.5 MEDIUM· v3 2.1 LOW· v2 An authentication bypass flaw has been found in PackageKit before 1.1.10 that allows users without administrator privileges to install signed packages. A local attacker can use this vulnerability to install vulnerable pa...Show more An authentication bypass flaw has been found in PackageKit before 1.1.10 that allows users without administrator privileges to install signed packages. A local attacker can use this vulnerability to install vulnerable packages to further compromise a system.Show less
CVE-2013-1764 1Packagekit Project 1Packagekit May 6, 2026 Apr 16, 2014 N/A· v4 N/A· v3 2.1 LOW· v2 The Zypper (aka zypp) backend in PackageKit before 0.8.8 allows local users to downgrade packages via the "install updates" method.