Bug#1060016: packagekit: CVE-2024-0217
Salvatore Bonaccorso
2024-01-04 20:00:01 UTC
Source: packagekit
Version: 1.2.6-5
Severity: important
Tags: security upstream
X-Debbugs-Cc: ***@debian.org, Debian Security Team <***@security.debian.org>

Hi,

The following vulnerability was published for packagekit.

CVE-2024-0217[0]:
| A use-after-free flaw was found in PackageKitd. In some conditions,
| the order of cleanup mechanics for a transaction could be impacted.
| As a result, some memory access could occur on memory regions that
| were previously freed. Once freed, a memory region can be reused for
| other allocations and any previously stored data in this memory
| region is considered lost.

The only reference known so far is [1], which says as well that the issue
should be fixed in 1.2.7 upstream. Do you happen to know more about it?


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-0217
https://www.cve.org/CVERecord?id=CVE-2024-0217
[1] https://bugzilla.redhat.com/show_bug.cgi?id=2256624

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
Matthias Klumpp
2024-01-04 20:40:01 UTC
Hi!

On Thu, 4 Jan 2024 at 20:51, Salvatore Bonaccorso wrote:
Post by Salvatore Bonaccorso
Source: packagekit
Version: 1.2.6-5
Severity: important
Tags: security upstream
Hi,
The following vulnerability was published for packagekit.
| A use-after-free flaw was found in PackageKitd. In some conditions,
| the order of cleanup mechanics for a transaction could be impacted.
| As a result, some memory access could occur on memory regions that
| were previously freed. Once freed, a memory region can be reused for
| other allocations and any previously stored data in this memory
| region is considered lost.
The only reference known so far is [1], which says as well that the issue
should be fixed in 1.2.7 upstream. Do you happen to know more about it?
This might be the worst CVE I've seen in a while... PackageKit has
backends, so at the very least this CVE should state whether this
affects a backend only (in which case we might even be fine if we
don't ship it) or the daemon core, or a library. Judging from how this
is worded, it's likely one of the latter, which would be worse.
On the bug report, it is stated that "It was observed that under some
conditions, the order of cleanup mechanics for a transaction could be
impacted.", but there are no details given what these circumstances
even are.
Furthermore, Philip Withnall did quite a bit of larger rework on
PackageKit's transaction logic for 1.2.7, so whatever the issue is it
might have been accidentally fixed in a larger commit of that series.

But tbh, this CVE is so vague that I have no idea where I'd even look
for this (unless I wanted to repeat the work that went into finding
this and create random transaction states while running with address
sanitizer on).
Let's hope the reporter replies to the request in RH bugzilla.

Cheers,
Matthias
--
I welcome VSRE emails. See http://vsre.info/
Salvatore Bonaccorso
2024-01-04 21:50:01 UTC
Hi Matthias,
Post by Matthias Klumpp
Hi!
On Thu, 4 Jan 2024 at 20:51, Salvatore Bonaccorso wrote:
Post by Salvatore Bonaccorso
Source: packagekit
Version: 1.2.6-5
Severity: important
Tags: security upstream
Hi,
The following vulnerability was published for packagekit.
| A use-after-free flaw was found in PackageKitd. In some conditions,
| the order of cleanup mechanics for a transaction could be impacted.
| As a result, some memory access could occur on memory regions that
| were previously freed. Once freed, a memory region can be reused for
| other allocations and any previously stored data in this memory
| region is considered lost.
The only reference known so far is [1], which says as well that the issue
should be fixed in 1.2.7 upstream. Do you happen to know more about it?
This might be the worst CVE I've seen in a while... PackageKit has
backends, so at the very least this CVE should state whether this
affects a backend only (in which case we might even be fine if we
don't ship it) or the daemon core, or a library. Judging from how this
is worded, it's likely one of the latter, which would be worse.
On the bug report, it is stated that "It was observed that under some
conditions, the order of cleanup mechanics for a transaction could be
impacted.", but there are no details given what these circumstances
even are.
Furthermore, Philip Withnall did quite a bit of larger rework on
PackageKit's transaction logic for 1.2.7, so whatever the issue is it
might have been accidentally fixed in a larger commit of that series.
But tbh, this CVE is so vague that I have no idea where I'd even look
for this (unless I wanted to repeat the work that went into finding
this and create random transaction states while running with address
sanitizer on).
Let's hope the reporter replies to the request in RH bugzilla.
Thanks for the very quick reply!

Ok let's see if the reporter in the Red Hat bugzilla replies to the
'needinfo' request. Will update the bug here in case I notice earlier
than you.

I had expected that packagekit upstream would get some information from
Red Hat as well, so you too :-)

Thanks a lot for your work!

Regards,
Salvatore
Salvatore Bonaccorso
2024-01-05 18:10:02 UTC
Hi Matthias,
Post by Salvatore Bonaccorso
Hi Matthias,
Post by Matthias Klumpp
Hi!
On Thu, 4 Jan 2024 at 20:51, Salvatore Bonaccorso wrote:
Post by Salvatore Bonaccorso
Source: packagekit
Version: 1.2.6-5
Severity: important
Tags: security upstream
Hi,
The following vulnerability was published for packagekit.
| A use-after-free flaw was found in PackageKitd. In some conditions,
| the order of cleanup mechanics for a transaction could be impacted.
| As a result, some memory access could occur on memory regions that
| were previously freed. Once freed, a memory region can be reused for
| other allocations and any previously stored data in this memory
| region is considered lost.
The only reference known so far is [1], which says as well that the issue
should be fixed in 1.2.7 upstream. Do you happen to know more about it?
This might be the worst CVE I've seen in a while... PackageKit has
backends, so at the very least this CVE should state whether this
affects a backend only (in which case we might even be fine if we
don't ship it) or the daemon core, or a library. Judging from how this
is worded, it's likely one of the latter, which would be worse.
On the bug report, it is stated that "It was observed that under some
conditions, the order of cleanup mechanics for a transaction could be
impacted.", but there are no details given what these circumstances
even are.
Furthermore, Philip Withnall did quite a bit of larger rework on
PackageKit's transaction logic for 1.2.7, so whatever the issue is it
might have been accidentally fixed in a larger commit of that series.
But tbh, this CVE is so vague that I have no idea where I'd even look
for this (unless I wanted to repeat the work that went into finding
this and create random transaction states while running with address
sanitizer on).
Let's hope the reporter replies to the request in RH bugzilla.
Thanks for the very quick reply!
Ok let's see if the reporter in the Red Hat bugzilla replies to the
'needinfo' request. Will update the bug here in case I notice earlier
than you.
I had expected that packagekit upstream would get some information from
Red Hat as well, so you too :-)
Thanks a lot for your work!
Got a reply from Pedro Sampaio in https://bugzilla.redhat.com/show_bug.cgi?id=2256624#c3

It is mentioned that, although it is not a direct fix for the issue,
the commit in v1.2.7 that reduces the impact is the following:

https://github.com/PackageKit/PackageKit/commit/64278c9127e3333342b56ead99556161f7e86f79

Does that help you with your upstream hat on, and downstream in
Debian?

Regards,
Salvatore
Matthias Klumpp
2024-02-20 21:20:01 UTC
Hi!

On Fri, 5 Jan 2024 at 18:57, Salvatore Bonaccorso wrote:
Post by Salvatore Bonaccorso
[...]
Got a reply from Pedro Sampaio in https://bugzilla.redhat.com/show_bug.cgi?id=2256624#c3
It is mentioned that, although it is not a direct fix for the issue,
the commit in v1.2.7 that reduces the impact is the following:
https://github.com/PackageKit/PackageKit/commit/64278c9127e3333342b56ead99556161f7e86f79
Does that help you with your upstream hat on, and downstream in
Debian?
Not at all... I also don't know why I should hunt around the code to
find an issue that someone else has found but where they don't tell me
where the problem even is.
The CVE page lists that commit as "patch" now, and given that emitting
a finished transaction as finished multiple times could indeed cause
issues (and use-after-free issues potentially as well), I am inclined
to think that that's indeed the issue here and that the patch fixes
it.
That would mean though that all PK versions starting from and
including 1.2.7 are not vulnerable... But the CVE tells otherwise.
Very odd.

Best,
Matthias
--
I welcome VSRE emails. See http://vsre.info/
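As an added illustration (not PackageKit's code and not part of this thread), a hypothetical C model of the once-only "finished" guard Matthias describes above: a second completion report for the same transaction is ignored, listeners are notified once, and deferred cleanup releases the object once. The `Daemon`, `Transaction`, `daemon_start`, `daemon_finish` and `daemon_reap` names are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical model (not PackageKit's code) of a daemon that owns
 * transactions and emits "finished" to listeners exactly once each. */
#define MAX_TX 8
typedef struct { char id[32]; bool finished; } Transaction;
typedef struct {
    Transaction *live[MAX_TX]; /* transactions the daemon still owns */
    int signals;               /* "finished" notifications delivered */
} Daemon;

Transaction *daemon_start(Daemon *d, const char *id)
{
    for (int i = 0; i < MAX_TX; i++) {
        if (d->live[i]) continue;
        Transaction *tx = calloc(1, sizeof *tx);
        if (!tx) return NULL;
        strncpy(tx->id, id, sizeof tx->id - 1);
        return d->live[i] = tx;
    }
    return NULL;
}

/* Completion can arrive from more than one path (backend done, cancel,
 * watchdog). The guard turns every report after the first into a no-op,
 * so listeners are never called again on a transaction they let go of. */
bool daemon_finish(Daemon *d, const char *id)
{
    for (int i = 0; i < MAX_TX; i++) {
        Transaction *tx = d->live[i];
        if (!tx || strcmp(tx->id, id) != 0) continue;
        if (tx->finished) return false; /* already emitted: ignore */
        tx->finished = true;
        d->signals++;                   /* listeners notified here */
        return true;
    }
    return false;                       /* unknown or already reaped */
}

/* Deferred cleanup: unregister, then release, each finished transaction
 * once; later daemon_finish() calls for that id find nothing to touch. */
int daemon_reap(Daemon *d)
{
    int n = 0;
    for (int i = 0; i < MAX_TX; i++) {
        Transaction *tx = d->live[i];
        if (!tx || !tx->finished) continue;
        d->live[i] = NULL; free(tx); n++;
    }
    return n;
}
```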
Moritz Muehlenhoff
2024-02-21 15:10:01 UTC
Post by Matthias Klumpp
The CVE page lists that commit as "patch" now, and given that emitting
a finished transaction as finished multiple times could indeed cause
issues (and use-after-free issues potentially as well), I am inclined
to think that that's indeed the issue here and that the patch fixes
it.
Ok.
Post by Matthias Klumpp
That would mean though that all PK versions starting from and
including 1.2.7 are not vulnerable... But the CVE tells otherwise.
Very odd.
But https://www.cve.org/CVERecord?id=CVE-2024-0217 only states
"unaffected at 1.2.7", which seems to be based on the git tag of
the referenced commit?

Cheers,
Moritz
Matthias Klumpp
2024-02-21 15:20:01 UTC
Post by Moritz Muehlenhoff
Post by Matthias Klumpp
The CVE page lists that commit as "patch" now, and given that emitting
a finished transaction as finished multiple times could indeed cause
issues (and use-after-free issues potentially as well), I am inclined
to think that that's indeed the issue here and that the patch fixes
it.
Ok.
Post by Matthias Klumpp
That would mean though that all PK versions starting from and
including 1.2.7 are not vulnerable... But the CVE tells otherwise.
Very odd.
But https://www.cve.org/CVERecord?id=CVE-2024-0217 only states
"unaffected at 1.2.7", which seems to be based on the git tag of
the referenced commit?
We are all confused. Neal and I asked on the RHEL bug report again:
https://bugzilla.redhat.com/show_bug.cgi?id=2256624#c6
We really need more information here.

I'd read the "unaffected at 1.2.7" as version 1.2.7 and higher not
having the bug... But then again, on another page it said that the
respective patch only lowered the impact...
I remember merging that patch, and it was a pretty good robustness
improvement, we didn't talk about any use-after-free issue there
though (so it's not obvious why this changes anything either).

Let's see if we get a reply from the CVE reporter!
Best,
Matthias
--
I welcome VSRE emails. See http://vsre.info/
Moritz Muehlenhoff
2024-02-21 15:40:01 UTC
Post by Matthias Klumpp
I'd read the "unaffected at 1.2.7" as version 1.2.7 and higher not
having the bug... But then again, on another page it said that the
respective patch only lowered the impact...
I remember merging that patch, and it was a pretty good robustness
improvement, we didn't talk about any use-after-free issue there
though (so it's not obvious why this changes anything either).
Let's see if we get a reply from the CVE reporter!
Sounds good. If there's no further information provided I'll mark the
entry as non-actionable in the Debian security tracker and disassociate
it from https://security-tracker.debian.org/tracker/source-package/packagekit

Cheers,
Moritz
Moritz Mühlenhoff
2024-10-30 16:40:01 UTC
Post by Moritz Muehlenhoff
Post by Matthias Klumpp
I'd read the "unaffected at 1.2.7" as version 1.2.7 and higher not
having the bug... But then again, on another page it said that the
respective patch only lowered the impact...
I remember merging that patch, and it was a pretty good robustness
improvement, we didn't talk about any use-after-free issue there
though (so it's not obvious why this changes anything either).
Let's see if we get a reply from the CVE reporter!
Sounds good. If there's no further information provided I'll mark the
entry as non-actionable in the Debian security tracker and disassociate
it from https://security-tracker.debian.org/tracker/source-package/packagekit
Half a year later still no actionable information was provided. I'll
go ahead and mark this as bogus in the Debian Security Tracker (so that
it no longer appears on the CVE page for packagekit).

As for this bug, I'd suggest we also simply close it?

Cheers,
Moritz