New upstream release.

Do not try to parse any arguments in command-not-found. Ensure we save the updates cache for the pre-transaction checks.
2011-07-04 16:40:13 +01:00 · 2011-07-04 16:40:13 +01:00 · 1a78ed2106
commit 1a78ed2106
parent 52da7c5f6d
4 changed files with 10 additions and 100 deletions
--- a/.gitignore
+++ b/.gitignore
@ -8,3 +8,4 @@ PackageKit-0.6.7.tar.bz2
 /PackageKit-0.6.13.tar.bz2
 /PackageKit-0.6.14.tar.bz2
 /PackageKit-0.6.15.tar.bz2
+/PackageKit-0.6.16.tar.xz
--- a/0001-Fix-CVE-2011-2515-which-affects-the-YUM-backend.patch
+++ b/0001-Fix-CVE-2011-2515-which-affects-the-YUM-backend.patch
@ -1,92 +0,0 @@
-From cd79fcfefc8af165faa9a320bec44ce6d1c5b125 Mon Sep 17 00:00:00 2001
-From: Richard Hughes <richard@hughsie.com>
-Date: Fri, 1 Jul 2011 09:20:40 +0100
-Subject: [PATCH] Fix CVE-2011-2515 which affects the YUM backend
-
-In commit 290933489b1aaeb1017d10fb59ccf3231e309115, YUM changed the behaviour
-when checking signatures on a package. The commit added a new configuration key
-'localpkg_gpgcheck' which only affects local packages, but the key was set by
-default to False, unlike 'gpgcheck' which was used for local and remote
-packages before this commit.
-
-This meant that an end user could install a local unsigned rpm package using
-PackageKit without a GPG trust check, and the user would be told the untrusted
-package is itself trusted. This would cause PackageKit to use a different
-(weaker) PolicyKit authentication that what would be required of an unsigned
-package.
-
-To exploit this low-impact vulnerability, a user would have to manually
-download an unsigned package file and would still be required to authenticate
-to install the package unless this has been changed by an administrator.
-
-Now, PackageKit sets internaly 'localpkg_gpgcheck' to match 'gpgcheck' for all
-versions of yum with this new feature to match the expected behaviour.
-
-Red Hat would like to thank Peter Robinson for reporting this issue.
-
-See http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2515 for more details.
-
-Fixes https://bugzilla.redhat.com/show_bug.cgi?id=717566
---
- backends/yum/yumBackend.py |   16 ++++++++++++++++
- 1 files changed, 16 insertions(+), 0 deletions(-)
-
-diff --git a/backends/yum/yumBackend.py b/backends/yum/yumBackend.py
-index d66f862..d9a293c 100755
--- a/backends/yum/yumBackend.py
-+++ b/backends/yum/yumBackend.py
-@@ -1732,8 +1732,12 @@ class PackageKitYumBackend(PackageKitBaseBackend, PackagekitPackage):
-         # if only_trusted is true, it means that we will only update signed files
-         if only_trusted:
-             self.yumbase.conf.gpgcheck = 1
-+            if hasattr(self.yumbase.conf, 'localpkg_gpgcheck'):
-+                self.yumbase.conf.localpkg_gpgcheck = 1
-         else:
-             self.yumbase.conf.gpgcheck = 0
-+            if hasattr(self.yumbase.conf, 'localpkg_gpgcheck'):
-+                self.yumbase.conf.localpkg_gpgcheck = 0
- 
-         self.yumbase.conf.throttle = "60%" # Set bandwidth throttle to 60%
-                                            # to avoid taking all the system's bandwidth.
-@@ -1956,8 +1960,12 @@ class PackageKitYumBackend(PackageKitBaseBackend, PackagekitPackage):
-         # if only_trusted is true, it means that we will only update signed files
-         if only_trusted:
-             self.yumbase.conf.gpgcheck = 1
-+            if hasattr(self.yumbase.conf, 'localpkg_gpgcheck'):
-+                self.yumbase.conf.localpkg_gpgcheck = 1
-         else:
-             self.yumbase.conf.gpgcheck = 0
-+            if hasattr(self.yumbase.conf, 'localpkg_gpgcheck'):
-+                self.yumbase.conf.localpkg_gpgcheck = 0
- 
-         for package_id in package_ids:
-             grp = self._is_meta_package(package_id)
-@@ -2149,8 +2157,12 @@ class PackageKitYumBackend(PackageKitBaseBackend, PackagekitPackage):
-         # If only_trusted is true, it means that we will only install trusted files
-         if only_trusted or simulate:
-             self.yumbase.conf.gpgcheck = 1
-+            if hasattr(self.yumbase.conf, 'localpkg_gpgcheck'):
-+                self.yumbase.conf.localpkg_gpgcheck = 1
-         else:
-             self.yumbase.conf.gpgcheck = 0
-+            if hasattr(self.yumbase.conf, 'localpkg_gpgcheck'):
-+                self.yumbase.conf.localpkg_gpgcheck = 0
- 
-         # self.yumbase.installLocal fails for unsigned packages when self.yumbase.conf.gpgcheck = 1
-         # This means we don't run runYumTransaction, and don't get the GPG failure in
-@@ -2304,8 +2316,12 @@ class PackageKitYumBackend(PackageKitBaseBackend, PackagekitPackage):
-         # if only_trusted is true, it means that we will only update signed files
-         if only_trusted:
-             self.yumbase.conf.gpgcheck = 1
-+            if hasattr(self.yumbase.conf, 'localpkg_gpgcheck'):
-+                self.yumbase.conf.localpkg_gpgcheck = 1
-         else:
-             self.yumbase.conf.gpgcheck = 0
-+            if hasattr(self.yumbase.conf, 'localpkg_gpgcheck'):
-+                self.yumbase.conf.localpkg_gpgcheck = 0
- 
-         txmbrs = []
-         try:
-- 
-1.7.5.4
-
--- a/PackageKit.spec
+++ b/PackageKit.spec
@ -2,11 +2,11 @@

 Summary:   Package management service
 Name:      PackageKit
-Version:   0.6.15
-Release:   3%{?dist}
+Version:   0.6.16
+Release:   1%{?dist}
 License:   GPLv2+ and LGPLv2+
 URL:       http://www.packagekit.org
-Source0:   http://www.packagekit.org/releases/%{name}-%{version}.tar.bz2
+Source0:   http://www.packagekit.org/releases/%{name}-%{version}.tar.xz

 # Fedora-specific: set Vendor.conf up for Fedora.
 Patch0:    PackageKit-0.3.8-Fedora-Vendor.conf.patch
@ -14,9 +14,6 @@ Patch0:    PackageKit-0.3.8-Fedora-Vendor.conf.patch
 # Fedora specific: the yum backend doesn't do time estimation correctly
 Patch1:    PackageKit-0.4.4-Fedora-turn-off-time.conf.patch

-# Fix for CVE-2011-2515
-Patch2:    0001-Fix-CVE-2011-2515-which-affects-the-YUM-backend.patch
-
 Requires: PackageKit-glib = %{version}-%{release}
 Requires: PackageKit-yum = %{version}-%{release}
 Requires: shared-mime-info
@ -249,7 +246,6 @@ user to restart the computer or remove and re-insert the device.
 %setup -q
 %patch0 -p1 -b .fedora
 %patch1 -p1 -b .no-time
-%patch2 -p1 -b .cve2011-2515

 %build
 %configure \
@ -464,6 +460,11 @@ update-mime-database %{_datadir}/mime &> /dev/null || :
 %{_includedir}/PackageKit/backend/*.h

 %changelog
+* Mon Jul 04 2011 Richard Hughes  <rhughes@redhat.com> - 0.6.16-1
+- New upstream release.
+- Do not try to parse any arguments in command-not-found.
+- Ensure we save the updates cache for the pre-transaction checks.
+
 * Fri Jul 01 2011 Richard Hughes  <rhughes@redhat.com> - 0.6.15-3
 - Upstream yum recently changed the behaviour when checking signatures
  on a package. The commit added a new configuration key which only
--- a/2
+++ b/2
@ -1 +1 @@
-432f505462a00473c941ff907d97953e  PackageKit-0.6.15.tar.bz2
+a829166f881dab2aa19e0f130ff8b33d  PackageKit-0.6.16.tar.xz