61231 – PackageKit "update" can downgrade packages

Bug 61231 - PackageKit "update" can downgrade packages

Summary: PackageKit "update" can downgrade packages

Status:	RESOLVED FIXED

Alias:	None

Product:	PackageKit
Classification:	Unclassified
Component:	core (show other bugs)
Version:	unspecified
Hardware:	Other All

Importance:	medium major
Assignee:	Richard Hughes
QA Contact:

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2013-02-21 14:35 UTC by Marcus Meissner
Modified:	2013-02-21 18:05 UTC (History)
CC List:	1 user (show)

See Also:
i915 platform:
i915 features:

Attachments
commandline log of the update that downgraded packages (2.15 KB, text/plain) 2013-02-21 14:35 UTC, Marcus Meissner	Details
View All

Description Marcus Meissner 2013-02-21 14:35:12 UTC

Ludwig Nussel reported during testing that "update" can downgrade packages,
while we would expect it can only upgrade packages.

In openSUSE we allow "update" for the logged in desktop user, so a local attacker could use this to install a previously fixed package with security problems and so potentially be able to exploit this older issue.


The expectation would be that "downgrading" would require ewither install or similar privileges.

Comment 1 Marcus Meissner 2013-02-21 14:35:55 UTC

Created attachment 75253 [details]
commandline log of the update that downgraded packages

commandline log of the update that downgraded packages

Comment 2 Richard Hughes 2013-02-21 15:24:27 UTC

PackageKit doesn't do any validation on the package numbers to ensure they "go up" but it's an expected thing of the backend to ensure the packages don't get downgraded.

Comment 3 Matthias Klumpp 2013-02-21 18:05:18 UTC

This has been fixed in PackageKit's Zypper backend: http://gitorious.org/packagekit/packagekit/commit/d3d14631042237bcfe6fb30a60e59bb6d94af425

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.