Bug 61231 - PackageKit "update" can downgrade packages
Summary: PackageKit "update" can downgrade packages
Status: RESOLVED FIXED
Alias: None
Product: PackageKit
Classification: Unclassified
Component: core (show other bugs)
Version: unspecified
Hardware: Other All
: medium major
Assignee: Richard Hughes
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-02-21 14:35 UTC by Marcus Meissner
Modified: 2013-02-21 18:05 UTC (History)
1 user (show)

See Also:
i915 platform:
i915 features:


Attachments
commandline log of the update that downgraded packages (2.15 KB, text/plain)
2013-02-21 14:35 UTC, Marcus Meissner
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2013-02-21 14:35:12 UTC
Ludwig Nussel reported during testing that "update" can downgrade packages,
while we would expect it can only upgrade packages.

In openSUSE we allow "update" for the logged in desktop user, so a local attacker could use this to install a previously fixed package with security problems and so potentially be able to exploit this older issue.


The expectation would be that "downgrading" would require ewither install or similar privileges.
Comment 1 Marcus Meissner 2013-02-21 14:35:55 UTC
Created attachment 75253 [details]
commandline log of the update that downgraded packages

commandline log of the update that downgraded packages
Comment 2 Richard Hughes 2013-02-21 15:24:27 UTC
PackageKit doesn't do any validation on the package numbers to ensure they "go up" but it's an expected thing of the backend to ensure the packages don't get downgraded.
Comment 3 Matthias Klumpp 2013-02-21 18:05:18 UTC
This has been fixed in PackageKit's Zypper backend: http://gitorious.org/packagekit/packagekit/commit/d3d14631042237bcfe6fb30a60e59bb6d94af425


Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.