2064315 – (CVE-2022-0987) CVE-2022-0987 PackageKit: Information Disclosure in Transaction Interface via timing

Bug 2064315 (CVE-2022-0987) - CVE-2022-0987 PackageKit: Information Disclosure in Transaction Interface via timing

Summary: CVE-2022-0987 PackageKit: Information Disclosure in Transaction Interface via...

Keywords:
Status:	ASSIGNED
Alias:	CVE-2022-0987
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Nobody
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2064361 2064372 2064373
Blocks:	2050422 2064328
TreeView+	depends on / blocked

Reported:	2022-03-15 14:25 UTC by Guilherme de Almeida Suckevicz
Modified:	2023-07-07 08:28 UTC (History)
CC List:	7 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in PackageKit in the way some of the methods exposed by the Transaction interface examines files. This issue allows a local user to measure the time the methods take to execute and know whether a file owned by root or other users exists.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description Guilherme de Almeida Suckevicz 2022-03-15 14:25:33 UTC

A vulnerability was found in PackageKit in the way some of the methods exposed by the Transaction interface examine files without dropping privileges. The InstallFiles method, for example, will fail silently with a non-existing file, however if the file exists it will read the contents of the file and take longer to return than a non-existing file will. This vulnerability allows a local user to know whether a file owned by root or other users exists.

Comment 1 Guilherme de Almeida Suckevicz 2022-03-15 16:15:36 UTC

Created PackageKit tracking bugs for this issue:

Affects: fedora-all [bug 2064361]

Note You need to log in before you can comment on or make changes to this bug.