PackageKit relies on “transactions” as a work unit to wrap package manager actions; these transactions are created by the user and freed when no longer in use or when a terminal error is emitted. It was observed that under some conditions, the order of cleanup mechanics for a transaction could be impacted. As a result, some memory accesses could occur on memory regions that were previously freed. Once freed, a memory region can be reused for other allocations, and any data previously stored in it is considered lost. Use of memory after it has been cleaned up is named Use-After-Free (UAF). The most reliable way a transaction can be made to be cleaned up whilst still running is by having a task for a package backend (dnf in our case) and simultaneously causing an error or successful termination of another task for that same transaction.
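The lifecycle hazard described above, as an added illustration that is not PackageKit's own code: a hypothetical refcounted transaction model in which a terminal event on the same transaction drops the creator's reference while a backend task is still running, alongside the usual mitigation of having the running task hold its own reference. Freed memory is modelled by a flag rather than a real free() so the ordering problem is observable without undefined behaviour.

```c
/* Added illustration (not PackageKit code): a minimal refcounted "transaction"
 * whose running backend task must hold its own reference, otherwise a
 * finish/error on the same transaction can release the last reference while
 * the task is still executing. Freed memory is modelled by a flag rather than
 * a real free() so the hazard is observable without undefined behaviour. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

typedef struct {
    int refcount;
    bool finalized;   /* stands in for the memory having been freed */
    int pending;      /* backend tasks still running */
} Transaction;

static Transaction *transaction_new(void) {
    Transaction *t = calloc(1, sizeof *t);
    t->refcount = 1;                       /* the creator's reference */
    return t;
}
static void transaction_ref(Transaction *t) { t->refcount++; }
static void transaction_unref(Transaction *t) {
    if (--t->refcount == 0) t->finalized = true;   /* real code would free(t) */
}

/* The event that races the running task: a terminal error or completion
 * on another task of the same transaction drops the creator's reference. */
static void transaction_finished(Transaction *t) { transaction_unref(t); }

/* Returns true if the task completion touched an already-finalized object. */
static bool backend_task(Transaction *t, bool hold_ref) {
    if (hold_ref) transaction_ref(t);      /* mitigation: task owns a ref */
    t->pending++;
    transaction_finished(t);               /* interleaved terminal event */
    bool uaf = t->finalized;               /* access after cleanup? */
    t->pending--;
    if (hold_ref) transaction_unref(t);    /* finalize happens here, safely */
    return uaf;
}

/* Runs one task with or without the mitigation; true means a UAF occurred. */
static bool run_scenario(bool hold_ref) {
    Transaction *t = transaction_new();
    bool uaf = backend_task(t, hold_ref);
    free(t);                               /* release the model object */
    return uaf;
}

int main(void) {
    printf("without task ref: uaf=%d\n", run_scenario(false));   /* 1 */
    printf("with task ref:    uaf=%d\n", run_scenario(true));    /* 0 */
    return 0;
}
```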
Can you reference the upstream change from v1.2.7 which addresses this issue?
In reply to comment #2:
> Can you reference the upstream change from v1.2.7 which addresses this issue?

Although this is not a direct fix for the issue, this commit is believed to reduce impact in version 1.2.7 onward: https://github.com/PackageKit/PackageKit/commit/64278c9127e3333342b56ead99556161f7e86f79
(In reply to Pedro Sampaio from comment #3)
> In reply to comment #2:
> > Can you reference the upstream change from v1.2.7 which addresses this issue?
>
> Although this is not a direct fix for the issue, this commit is believed to reduce impact in version 1.2.7 onward:
> https://github.com/PackageKit/PackageKit/commit/64278c9127e3333342b56ead99556161f7e86f79

Thank you Pedro!
Created PackageKit tracking bugs for this issue: Affects: fedora-all [bug 2260042]
I am confused; what is going on here? There doesn't seem to have been any upstream engagement about this CVE, and neither I nor Matthias Klumpp have any idea what we're supposed to do here.
In reply to comment #6:
> I am confused what is going on here? There doesn't seem to have been any upstream engagement about this CVE and neither I nor Matthias Klumpp have any idea what we're supposed to do here.

I think you already did, here: https://github.com/PackageKit/PackageKit/pull/706
(In reply to Pedro Sampaio from comment #7)
> In reply to comment #6:
> > I am confused what is going on here? There doesn't seem to have been any upstream engagement about this CVE and neither I nor Matthias Klumpp have any idea what we're supposed to do here.
>
> I think you already did, here:
> https://github.com/PackageKit/PackageKit/pull/706

That PR fixed an overflow error and not a use-after-free problem, in a codepath unrelated to transaction lifecycle management. It's a bug for sure, but I don't see the connection to this issue.