Bug 61231 - PackageKit "update" can downgrade packages
Summary: PackageKit "update" can downgrade packages
Alias: None
Product: PackageKit
Classification: Unclassified
Component: core (show other bugs)
Version: unspecified
Hardware: Other All
: medium major
Assignee: Richard Hughes
QA Contact:
Depends on:
Reported: 2013-02-21 14:35 UTC by Marcus Meissner
Modified: 2013-02-21 18:05 UTC (History)
1 user (show)

See Also:
i915 platform:
i915 features:

commandline log of the update that downgraded packages (2.15 KB, text/plain)
2013-02-21 14:35 UTC, Marcus Meissner

Description Marcus Meissner 2013-02-21 14:35:12 UTC
Ludwig Nussel reported during testing that "update" can downgrade packages,
while we would expect it can only upgrade packages.

In openSUSE we allow "update" for the logged in desktop user, so a local attacker could use this to install a previously fixed package with security problems and so potentially be able to exploit this older issue.

The expectation would be that "downgrading" would require ewither install or similar privileges.
Comment 1 Marcus Meissner 2013-02-21 14:35:55 UTC
Created attachment 75253 [details]
commandline log of the update that downgraded packages

commandline log of the update that downgraded packages
Comment 2 Richard Hughes 2013-02-21 15:24:27 UTC
PackageKit doesn't do any validation on the package numbers to ensure they "go up" but it's an expected thing of the backend to ensure the packages don't get downgraded.
Comment 3 Matthias Klumpp 2013-02-21 18:05:18 UTC
This has been fixed in PackageKit's Zypper backend: http://gitorious.org/packagekit/packagekit/commit/d3d14631042237bcfe6fb30a60e59bb6d94af425

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.