PackageKit-1.1.12-8.el8_10

Errata ID: AXSA:2026-529:01
Release date: Monday, May 4, 2026 - 11:49
Subject: PackageKit-1.1.12-8.el8_10
Affected Channels: Asianux Server 8 for x86_64
Severity: High
Description:

PackageKit is a D-Bus abstraction layer that allows the session user to manage packages in a secure way using a cross-distribution, cross-architecture API.

Security Fix(es):

* PackageKit: race condition vulnerability leads to arbitrary package installation as root (CVE-2026-41651)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2026-41651
PackageKit is a D-Bus abstraction layer that allows the user to manage packages in a secure way using a cross-distro, cross-architecture API. PackageKit versions 1.0.2 through 1.3.4 inclusive are vulnerable to a time-of-check time-of-use (TOCTOU) race condition on transaction flags that allows unprivileged users to install packages as root, leading to local privilege escalation. This is patched in version 1.3.5. A local unprivileged user can install arbitrary RPM packages as root, including executing RPM scriptlets, without authentication.

The vulnerability is a TOCTOU race condition on `transaction->cached_transaction_flags` combined with a silent state-machine guard that discards illegal backward transitions while leaving corrupted flags in place. Three bugs exist in `src/pk-transaction.c`:

  1. Unconditional flag overwrite (line 4036): `InstallFiles()` writes caller-supplied flags to `transaction->cached_transaction_flags` without checking whether the transaction has already been authorized or started. A second call blindly overwrites the flags even while the transaction is RUNNING.
  2. Silent state-transition rejection (lines 873–882): `pk_transaction_set_state()` silently discards backward state transitions (e.g. `RUNNING` → `WAITING_FOR_AUTH`), but the flag overwrite from step 1 has already happened, so the transaction continues running with corrupted flags.
  3. Late flag read at execution time (lines 2273–2277): the scheduler's idle callback reads `cached_transaction_flags` at dispatch time, not at authorization time. If the flags were overwritten between authorization and execution, the backend sees the attacker's flags.
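The three-part failure described above, modelled in stand-alone C as an added illustration for this page (it is not PackageKit's code; the type `tx_t`, the state and flag names, and the two scenario functions are assumptions made here). The vulnerable variant overwrites flags unconditionally, drops a backward state transition silently and reads the live flags at dispatch; the hardened variant returns an explicit error for any flag change once the transaction has been submitted for authorization, leaves the stored flags untouched, and dispatches with the flags snapshotted at authorization time.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the pattern in the advisory: a transaction carries
 * caller-supplied flags and moves through an ordered state machine.
 * Names below are assumptions for illustration, not PackageKit identifiers. */
typedef enum {
    TX_STATE_NEW = 0,
    TX_STATE_WAITING_FOR_AUTH,
    TX_STATE_READY,
    TX_STATE_RUNNING,
    TX_STATE_FINISHED
} tx_state_t;

enum {
    TX_FLAG_NONE         = 0,
    TX_FLAG_ONLY_TRUSTED = 1u << 0   /* assumed bit: only install signed, trusted packages */
};

typedef struct {
    tx_state_t state;
    uint32_t   cached_flags;      /* whatever the caller most recently supplied */
    uint32_t   authorized_flags;  /* snapshot taken when authorization succeeded */
} tx_t;

/* Vulnerable guard: a backward transition is dropped silently (bug 2). */
static bool vulnerable_set_state(tx_t *tx, tx_state_t new_state)
{
    if (new_state < tx->state)
        return false;             /* discarded, and the caller is never told */
    tx->state = new_state;
    return true;
}

/* Vulnerable setter: flags are overwritten in any state (bug 1); the state
 * change that should accompany them is then silently refused. */
static void vulnerable_set_flags(tx_t *tx, uint32_t flags)
{
    tx->cached_flags = flags;
    (void)vulnerable_set_state(tx, TX_STATE_WAITING_FOR_AUTH);
}

/* Vulnerable dispatcher: reads the live cached flags at execution time (bug 3). */
static uint32_t vulnerable_dispatch_flags(const tx_t *tx)
{
    return tx->cached_flags;
}

/* Hardened setter: a flag change after submission is refused outright, with an
 * explicit error and no mutation, so nothing is left in a corrupted state. */
static bool hardened_set_flags(tx_t *tx, uint32_t flags)
{
    if (tx->state >= TX_STATE_WAITING_FOR_AUTH) {
        fprintf(stderr, "refusing flag change: transaction already submitted (state %d)\n",
                (int)tx->state);
        return false;
    }
    tx->cached_flags = flags;
    tx->state = TX_STATE_WAITING_FOR_AUTH;
    return true;
}

/* Authorization snapshots the flags it actually approved. */
static void authorize(tx_t *tx)
{
    tx->authorized_flags = tx->cached_flags;
    tx->state = TX_STATE_READY;
}

/* Hardened dispatcher: the backend runs with the authorized snapshot only. */
static uint32_t hardened_dispatch_flags(const tx_t *tx)
{
    return tx->authorized_flags;
}

/* Same sequence for both variants: submit with ONLY_TRUSTED, get authorized,
 * start running, then a second request arrives carrying weaker flags.
 * Each function returns the flags the backend would execute with. */
uint32_t run_vulnerable_scenario(void)
{
    tx_t tx = { TX_STATE_NEW, TX_FLAG_NONE, TX_FLAG_NONE };
    vulnerable_set_flags(&tx, TX_FLAG_ONLY_TRUSTED);
    authorize(&tx);
    (void)vulnerable_set_state(&tx, TX_STATE_RUNNING);
    vulnerable_set_flags(&tx, TX_FLAG_NONE);     /* overwrites while RUNNING */
    return vulnerable_dispatch_flags(&tx);       /* TX_FLAG_NONE: authorization bypassed */
}

uint32_t run_hardened_scenario(void)
{
    tx_t tx = { TX_STATE_NEW, TX_FLAG_NONE, TX_FLAG_NONE };
    (void)hardened_set_flags(&tx, TX_FLAG_ONLY_TRUSTED);
    authorize(&tx);
    tx.state = TX_STATE_RUNNING;
    (void)hardened_set_flags(&tx, TX_FLAG_NONE); /* refused; nothing changes */
    return hardened_dispatch_flags(&tx);         /* still TX_FLAG_ONLY_TRUSTED */
}

int main(void)
{
    printf("vulnerable backend flags: 0x%x\n", run_vulnerable_scenario());
    printf("hardened backend flags:   0x%x\n", run_hardened_scenario());
    return 0;
}
```

Two design points carry the fix. The guard must fail loudly: a caller that is told its request was rejected cannot leave the transaction in a state its authorization never covered, whereas a silently dropped transition hides exactly the inconsistency the race exploits. And the value the backend acts on must be the one that was checked, captured at authorization time, so that nothing written afterwards can widen what was approved.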

Solution:

Update packages.

Additional Info:

N/A

Download:

SRPMS
  1. PackageKit-1.1.12-8.el8_10.src.rpm
    MD5: 4daa902108888aaed2290a5f7d131cab
    SHA-256: 0d0e12cfc11770109a21e563e25ae7c1deb799f42083abe96b6e1515561785ef
    Size: 1.39 MB

Asianux Server 8 for x86_64
  1. PackageKit-1.1.12-8.el8_10.i686.rpm
    MD5: 80432dd47c88e055bb3f05fa1e8e85e2
    SHA-256: f25d616f1ccfb4acd4686749c6352c73a116eece1c608322b626ef9e7e987f0a
    Size: 608.37 kB
  2. PackageKit-1.1.12-8.el8_10.x86_64.rpm
    MD5: 9e35e35af89f35f21836f616510ada36
    SHA-256: 5f682fc05255d9b4be640f684d46da1b1ed7899a8bd472ad8becb7016e696aad
    Size: 597.55 kB
  3. PackageKit-command-not-found-1.1.12-8.el8_10.x86_64.rpm
    MD5: 8f0c0ef563df33183bec42ced4de56ea
    SHA-256: 4d0ef4650b18e238d161f63b9bb50783164b8476020c5d6a3af31e4b343dafda
    Size: 25.52 kB
  4. PackageKit-cron-1.1.12-8.el8_10.x86_64.rpm
    MD5: 87a13c07fda106a960338517daf0a011
    SHA-256: 88e0934b1ca0e08af2feabc7439a0c85f7f2b95387d25863846ecc0878d61da4
    Size: 8.52 kB
  5. PackageKit-glib-1.1.12-8.el8_10.i686.rpm
    MD5: 2b82cb0818ec0dc68d1acd112d79b575
    SHA-256: d0254b14807f8c76fa79201fcd5a7ce8742f687158335864fbf03bf33a20498b
    Size: 138.95 kB
  6. PackageKit-glib-1.1.12-8.el8_10.x86_64.rpm
    MD5: faac8483cb587e12ea87f6a1a10231e2
    SHA-256: bc5af212144d5729ddbf5a035a7139fe38aecab7a59b4359d4762fdf829045c5
    Size: 138.70 kB
  7. PackageKit-glib-devel-1.1.12-8.el8_10.i686.rpm
    MD5: 2a788dae49fec1c76e10f6eaee489554
    SHA-256: b867cb07bd79748c1de72263ff71a83d403f0d55388b34aa0a352efdedd85db8
    Size: 448.63 kB
  8. PackageKit-glib-devel-1.1.12-8.el8_10.x86_64.rpm
    MD5: 8b0f5b4ca85011eec37379a70368648d
    SHA-256: 6512712ffc388bdf78da10e5e1146d11754136c148050d489741821508e9e1fa
    Size: 448.62 kB
  9. PackageKit-gstreamer-plugin-1.1.12-8.el8_10.x86_64.rpm
    MD5: eb5987dafd2c7df30e9390233b196f85
    SHA-256: fe8c5d1400345bbd6bb0d94a2885b1d20c3ec4cbc01221508f599863309e2113
    Size: 15.80 kB
  10. PackageKit-gtk3-module-1.1.12-8.el8_10.i686.rpm
    MD5: cf112faf8c2c9030d44bd3100ea20269
    SHA-256: db452957cf2613928da5225253bb22e5131c011f0c467de41f683198b32a28e2
    Size: 16.85 kB
  11. PackageKit-gtk3-module-1.1.12-8.el8_10.x86_64.rpm
    MD5: f5d09e9bb3c8ab7905dafed90be0b7c3
    SHA-256: b9d9d1a2defeb666a52cfe398b3e2aefe2814341b9474ad31274acff163b8deb
    Size: 16.64 kB