Bug 2064315 (CVE-2022-0987)

Summary: CVE-2022-0987 PackageKit: Information Disclosure in Transaction Interface via timing
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Nobody <nobody>
Status: ASSIGNED
Severity: low
Priority: low
Version: unspecified
CC: gnome-sig, jonathan, klember, matthias, rdieter, rhughes, smparrish
Keywords: Security
Hardware: All
OS: Linux
Doc Text:
A flaw was found in PackageKit in the way some of the methods exposed by the Transaction interface examine files. This issue allows a local user to measure the time the methods take to execute and know whether a file owned by root or other users exists.
Bug Depends On: 2064361, 2064372, 2064373    
Bug Blocks: 2050422, 2064328    

Description Guilherme de Almeida Suckevicz 2022-03-15 14:25:33 UTC
A vulnerability was found in PackageKit in the way some of the methods exposed by the Transaction interface examine files without dropping privileges. The InstallFiles method, for example, will fail silently with a non-existing file; however, if the file exists, it will read the contents of the file and take longer to return than a non-existing file will. This vulnerability allows a local user to know whether a file owned by root or other users exists.
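
One way a privileged service can examine a client-supplied path with the requesting user's permissions instead of its own, so that a path the user cannot reach fails the same way whether or not the file exists. This is an added example, not PackageKit code and not the upstream fix; `open_as_caller` and its parameters are hypothetical.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper (not PackageKit code): open `path` read-only with the
 * filesystem permissions of the requesting user, not the daemon's.
 * Returns an fd, or -1 with errno set. Credentials are process-wide, so a
 * threaded daemon would run this in a short-lived child process. */
int open_as_caller(const char *path, uid_t uid, gid_t gid)
{
    uid_t saved_uid = geteuid();
    gid_t saved_gid = getegid();
    gid_t saved_groups[256];
    int privileged = (saved_uid == 0);
    int ngroups = 0, fd = -1, err;

    if (privileged) {
        /* Supplementary groups grant access too. Reducing them to the
         * caller's primary gid is conservative (assumption of this example). */
        ngroups = getgroups(256, saved_groups);
        if (ngroups < 0 || setgroups(1, &gid) != 0)
            return -1;
    }
    /* Group first, then user: after seteuid() the gid can no longer change. */
    if (setegid(gid) != 0 || seteuid(uid) != 0) {
        err = errno;
        goto restore;
    }
    /* O_NONBLOCK keeps a FIFO at `path` from stalling the service. */
    fd = open(path, O_RDONLY | O_CLOEXEC | O_NOCTTY | O_NONBLOCK);
    err = errno;
restore:
    /* If the original identity cannot be restored, stop rather than continue. */
    if (seteuid(saved_uid) != 0 || setegid(saved_gid) != 0 ||
        (privileged && setgroups((size_t)ngroups, saved_groups) != 0))
        _exit(1);
    errno = err;
    return fd;
}

int main(int argc, char **argv)
{
    int fd = open_as_caller(argc > 1 ? argv[1] : "/dev/null", geteuid(), getegid());
    printf("%s\n", fd >= 0 ? "opened" : "not available to caller");
    return fd < 0;
}
```

Any later reading or type detection should use the returned descriptor instead of reopening the path with the service's own privileges.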

Comment 1 Guilherme de Almeida Suckevicz 2022-03-15 16:15:36 UTC
Created PackageKit tracking bugs for this issue:

Affects: fedora-all [bug 2064361]