Bug 61231

Summary: PackageKit "update" can downgrade packages
Product: PackageKit
Reporter: Marcus Meissner <meissner>
Component: core
Assignee: Richard Hughes <richard>
Status: RESOLVED FIXED
QA Contact:
Severity: major
Priority: medium
CC: ludwig.nussel
Version: unspecified
Hardware: Other
OS: All
Whiteboard:
Attachments: commandline log of the update that downgraded packages

Description Marcus Meissner 2013-02-21 14:35:12 UTC
Ludwig Nussel reported during testing that "update" can downgrade packages,
while we would expect it can only upgrade packages.

In openSUSE we allow "update" for the logged in desktop user, so a local attacker could use this to install a previously fixed package with security problems and so potentially be able to exploit this older issue.

The expectation would be that "downgrading" would require either install or similar privileges.
Comment 1 Marcus Meissner 2013-02-21 14:35:55 UTC
Created attachment 75253 [details]
commandline log of the update that downgraded packages
Comment 2 Richard Hughes 2013-02-21 15:24:27 UTC
PackageKit doesn't do any validation on the package numbers to ensure they "go up" but it's an expected thing of the backend to ensure the packages don't get downgraded.
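The guard that Comment 2 says a backend is expected to apply, written out as an added example; this is neither PackageKit's nor the zypper backend's code. It orders package versions by RPM's epoch:version-release rules, following the segment-wise algorithm of rpm's rpmvercmp() (including the '^' rule that later rpm releases added), and refuses any candidate whose EVR is not strictly newer than what is installed. The package names and versions are constructed sample data, and the function names (`rpmvercmp`, `evr_cmp`, `plan_update`) are my own.

```python
"""Downgrade guard for an "update" transaction, using RPM EVR ordering.

Added illustration, not PackageKit or zypper backend code. The sample
package set below is constructed, not taken from the attached log.
"""


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1, comparing version strings the way rpm's rpmvercmp() does."""
    if a == b:
        return 0
    i, j, la, lb = 0, 0, len(a), len(b)
    while i < la or j < lb:
        # skip separators: anything that is not alphanumeric, '~' or '^'
        while i < la and not (a[i].isalnum() or a[i] in "~^"):
            i += 1
        while j < lb and not (b[j].isalnum() or b[j] in "~^"):
            j += 1
        a_tilde, b_tilde = i < la and a[i] == "~", j < lb and b[j] == "~"
        if a_tilde or b_tilde:
            # '~' sorts before anything, even the end of the string (1.0~rc1 < 1.0)
            if not a_tilde:
                return 1
            if not b_tilde:
                return -1
            i, j = i + 1, j + 1
            continue
        a_caret, b_caret = i < la and a[i] == "^", j < lb and b[j] == "^"
        if a_caret or b_caret:
            # '^' sorts after the end of the string but before any other segment
            if i >= la:
                return -1
            if j >= lb:
                return 1
            if not a_caret:
                return 1
            if not b_caret:
                return -1
            i, j = i + 1, j + 1
            continue
        if i >= la or j >= lb:
            break
        # take the next run of digits (or of letters) from each side
        isnum = a[i].isdigit()
        kind = str.isdigit if isnum else str.isalpha
        ia, jb = i, j
        while ia < la and kind(a[ia]):
            ia += 1
        while jb < lb and kind(b[jb]):
            jb += 1
        seg_a, seg_b = a[i:ia], b[j:jb]
        if not seg_b:
            # segments of different kinds: a numeric segment is newer than an alpha one
            return 1 if isnum else -1
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
        i, j = ia, jb
    if i >= la and j >= lb:
        return 0
    return -1 if i >= la else 1  # whichever side still has segments is newer


def parse_evr(evr: str):
    """Split 'epoch:version-release'; a missing epoch is 0, a missing release is ''."""
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr
    version, sep, release = rest.rpartition("-")
    if not sep:
        version, release = rest, ""
    return epoch or "0", version, release


def evr_cmp(a: str, b: str) -> int:
    """Compare two EVR strings: epoch first, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    return rpmvercmp(ea, eb) or rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def plan_update(installed: dict, candidates: dict):
    """Keep only candidates strictly newer than the installed EVR.

    Returns (upgrades, downgrades): upgrades maps name -> new EVR, downgrades maps
    name -> (installed EVR, rejected EVR). Candidates for packages that are not
    installed are skipped: installing is not part of an update transaction.
    """
    upgrades, downgrades = {}, {}
    for name, cand in candidates.items():
        cur = installed.get(name)
        if cur is None:
            continue
        order = evr_cmp(cand, cur)
        if order > 0:
            upgrades[name] = cand
        elif order < 0:
            downgrades[name] = (cur, cand)  # refused: "update" must never go backwards
    return upgrades, downgrades


# Constructed sample data: one older candidate (openssl) slipped into the repo.
INSTALLED = {"openssl": "1.0.1e-2.1", "bash": "4.2-18.1", "zlib": "1.2.7-3.1", "curl": "7.28.1-1.1"}
CANDIDATES = {"openssl": "1.0.1c-1.1", "bash": "4.2-20.1", "zlib": "1.2.7-3.1",
              "curl": "7.29.0~rc1-1.1", "vim": "7.3-1.1"}

if __name__ == "__main__":
    ups, downs = plan_update(INSTALLED, CANDIDATES)
    print("upgrade:", ups)
    print("refused downgrades:", downs)
```

The point of running the comparison on the full EVR rather than on the version string alone is that an attacker-supplied repository can also lower the epoch or release; any of the three moving backwards must be refused. The unprivileged "update" path should reject the whole transaction when `downgrades` is non-empty, rather than silently dropping those entries, so the caller learns that a downgrade was attempted.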
Comment 3 Matthias Klumpp 2013-02-21 18:05:18 UTC
This has been fixed in PackageKit's Zypper backend: http://gitorious.org/packagekit/packagekit/commit/d3d14631042237bcfe6fb30a60e59bb6d94af425
