PackageKit-1.2.6-2.el9_8
エラータID: AXSA:2026-1214:03
PackageKit is a D-Bus abstraction layer that allows the session user to manage packages in a secure way using a cross-distribution, cross-architecture API.
Security Fix(es):
* PackageKit: race condition vulnerability leads to arbitrary package installation as root (CVE-2026-41651)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
CVE-2026-41651
PackageKit is a a D-Bus abstraction layer that allows the user to manage packages in a secure way using a cross-distro, cross-architecture API. PackageKit between and including versions 1.0.2 and 1.3.4 is vulnerable to a time-of-check time-of-use (TOCTOU) race condition on transaction flags that allows unprivileged users to install packages as root and thus leads to a local privilege escalation. This is patched in version 1.3.5. A local unprivileged user can install arbitrary RPM packages as root, including executing RPM scriptlets, without authentication. The vulnerability is a TOCTOU race condition on `transaction->cached_transaction_flags` combined with a silent state-machine guard that discards illegal backward transitions while leaving corrupted flags in place. Three bugs exist in `src/pk-transaction.c`: 1. Unconditional flag overwrite (line 4036): `InstallFiles()` writes caller-supplied flags to `transaction->cached_transaction_flags` without checking whether the transaction has already been authorized/started. A second call blindly overwrites the flags even while the transaction is RUNNING. 2. Silent state-transition rejection (lines 873–882): `pk_transaction_set_state()` silently discards backward state transitions (e.g. `RUNNING` → `WAITING_FOR_AUTH`) but the flag overwrite at step 1 already happened. The transaction continues running with corrupted flags. 3. Late flag read at execution time (lines 2273–2277): The scheduler's idle callback reads cached_transaction_flags at dispatch time, not at authorization time. If flags were overwritten between authorization and execution, the backend sees the attacker's flags.
Update packages.
PackageKit is a a D-Bus abstraction layer that allows the user to manage packages in a secure way using a cross-distro, cross-architecture API. PackageKit between and including versions 1.0.2 and 1.3.4 is vulnerable to a time-of-check time-of-use (TOCTOU) race condition on transaction flags that allows unprivileged users to install packages as root and thus leads to a local privilege escalation. This is patched in version 1.3.5. A local unprivileged user can install arbitrary RPM packages as root, including executing RPM scriptlets, without authentication. The vulnerability is a TOCTOU race condition on `transaction->cached_transaction_flags` combined with a silent state-machine guard that discards illegal backward transitions while leaving corrupted flags in place. Three bugs exist in `src/pk-transaction.c`: 1. Unconditional flag overwrite (line 4036): `InstallFiles()` writes caller-supplied flags to `transaction->cached_transaction_flags` without checking whether the transaction has already been authorized/started. A second call blindly overwrites the flags even while the transaction is RUNNING. 2. Silent state-transition rejection (lines 873–882): `pk_transaction_set_state()` silently discards backward state transitions (e.g. `RUNNING` → `WAITING_FOR_AUTH`) but the flag overwrite at step 1 already happened. The transaction continues running with corrupted flags. 3. Late flag read at execution time (lines 2273–2277): The scheduler's idle callback reads cached_transaction_flags at dispatch time, not at authorization time. If flags were overwritten between authorization and execution, the backend sees the attacker's flags.
N/A
SRPMS
- PackageKit-1.2.6-2.el9_8.src.rpm
MD5: 96cab443afa839253d0b0e302d79952c
SHA-256: c70aecad67e0578c524e3b60731cbe121ac85cf1b3d303b940345ab115268193
Size: 2.66 MB
Asianux Server 9 for x86_64
- PackageKit-1.2.6-2.el9_8.x86_64.rpm
MD5: 7b454111e33e495cd7b41cc2ffc9da59
SHA-256: 0a2505bc1b6627badf48d8dc223426d99f4a13d7d0e2c2ba72cabe63a9de5192
Size: 640.82 kB - PackageKit-command-not-found-1.2.6-2.el9_8.x86_64.rpm
MD5: 6a6417a5c5880df0457dba1796eb4621
SHA-256: 023efbee6373735649015636cb022c9fb067e47393b6b173c6040b26580067f1
Size: 20.87 kB - PackageKit-glib-1.2.6-2.el9_8.i686.rpm
MD5: ffce1b5a05bce96b3da6e3f6fa3aee9a
SHA-256: d01ed85da808e58cb65d5243347d2d544eea05dabea103e314c3c1a130db3af7
Size: 156.79 kB - PackageKit-glib-1.2.6-2.el9_8.x86_64.rpm
MD5: af36bad3e8ac7f48f326f1918a9a8ee6
SHA-256: 2bd8de2d284d02205dcd792434f7b936744c7c815259dffcb506b2e607f0c9c9
Size: 155.63 kB - PackageKit-glib-devel-1.2.6-2.el9_8.i686.rpm
MD5: 933b6c545d865a3a087d39e0c3e0e20e
SHA-256: 26af3501cf64b106934a8120d5a68259ca4a633babfd0821eb16ab3f2a812e2a
Size: 481.48 kB - PackageKit-glib-devel-1.2.6-2.el9_8.x86_64.rpm
MD5: b0c3c0a3a5e00fa716c98d9fa7a12a17
SHA-256: ec3bc735faefc27155c1f3277053a3c2aab75f2f1eb1149a4f441b3dba0dfc1b
Size: 481.45 kB - PackageKit-gstreamer-plugin-1.2.6-2.el9_8.x86_64.rpm
MD5: 70c3cce3f7a9af785c536765b2640243
SHA-256: 5fb63c475a000efcb577a8fcce9a7e6162bbf50d6c4afa99ccbf7b8458a1bada
Size: 15.82 kB - PackageKit-gtk3-module-1.2.6-2.el9_8.x86_64.rpm
MD5: 268a90f55879e7ed84589991ff2a89fe
SHA-256: ba19f1dda5b4abda76c2e554e5cca84917477129dbd978498bf353e525c44d2c
Size: 14.37 kB