Bug 22947

Summary: packagekit new security issue CVE-2018-1106
Product: Mageia Reporter: David Walser <luigiwalser>
Component: Security Assignee: Thierry Vignaud <thierry.vignaud>
Status: RESOLVED INVALID QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: marja11, ngompa13, smelror
Version: Cauldron   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Source RPM: packagekit-1.1.9-1.mga7.src.rpm CVE:
Status comment:

Description David Walser 2018-04-23 23:10:02 CEST
SUSE has issued an advisory today (April 23):
https://lists.opensuse.org/opensuse-security-announce/2018-04/msg00064.html

I'm not 100% clear on what our exposure to this is, but much detail is in the SUSE bug:
https://bugzilla.suse.com/1086936

Mageia 6 is also potentially affected.
Comment 1 Marja Van Waes 2018-04-24 06:41:10 CEST
Assigning to the registered maintainer, CC'ing two recent committers.

Assignee: bugsquad => thierry.vignaud
CC: (none) => marja11, ngompa13, smelror

Comment 2 Marja Van Waes 2018-04-24 06:58:32 CEST
This bug report was discussed in #mageia-dev last night, the conclusion was that we're not vulnerable.

I don't think Neal and David will mind if I C&P those comments:

2018:04:23:23:10 < Luigi12_work> Pharaoh_Atem: what's your opinion on this?  https://bugs.mageia.org/show_bug.cgi?id=22947
<snip> 
2018:04:23:23:16 < Pharaoh_Atem> according to hughsie, dnf was not vulnerable: 
https://github.com/hughsie/PackageKit/commit/7e8a7905ea9abbd1f384f05f36a4458682cd4697
<snip>
2018:04:23:23:18 < Pharaoh_Atem> if we still had the urpmi backend enabled in Mageia 6 or Cauldron, this would be a problem
2018:04:23:23:18 < Pharaoh_Atem> but we don't, so it turns out to not matter
2018:04:23:23:19 < Luigi12_work> Pharaoh_Atem: so it sounds like we're OK.  Would you mind making that statement on the bug and closing it as INVALID?  Since you're the expert on this stuff, would carry more weight.
2018:04:23:23:19 < Pharaoh_Atem> yeah
2018:04:23:23:19 < Pharaoh_Atem> as soon as I can actually log into mgabz :/

Closing.

Resolution: (none) => INVALID
Status: NEW => RESOLVED

Comment 3 David Walser 2018-04-24 22:27:23 CEST
Red Hat has issued an advisory for this today (April 24):
https://access.redhat.com/errata/RHSA-2018:1224

I guess it's because they're using yum and not dnf.
Comment 4 Neal Gompa 2018-04-25 04:51:06 CEST
Yeah, Red Hat had the PackageKit-Hif backend for a while as an option, but removed it. Both Hif and DNF backends were not vulnerable, but every other backend is.
Comment 5 David Walser 2018-04-28 12:08:19 CEST
Fedora has issued an advisory for this on April 27:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/LVDLEEAY64RYVJIR4LIWUYZ2564A345V/

I thought they weren't affected?
Comment 6 Neal Gompa 2018-07-04 18:44:04 CEST
They weren't, but PackageKit 1.1.10 was released, so they did it anyway.

In any case, this doesn't affect us.