- Package:
- src:packagekit
- Source:
- src:packagekit
- Submitter:
- Salvatore Bonaccorso
- Date:
- 2026-06-16 20:11:01 UTC
- Severity:
- normal
- Tags:
Hi,

The following vulnerability was published for packagekit.

CVE-2024-0217[0]:
| A use-after-free flaw was found in PackageKitd. In some conditions,
| the order of cleanup mechanics for a transaction could be impacted.
| As a result, some memory access could occur on memory regions that
| were previously freed. Once freed, a memory region can be reused for
| other allocations and any previously stored data in this memory
| region is considered lost.

The only reference known so far is [1], which says as well that the issue should be fixed in 1.2.7 upstream. Do you happen to know more on it?

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-0217
    https://www.cve.org/CVERecord?id=CVE-2024-0217
[1] https://bugzilla.redhat.com/show_bug.cgi?id=2256624

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
Hi!
On Thu, 4 Jan 2024 at 20:51, Salvatore Bonaccorso <carnil@debian.org> wrote:
This might be the worst CVE I've seen in a while... PackageKit has
backends, so at the very least this CVE should state whether this
affects a backend only (in which case we might even be fine if we
don't ship it) or the daemon core, or a library. Judging from how this
is worded, it's likely one of the latter, which would be worse.
On the bug report, it is stated that "It was observed that under some
conditions, the order of cleanup mechanics for a transaction could be
impacted.", but there are no details given what these circumstances
even are.
Furthermore, Philip Withnall did quite a bit of larger rework on
PackageKit's transaction logic for 1.2.7, so whatever the issue is it
might have been accidentally fixed in a larger commit of that series.
But tbh, this CVE is so vague that I have no idea where I'd even look
for this (unless I wanted to repeat the work that went into finding
this and create random transaction states while running with address
sanitizer on).
Let's hope the reporter replies to the request in RH bugzilla.
Cheers,
Matthias
Hi Matthias,

Thanks for the very quick reply!

Ok, let's see if the reporter in the Red Hat bugzilla replies to the 'needinfo' request. Will update the bug here in case I notice earlier than you. I had expected that packagekit upstream gets some information as well from Red Hat, so you as well :-)

Thanks a lot for your work!

Regards,
Salvatore
Hi Matthias,

Got a reply from Pedro Sampaio in https://bugzilla.redhat.com/show_bug.cgi?id=2256624#c3

It is mentioned that although the following is not a direct fix for the issue, the commit in v1.2.7 to reduce the impact is the following:

https://github.com/PackageKit/PackageKit/commit/64278c9127e3333342b56ead99556161f7e86f79

Does that help you with your upstream hat on, and downstream in Debian?

Regards,
Salvatore
Hi!
On Fri, 5 Jan 2024 at 18:57, Salvatore Bonaccorso <carnil@debian.org> wrote:
Not at all... I also don't know why I should hunt around the code to
find an issue that someone else has found but where they don't tell me
where the problem even is.
The CVE page lists that commit as "patch" now, and given that emitting
a finished transaction as finished multiple times could indeed cause
issues (and use-after-free issues potentially as well), I am inclined
to think that that's indeed the issue here and that the patch fixes
it.
That would mean though that all PK versions starting from and
including 1.2.7 are not vulnerable... But the CVE tells otherwise.
Very odd.
Best,
Matthias
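The reasoning in the message above (a "finished" signal delivered more than once for an already cleaned-up transaction can turn into a use-after-free) is illustrated by the following added example. It is not PackageKit code and not the referenced upstream commit; the Transaction object, its listener and the reference-counting scheme are hypothetical, written only to show the two generic defensive rules such a fix tends to apply: emit "finished" at most once, and hold a keep-alive reference while handlers run so that a handler dropping its own reference cannot free the object under the emitter's feet.

```c
/* Added illustration, not PackageKit code: a minimal reference-counted
 * "transaction" whose "finished" signal is (1) guarded so it fires once and
 * (2) emitted while holding an extra reference, so a handler that releases
 * its reference cannot free the object before the emitter is done with it.
 * All names here are hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

typedef struct Transaction Transaction;
typedef void (*FinishedCb)(Transaction *tx, void *user_data);
typedef enum { TX_RUNNING, TX_FINISHED } TxState;

struct Transaction {
    int refcount;
    bool finished_emitted;      /* guard against a second "finished" */
    TxState state;
    FinishedCb on_finished;
    void *user_data;
    char *tid;                  /* transaction id, freed with the object */
};

static int live_transactions = 0;   /* allocated-but-not-freed objects */

int transaction_live_count(void) { return live_transactions; }

Transaction *transaction_new(const char *tid, FinishedCb cb, void *user_data)
{
    Transaction *tx = calloc(1, sizeof *tx);
    if (tx == NULL)
        return NULL;
    tx->refcount = 1;
    tx->state = TX_RUNNING;
    tx->on_finished = cb;
    tx->user_data = user_data;
    tx->tid = strdup(tid);
    live_transactions++;
    return tx;
}

Transaction *transaction_ref(Transaction *tx) { tx->refcount++; return tx; }

void transaction_unref(Transaction *tx)
{
    if (--tx->refcount > 0)
        return;
    free(tx->tid);
    free(tx);
    live_transactions--;
}

/* Emits "finished" exactly once; returns false if it was already emitted. */
bool transaction_emit_finished(Transaction *tx)
{
    if (tx->finished_emitted)
        return false;
    tx->finished_emitted = true;

    transaction_ref(tx);                    /* keep-alive across the handler */
    if (tx->on_finished != NULL)
        tx->on_finished(tx, tx->user_data);
    /* Without the keep-alive reference this write would hit freed memory
     * whenever the handler dropped the last reference. */
    tx->state = TX_FINISHED;
    transaction_unref(tx);
    return true;
}

typedef struct { int calls; } ListenerState;

/* A handler that owns one reference and releases it on "finished": the
 * cleanup pattern where a doubled signal would mean a double release. */
static void listener_on_finished(Transaction *tx, void *user_data)
{
    ListenerState *st = user_data;
    st->calls++;
    transaction_unref(tx);
}

/* Scenario (constructed): daemon and one listener each hold a reference and
 * "finished" is requested twice. Returns the handler invocation count, or -1
 * if the guard or the post-handler access misbehaved. */
int scenario_double_finish(void)
{
    ListenerState st = { 0 };
    Transaction *tx = transaction_new("/42_constructed", listener_on_finished, &st);
    transaction_ref(tx);                    /* listener's reference */

    bool first = transaction_emit_finished(tx);    /* handler runs, listener unrefs */
    bool second = transaction_emit_finished(tx);   /* suppressed by the guard */
    if (!first || second || tx->state != TX_FINISHED)
        return -1;

    transaction_unref(tx);                  /* daemon's reference: freed here */
    return st.calls;
}
```

Running `scenario_double_finish()` yields one handler call and leaves `transaction_live_count()` at zero, i.e. the object was freed exactly once despite the repeated signal. Dropping either the `finished_emitted` guard or the keep-alive `transaction_ref()` in `transaction_emit_finished()` is the kind of defect AddressSanitizer, as mentioned above, reports as a heap-use-after-free.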
Ok.
But https://www.cve.org/CVERecord?id=CVE-2024-0217 only states
"unaffected at 1.2.7", which seems to be based on the git tag of
the referenced commit?
Cheers,
Moritz
On Wed, 21 Feb 2024 at 16:05, Moritz Muehlenhoff <jmm@inutil.org> wrote:

https://bugzilla.redhat.com/show_bug.cgi?id=2256624#c6

We really need more information here. I'd read the "unaffected at 1.2.7" as version 1.2.7 and higher not having the bug... But then again, on another page it said that the respective patch only lowered the impact...

I remember merging that patch, and it was a pretty good robustness improvement, we didn't talk about any use-after-free issue there though (so it's not obvious why this changes anything either).

Let's see if we get a reply from the CVE reporter!

Best,
Matthias
Sounds good. If there's no further information provided I'll mark the
entry as non actionable in the Debian security tracker and deassociate
it from https://security-tracker.debian.org/tracker/source-package/packagekit
Cheers,
Moritz
On Wed, Feb 21, 2024 at 04:27:25PM +0100, Moritz Muehlenhoff wrote:
Half a year later still no actionable information was provided. I'll
go ahead and mark this as bogus in the Debian Security Tracker (so that
it no longer appears on the CVE page for packagekit).
As for this bug, I'd suggest we also simply close it?
Cheers,
Moritz
Hi!
Closing this bug, since even two years later we have no idea what this
issue was supposed to be about, and it confuses people who are looking
for the actual recent CVEs about PackageKit.
Sorry for all the noise!
Best,
Matthias