CentOS Sources
2018-04-24 796e9d1d3d0eb4dac5d0ccf9583f9b5879ca30f3
import PackageKit-1.1.5-2.el7_5
1 files added
1 files deleted
1 files modified
81 ■■■■ changed files
SOURCES/0001-Do-not-set-JUST_REINSTALL-on-any-kind-of-auth-failur.patch 55 ●●●●● patch | view | raw | blame | history
SOURCES/CentOS-Vendor-Branding.patch 10 ●●●●● patch | view | raw | blame | history
SPECS/PackageKit.spec 16 ●●●●● patch | view | raw | blame | history
SOURCES/0001-Do-not-set-JUST_REINSTALL-on-any-kind-of-auth-failur.patch
New file
@@ -0,0 +1,55 @@
From bb9f9a8fb451d7a2d81f7390993db75491224729 Mon Sep 17 00:00:00 2001
From: Richard Hughes <richard@hughsie.com>
Date: Mon, 9 Apr 2018 16:39:56 +0100
Subject: [PATCH] Do not set JUST_REINSTALL on any kind of auth failure
If we try to continue the auth queue when it has been cancelled (or failed)
then we fall upon the obscure JUST_REINSTALL transaction flag which only the
DNF backend actually verifies.
Many thanks to Matthias Gerstner <mgerstner@suse.de> for spotting the problem.
---
 src/pk-transaction.c | 27 ++++++++-------------------
 1 file changed, 8 insertions(+), 19 deletions(-)
diff --git a/src/pk-transaction.c b/src/pk-transaction.c
index 1d006c782..ffee29f6f 100644
--- a/src/pk-transaction.c
+++ b/src/pk-transaction.c
@@ -2351,25 +2351,14 @@ pk_transaction_authorize_actions_finished_cb (GObject *source_object,
     /* did not auth */
     if (!polkit_authorization_result_get_is_authorized (result)) {
-        if (g_strcmp0 (action_id, "org.freedesktop.packagekit.package-install") == 0 &&
-                   pk_bitfield_contain (priv->cached_transaction_flags,
-                            PK_TRANSACTION_FLAG_ENUM_ALLOW_REINSTALL)) {
-            g_debug ("allowing just reinstallation");
-            pk_bitfield_add (priv->cached_transaction_flags,
-                     PK_TRANSACTION_FLAG_ENUM_JUST_REINSTALL);
-        } else {
-            priv->waiting_for_auth = FALSE;
-            /* emit an ::StatusChanged, ::ErrorCode() and then ::Finished() */
-            pk_transaction_status_changed_emit (data->transaction, PK_STATUS_ENUM_FINISHED);
-            pk_transaction_error_code_emit (data->transaction, PK_ERROR_ENUM_NOT_AUTHORIZED,
-                            "Failed to obtain authentication.");
-            pk_transaction_finished_emit (data->transaction, PK_EXIT_ENUM_FAILED, 0);
-
-            syslog (LOG_AUTH | LOG_NOTICE,
-                "uid %i failed to obtain auth",
-                priv->uid);
-            goto out;
-        }
+        priv->waiting_for_auth = FALSE;
+        /* emit an ::StatusChanged, ::ErrorCode() and then ::Finished() */
+        pk_transaction_status_changed_emit (data->transaction, PK_STATUS_ENUM_FINISHED);
+        pk_transaction_error_code_emit (data->transaction, PK_ERROR_ENUM_NOT_AUTHORIZED,
+                        "Failed to obtain authentication.");
+        pk_transaction_finished_emit (data->transaction, PK_EXIT_ENUM_FAILED, 0);
+        syslog (LOG_AUTH | LOG_NOTICE, "uid %i failed to obtain auth", priv->uid);
+        goto out;
     }
     if (data->actions->len <= 1) {
--
2.17.0
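Review bot: The unauthorized branch that remains in pk_transaction_authorize_actions_finished_cb logs only the uid, so the audit record no longer says which polkit action was refused; the removed lines compared `action_id`, so that variable appears to still be in scope at this point and could be included, `syslog (LOG_AUTH | LOG_NOTICE, "uid %i failed to obtain auth for %s", priv->uid, action_id);`. The reason the ALLOW_REINSTALL shortcut was dropped is stated only in the patch description, so a short why-comment above the block would keep it from being reintroduced later, e.g. `/* any auth failure or cancellation fails the transaction; never downgrade it to JUST_REINSTALL (CVE-2018-1106) */`. The enclosing function starts before the hunk and the `out:` label it jumps to lies after it.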
SOURCES/CentOS-Vendor-Branding.patch
File was deleted
SPECS/PackageKit.spec
@@ -6,13 +6,16 @@
Summary:   Package management service
Name:      PackageKit
Version:   1.1.5
Release:   1%{?dist}
Release:   2%{?dist}
License:   GPLv2+ and LGPLv2+
URL:       http://www.freedesktop.org/software/PackageKit/
Source0:   http://www.freedesktop.org/software/PackageKit/releases/%{name}-%{version}.tar.xz
Patch0:    CentOS-Vendor-Branding.patch
# Fedora-specific: set Vendor.conf up for Fedora.
Patch0:    PackageKit-0.3.8-Fedora-Vendor.conf.patch
# CVE-2018-1106
Patch1:    0001-Do-not-set-JUST_REINSTALL-on-any-kind-of-auth-failur.patch
Requires: %{name}-glib%{?_isa} = %{version}-%{release}
Requires: PackageKit-backend
@@ -157,7 +160,8 @@
%prep
%setup -q
%patch0 -p1
%patch0 -p1 -b .fedora
%patch1 -p1 -b .CVE-2018-1106
%build
%configure \
@@ -300,9 +304,9 @@
%{_datadir}/vala/vapi/packagekit-glib2.vapi
%changelog
* Mon Jul 31 2017 CentOS Sources <bugs@centos.org> - 1.1.5-1.el7.centos
- remove old branding patch
- Update Vendor patch to reference CentOS
* Tue Apr 17 2018 Richard Hughes <rhughes@redhat.com> - 1.1.5-2
- Fixes CVE-2018-1106
- Resolves: rhbz#1566425
* Tue Feb 28 2017 Richard Hughes <rhughes@redhat.com> - 1.1.5-1
- Update to 1.1.5
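Review bot: Patch0 in the first hunk now names PackageKit-0.3.8-Fedora-Vendor.conf.patch, yet the commit's file list shows only the CVE patch added and CentOS-Vendor-Branding.patch deleted, so unless that Fedora patch is already present in SOURCES the build will stop at `%patch0 -p1 -b .fedora` in %prep. It would also help anyone auditing the backport if the `# CVE-2018-1106` comment named the upstream commit the patch was taken from, e.g. `# CVE-2018-1106, upstream bb9f9a8fb451d7a2d81f7390993db75491224729`, so the patch can be compared against the fix the changelog cites.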