- Package:
- src:packagekit
- Source:
- src:packagekit
- Submitter:
- Moritz Mühlenhoff
- Date:
- 2026-06-17 21:59:02 UTC
- Severity:
- normal
- Tags:
Hi,

The following vulnerability was published for packagekit. You are obviously aware, but for tracking I'm also filing this in the BTS.

CVE-2026-10294[0]:
| A vulnerability has been found in PackageKit up to 1.3.5. Affected
| is the function g_file_test of the file src/pk-transaction.c of the
| component API. Such manipulation of the argument frontend-socket
| leads to improper authorization. The attack can be executed
| remotely. The exploit has been disclosed to the public and may be
| used.

https://github.com/PackageKit/PackageKit/issues/969

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-10294
    https://www.cve.org/CVERecord?id=CVE-2026-10294

Please adjust the affected versions in the BTS as needed.
Hi!
I am aware, and the issue will be addressed in some form with the next
release. This issue is so incredibly minor though that I wouldn't even
have classified it as a security issue (it allows you to figure out if
a file exists on the system if you know its exact path, and that's it.
All you do is gain a little bit of information about the system).
So yeah, will be addressed, but ironically the fix is more dangerous
than the issue itself because we may break legitimate use cases if we
aren't careful. Because of the extra testing this needs, it hasn't
been resolved yet (but will be soon).
Cheers,
Matthias
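The existence oracle described in the CVE text and in the reply above, as an added example that is not PackageKit's code and not taken from the upstream fix: a client-supplied "frontend-socket" path is validated first with a plain existence test (the POSIX analogue of g_file_test with G_FILE_TEST_EXISTS, which follows symlinks and whose outcome depends only on whether the target exists), and then with a hardened check that does not follow symlinks and accepts only a real socket inode, returning one uniform rejection for every failure mode. The function names, the fixture built under /tmp and the bitmask encoding are all this example's own assumptions.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

/* Vulnerable pattern (assumed shape, not PackageKit's code): a plain
 * existence test on a client-supplied path. stat() follows symlinks and
 * the answer depends only on whether the target exists, so anyone who
 * can observe accept/reject can probe for any path the daemon can see. */
int check_frontend_socket_vulnerable(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0;
}

/* Hardened variant (assumed; mirrors the changelog's "not following
 * socket symlinks"): lstat() inspects the entry itself, symlinks are
 * refused outright, only a real socket inode is accepted, and every
 * rejection returns the same value, so the reply cannot separate
 * "does not exist" from "exists but is not a socket". */
int check_frontend_socket_hardened(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return 0;                   /* ENOENT, EACCES, ENOTDIR: all identical */
    if (S_ISLNK(st.st_mode))
        return 0;                   /* symlink, even one pointing at a socket */
    return S_ISSOCK(st.st_mode) ? 1 : 0;
}

/* Constructed fixture: a regular file, a bound unix-domain socket and a
 * symlink to that socket under dir. Returns 0 on success, -1 on error. */
int make_fixture(const char *dir)
{
    char path[128];
    struct sockaddr_un addr;
    int fd;
    snprintf(path, sizeof path, "%s/regular", dir);
    if ((fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600)) < 0)
        return -1;
    close(fd);
    snprintf(path, sizeof path, "%s/sock", dir);
    if ((fd = socket(AF_UNIX, SOCK_STREAM, 0)) < 0)
        return -1;
    memset(&addr, 0, sizeof addr);
    addr.sun_family = AF_UNIX;
    strncpy(addr.sun_path, path, sizeof addr.sun_path - 1);
    if (bind(fd, (struct sockaddr *)&addr, sizeof addr) != 0) {
        close(fd);
        return -1;
    }
    close(fd);                      /* the socket inode stays on disk */
    snprintf(path, sizeof path, "%s/socklink", dir);
    return symlink("sock", path);
}

/* Runs both checks over the fixture and packs the outcomes into a bitmask
 * (bit set = path accepted). Returns -1 if the fixture could not be built.
 *   1 vulnerable: regular file          8 hardened: symlink to socket
 *   2 vulnerable: symlink to socket    16 hardened: real socket
 *   4 hardened: regular file           32 hardened: nonexistent path */
int demo(void)
{
    char dir[] = "/tmp/pkexXXXXXX";
    char regular[128], sock[128], socklink[128], missing[128];
    int mask = -1;
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(regular, sizeof regular, "%s/regular", dir);
    snprintf(sock, sizeof sock, "%s/sock", dir);
    snprintf(socklink, sizeof socklink, "%s/socklink", dir);
    snprintf(missing, sizeof missing, "%s/missing", dir);
    if (make_fixture(dir) == 0) {
        mask  = check_frontend_socket_vulnerable(regular)  ? 1  : 0;
        mask |= check_frontend_socket_vulnerable(socklink) ? 2  : 0;
        mask |= check_frontend_socket_hardened(regular)    ? 4  : 0;
        mask |= check_frontend_socket_hardened(socklink)   ? 8  : 0;
        mask |= check_frontend_socket_hardened(sock)       ? 16 : 0;
        mask |= check_frontend_socket_hardened(missing)    ? 32 : 0;
    }
    unlink(regular);
    unlink(sock);
    unlink(socklink);
    rmdir(dir);
    return mask;
}

int main(void)
{
    int mask = demo();
    printf("result mask %d (19 = vulnerable accepts the regular file and the "
           "symlink, hardened accepts only the real socket)\n", mask);
    return mask == 19 ? 0 : 1;
}
```

Two caveats a reviewer of such a fix would raise, stated as general guidance rather than as facts about the PackageKit change: a pre-check with lstat() still leaves a window between the check and the later connect(), and connect() itself resolves symlinks in the path it is given, so the check narrows the oracle but does not remove the race; and the leak only closes if the daemon's reply to the client is identical for every rejected path, which is why the hardened function collapses all failures to one value. A design that avoids the path check entirely is to have the client pass the already-opened socket as a file descriptor (D-Bus supports fd passing) so the daemon never has to interpret a client-chosen path.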
We believe that the bug you reported is fixed in the latest version of
packagekit, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1138711@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Matthias Klumpp <mak@debian.org> (supplier of updated packagekit package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Tue, 16 Jun 2026 22:06:36 +0200
Source: packagekit
Architecture: source
Version: 1.3.6-1
Distribution: unstable
Urgency: medium
Maintainer: Matthias Klumpp <mak@debian.org>
Changed-By: Matthias Klumpp <mak@debian.org>
Closes: 1138711
Changes:
packagekit (1.3.6-1) unstable; urgency=medium
.
* New upstream version: 1.3.6
- Resolves an information leak by not following socket symlinks
(Closes: #1138711, CVE-2026-10294)
Checksums-Sha1:
ad5437ff71a1dd377558b3791705d8bfb830cc87 3215 packagekit_1.3.6-1.dsc
c0f13d642d36c344d18c82a05c279750f1cacd1a 2981140 packagekit_1.3.6.orig.tar.xz
9865e246fbd12410c6189c6e80b30e9ebe44518a 833 packagekit_1.3.6.orig.tar.xz.asc
5f2ac8e32c244c6558543b2546742fd89b629d5e 25832 packagekit_1.3.6-1.debian.tar.xz
f825c491cdf488682950ce9496ccd3d78a2fb1c4 19326 packagekit_1.3.6-1_source.buildinfo
Checksums-Sha256:
3d71676f5c69355fec84280bb1b4e6661f9bd80bf41ccad3a236174117d2afd3 3215 packagekit_1.3.6-1.dsc
a3458173efd3c3d0e2d049b95be26300f37c96219314164da2bd6778546a3d51 2981140 packagekit_1.3.6.orig.tar.xz
79ef06c3cc59dff2d104c8ddd8da591d1a1a6837b88318b46442f485eea59cb6 833 packagekit_1.3.6.orig.tar.xz.asc
571230ceb8ed2b76cfd05a3f29db5f42b046839cd42a5b55a4cfa975db6a9409 25832 packagekit_1.3.6-1.debian.tar.xz
5601d04c19d8be903ff48497ac660c080d43d06e10f59292f7042c75377d8bb5 19326 packagekit_1.3.6-1_source.buildinfo
Files:
69f8c06589fe9277923733d0944ec2e6 3215 admin optional packagekit_1.3.6-1.dsc
232ce76a1c3b9aef9bc25142183791e4 2981140 admin optional packagekit_1.3.6.orig.tar.xz
ce1ac227474b54569e92cf5f1beb7c56 833 admin optional packagekit_1.3.6.orig.tar.xz.asc
6a393c035dbd32aea9df14a426f10d93 25832 admin optional packagekit_1.3.6-1.debian.tar.xz
e49c3ef1c0b447d07b1c535611f0105f 19326 admin optional packagekit_1.3.6-1_source.buildinfo
On Sat, Jun 13, 2026 at 02:50:11AM +0200, Matthias Klumpp wrote:
If the impact is that limited and if there is a risk of regressions
we can also simply mark it as being of negligible impact and ignore
it for released distros.
Cheers,
Moritz
On Wed, 17 June 2026 at 22:49, Moritz Mühlenhoff <jmm@inutil.org> wrote:
The impact is basically "figure out if a file exists that you know the
exact path of beforehand". It is information a non-root user shouldn't
have, but can't be exploited for anything else on its own.
The patch should be safe, but I would still give it a week, to see if
there are any issues with Debconf handling in PK. Then it makes sense
to backport, I think.
Cheers,
Matthias