An authentication bypass flaw has been found in PackageKit since version 1.0.2.
A local attacker can bypass the authentication in the
pk_transaction_authorize_actions_finished_cb function of the pk-transaction.c file,
and install signed packages without administrator privileges.
Upstream vulnerable commit:
Name: Matthias Gerstner (SUSE)
This appears to be very similar to a previously rejected vulnerability from 2014. How does this differ from the "grinch" vulnerability?
Though, as said in your sources, PackageKit+PolKit allow a wheel member to install packages without inserting any password, we don't consider that a vulnerability; it is one of the reasons for PackageKit's existence. Instead, the current CVE is about a complete authentication bypass, even for non-members of the wheel group.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2018:1224 https://access.redhat.com/errata/RHSA-2018:1224