Bug 2064315 (CVE-2022-0987) - CVE-2022-0987 PackageKit: Information Disclosure in Transaction Interface via timing
Summary: CVE-2022-0987 PackageKit: Information Disclosure in Transaction Interface via...
Keywords:
Status: ASSIGNED
Alias: CVE-2022-0987
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2064361 2064372 2064373
Blocks: 2050422 2064328
TreeView+ depends on / blocked
 
Reported: 2022-03-15 14:25 UTC by Guilherme de Almeida Suckevicz
Modified: 2022-03-18 16:19 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in PackageKit in the way some of the methods exposed by the Transaction interface examines files. This issue allows a local user to measure the time the methods take to execute and know whether a file owned by root or other users exists.
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)

Description Guilherme de Almeida Suckevicz 2022-03-15 14:25:33 UTC
A vulnerability was found in PackageKit in the way some of the methods exposed by the Transaction interface examine files without dropping privileges. The InstallFiles method, for example, will fail silently with a non-existing file, however if the file exists it will read the contents of the file and take longer to return than a non-existing file will. This vulnerability allows a local user to know whether a file owned by root or other users exists.

Comment 1 Guilherme de Almeida Suckevicz 2022-03-15 16:15:36 UTC
Created PackageKit tracking bugs for this issue:

Affects: fedora-all [bug 2064361]


Note You need to log in before you can comment on or make changes to this bug.