2383006 – (CVE-2016-15045) CVE-2016-15045 deepin-daemon: lastore-daemon privilege escalation

Bug 2383006 (CVE-2016-15045) - CVE-2016-15045 deepin-daemon: lastore-daemon privilege escalation

Summary: CVE-2016-15045 deepin-daemon: lastore-daemon privilege escalation

Keywords:
Status:	NEW
Alias:	CVE-2016-15045
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2383132 2383131
Blocks:
TreeView+	depends on / blocked

Reported:	2025-07-23 14:01 UTC by OSIDB Bzimport
Modified:	2025-07-24 13:41 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-07-23 14:01:58 UTC

A local privilege escalation vulnerability exists in lastore-daemon, the system package manager daemon used in Deepin Linux (developed by Wuhan Deepin Technology Co., Ltd.). In versions 0.9.53-1 (Deepin 15.5) and 0.9.66-1 (Deepin 15.7), the D-Bus configuration permits any user in the sudo group to invoke the InstallPackage method without password authentication. By default, the first user created on Deepin is in the sudo group. An attacker with shell access can craft a .deb package containing a malicious post-install script and use dbus-send to install it via lastore-daemon, resulting in arbitrary code execution as root.

Note You need to log in before you can comment on or make changes to this bug.