Re: CVE Request: PackageKit"update" allows downgrade of packages when using the "zypp" backend

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/23/2013 12:34 AM, Marcus Meissner wrote:
> Hi,
>
> On openSUSE we have started to allow local logged in users to install
> online updates (but not install new packages or remove ones), as this
> seems a common and secure operation to us.
> (Also done in light of the Linus Torvalds flame posting.)
>
> PolicyKit rules in PackageKit also allow this in the vanilla version:
>       org.freedesktop.packagekit.system-update
> shipping default is "yes" for local logged-in active users.
>
>
> So far we assumed that the update operation only allows upgrading versions.
>
> The enforcement of this rule did not fully work, so at least the "zypp"
> backend of PackageKit allowed downgrade of packages using this call.
> The "update" method also allowed installing non-update resolvables like
> patterns or even new packages.
>
> We have not checked the other backends, they might also be affected.
>
> https://bugzilla.novell.com/show_bug.cgi?id=804983
> https://bugs.freedesktop.org/show_bug.cgi?id=61231
> https://gitorious.org/packagekit/packagekit/commit/d3d14631042237bcfe6fb30a60e59bb6d94af425
>
>
> As the default assumed secure behaviour is violated, this requires a CVE.
>
> Ciao, Marcus

Please use CVE-2013-1764 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRK9ZxAAoJEBYNRVNeJnmTvgUQAMcAT3QN0a6dDWzK+2Y5pJEG
ozK1TrS2/X9k5MatjGm9zfldI3Dodo8cvn++zHIWn21aRNSmUF+v5x+UNKEX/AoC
fOS8kTRSe0D+KvsaHLGmB8ZwxTl5M2kMx82cky015ZDNB77fPpsaZOCMOEmYSNlU
dt85EZkt6845sz+AEo1DaEnpvbxR3koEnA61unQUtVdbNv6xmh9WuPi7pX7vQ6Mb
UqwWFNaGeqEbiygBc6RnGatcb0iqsH3Bv9huXhHhgT+o/oBoZ9yaFka2hbuSHe6p
uOmtXiAKPItpOObUA3fHTOBXwCzF+QO+qzOzHleQotFfJCwkOHphmeDq08tZLwku
zPG7L4fB/OL6MhwxiO2cBfV3MnmwmR3km7Yv/RpQ/g+IL3DL5cerhujWT0Zn7YTU
kk5zE20baS8K4MFEEdApER3QpgNZZfnxCXRkp1gx058cvzdfrx8f9VOusSS2OLbH
+i65gTYzqhwJJVWJaCsagHh05311KkBdBtdvDhh/2GqRTsIxEKvBFZRsi4tQTc0C
twJpP63Poy2OazO76esQRG8vlt2WGggWA+E87HIp/P8s8Msz0Ezd8kJgwpU3LzXW
2Zy4mQA7dS68j2LaFy8n+nUu9EgolrsO7xSMegm1wYAFtFAEjjsemtGucvQhXR52
gIyQM7ZqELbUrWTZ9TnR
=EYRJ
-----END PGP SIGNATURE-----