PackageKit-1.2.6-2.el9_7

Errata ID: AXSA:2026-537:02

Release date: Monday, May 4, 2026 - 17:12
Subject: PackageKit-1.2.6-2.el9_7
Affected Channels: MIRACLE LINUX 9 for x86_64
Severity: High
Description: 

PackageKit is a D-Bus abstraction layer that allows the session user to manage packages in a secure way using a cross-distribution, cross-architecture API.

Security Fix(es):

* PackageKit: race condition vulnerability leads to arbitrary package installation as root (CVE-2026-41651)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2026-41651
PackageKit is a D-Bus abstraction layer that allows the user to manage packages in a secure way using a cross-distro, cross-architecture API. PackageKit versions 1.0.2 through 1.3.4 (inclusive) are vulnerable to a time-of-check time-of-use (TOCTOU) race condition on transaction flags that allows unprivileged users to install packages as root, leading to local privilege escalation. This is patched in version 1.3.5. A local unprivileged user can install arbitrary RPM packages as root, including executing RPM scriptlets, without authentication.

The vulnerability is a TOCTOU race condition on `transaction->cached_transaction_flags` combined with a silent state-machine guard that discards illegal backward transitions while leaving the corrupted flags in place. Three bugs exist in `src/pk-transaction.c`:

  1. Unconditional flag overwrite (line 4036): `InstallFiles()` writes caller-supplied flags to `transaction->cached_transaction_flags` without checking whether the transaction has already been authorized or started. A second call blindly overwrites the flags even while the transaction is RUNNING.
  2. Silent state-transition rejection (lines 873–882): `pk_transaction_set_state()` silently discards backward state transitions (e.g. `RUNNING` → `WAITING_FOR_AUTH`), but the flag overwrite from step 1 has already happened. The transaction continues running with corrupted flags.
  3. Late flag read at execution time (lines 2273–2277): the scheduler's idle callback reads `cached_transaction_flags` at dispatch time, not at authorization time. If the flags were overwritten between authorization and execution, the backend sees the attacker's flags.
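The three defects above, as an added C illustration that is not PackageKit's code: a toy transaction showing the vulnerable pattern (unconditional flag write, silently ignored backward transition, flags read at dispatch) beside a hardened variant that rejects method calls once authorization has begun, reports illegal transitions to the caller, and dispatches with the flags that were actually authorized. All type, flag and function names (`tx_t`, `FLAG_ONLY_TRUSTED`, `install_files_*`, `dispatch_*`) are constructed for this example.

```c
#include <stdbool.h>

/* Constructed state machine and flag bit; not PackageKit's real enums. */
typedef enum { TX_NEW, TX_WAITING_FOR_AUTH, TX_RUNNING } tx_state;
typedef unsigned tx_flags;
#define FLAG_ONLY_TRUSTED 0x1u   /* hypothetical "refuse unsigned content" bit */

typedef struct {
    tx_state state;
    tx_flags cached_flags;       /* what the InstallFiles-style call writes */
    tx_flags authorized_flags;   /* hardened: snapshot taken at authorization */
} tx_t;

/* Bug 2: a backward transition is dropped silently; the caller never learns. */
static void set_state_vuln(tx_t *t, tx_state s) { if (s >= t->state) t->state = s; }

/* Bug 1: flags are overwritten regardless of state; the rejected transition
 * leaves the new flags in place on a transaction that is already running. */
void install_files_vuln(tx_t *t, tx_flags f) {
    t->cached_flags = f;
    set_state_vuln(t, TX_WAITING_FOR_AUTH);
}

/* Bug 3: dispatch reads the cached flags at run time, not the authorized ones. */
tx_flags dispatch_vuln(const tx_t *t) { return t->cached_flags; }

/* Authorization decision is made on the flags present at that moment. */
void authorize(tx_t *t) {
    t->authorized_flags = t->cached_flags;
    t->state = TX_RUNNING;
}

/* Hardened: an illegal transition is an error, not a no-op. */
bool set_state_fixed(tx_t *t, tx_state s) {
    if (s < t->state) return false;
    t->state = s;
    return true;
}

/* Hardened: the method may only be invoked on a fresh transaction. */
bool install_files_fixed(tx_t *t, tx_flags f) {
    if (t->state != TX_NEW) return false;
    t->cached_flags = f;
    return set_state_fixed(t, TX_WAITING_FOR_AUTH);
}

/* Hardened: the backend runs with exactly the flags that were authorized. */
tx_flags dispatch_fixed(const tx_t *t) { return t->authorized_flags; }

/* Detection aid: flags at dispatch differing from the authorized snapshot
 * is the signature of this race; a daemon should refuse and log it. */
bool flags_tampered(const tx_t *t) { return t->cached_flags != t->authorized_flags; }
```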

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. PackageKit-1.2.6-2.el9_7.src.rpm
    MD5: 7dbadafaa5cf93f2daad62baa332e78c
    SHA-256: 3ac34f3725469349bafd56a31efe041c6b8e3cd491c687ea12a549a291cbb04d
    Size: 2.66 MB

Asianux Server 9 for x86_64
  1. PackageKit-1.2.6-2.el9_7.x86_64.rpm
    MD5: 4abf18dea8a8ea82baa34b4367450c5d
    SHA-256: 4ce8712bb1f09198c61705224d3e5f72e3369a15f0389267c89abe200449564f
    Size: 641.02 kB
  2. PackageKit-command-not-found-1.2.6-2.el9_7.x86_64.rpm
    MD5: bb6142c7de70487e1009c26a269003e2
    SHA-256: 39dba829aa7e1654db1c45647ea458b7a2ef756375f8880fd26bc69b54bd76be
    Size: 20.88 kB
  3. PackageKit-glib-1.2.6-2.el9_7.i686.rpm
    MD5: 4bbb539bb5b3069f8a4c62098465e3e3
    SHA-256: 63282e62200afb7584e18ff70ef93cb115031ff5e758f8301cded37e38b271fe
    Size: 157.07 kB
  4. PackageKit-glib-1.2.6-2.el9_7.x86_64.rpm
    MD5: 2ed57bd24ccb7fbb10c03123d408fbab
    SHA-256: 2301c1cc49311749b4f8a61ab1bb472c90620de4ba34059efcf12e6af80d1d8f
    Size: 156.02 kB
  5. PackageKit-glib-devel-1.2.6-2.el9_7.i686.rpm
    MD5: 88c3afba67ddbabaf30622511366985f
    SHA-256: ce791e8799d6b029d9a89263822846e3b5def1c945dd2cb63c4b3e2b0860773e
    Size: 481.48 kB
  6. PackageKit-glib-devel-1.2.6-2.el9_7.x86_64.rpm
    MD5: 1cc995d17ba1749db455f2d637225cde
    SHA-256: f9706429c2f606c2dd52707fa8b681ccaecbac77707f58e6fc23ec033d207c0b
    Size: 481.45 kB
  7. PackageKit-gstreamer-plugin-1.2.6-2.el9_7.x86_64.rpm
    MD5: 6301fee7ba1e23e4ecee81baa0d6cbd2
    SHA-256: 6827c7071088fcb156628c1f062bd59cfdfe73343afd2b56a0f6bc58182be269
    Size: 15.82 kB
  8. PackageKit-gtk3-module-1.2.6-2.el9_7.x86_64.rpm
    MD5: 46cdceaf12307ca789c7ccd8f9ac04ec
    SHA-256: 7863bb54ef011fce60523c1d5b2baf56805ed6ddac93fe5c67c6fe6c8797c2e1
    Size: 14.37 kB