import Oracle_OSS PackageKit-1.2.6-2.0.1.el9_7

2026-04-29 12:48:40 -04:00 · 2026-04-29 12:48:40 -04:00 · 36817d01f1
commit 36817d01f1
parent f08a2d93b2
3 changed files with 71 additions and 52 deletions
--- a/SOURCES/0001-Do-not-allow-re-invoking-methods-on-non-new-transact.patch
+++ b/SOURCES/0001-Do-not-allow-re-invoking-methods-on-non-new-transact.patch
@ -0,0 +1,59 @@
+From ac49526d53ff83762fa40f06418783883f1659fa Mon Sep 17 00:00:00 2001
+From: Matthias Klumpp <matthias@tenstral.net>
+Date: Tue, 14 Apr 2026 16:12:18 +0200
+Subject: [PATCH] Do not allow re-invoking methods on non-new transactions
+
+This ensures that cached parameters (such a transaction flags) can not
+be changed on an already running transaction or a transaction that is
+waiting for authorization.
+
+It also prevents backwards state transitions in case a client
+misbehaves.
+---
+ src/pk-transaction.c | 26 ++++++++++++++++++++++----
+ 1 file changed, 22 insertions(+), 4 deletions(-)
+
+diff --git a/src/pk-transaction.c b/src/pk-transaction.c
+index 5c24462c7..6120ff9fa 100644
+--- a/src/pk-transaction.c
+++ b/src/pk-transaction.c
+@@ -5264,14 +5264,32 @@ pk_transaction_method_call (GDBusConnection *connection_, const gchar *sender,
+ 		pk_transaction_set_hints (transaction, parameters, invocation);
+ 		return;
+ 	}
+-	if (g_strcmp0 (method_name, "AcceptEula") == 0) {
+-		pk_transaction_accept_eula (transaction, parameters, invocation);
+-		return;
+-	}
+ 	if (g_strcmp0 (method_name, "Cancel") == 0) {
+ 		pk_transaction_cancel (transaction, parameters, invocation);
+ 		return;
+ 	}
+
+	/* All action methods below must only be invoked once on a new transaction.
+	 * Reject any attempt to re-invoke them after the transaction has been initialized,
+	 * preventing situations where a second D-Bus call could overwrite transaction flags
+	 * (or other cached state) after authorization has already been granted for the previous
+	 * request based on the old parameters. */
+	if (transaction->priv->state != PK_TRANSACTION_STATE_NEW) {
+		g_dbus_method_invocation_return_error (invocation,
+						       PK_TRANSACTION_ERROR,
+						       PK_TRANSACTION_ERROR_INVALID_STATE,
+						       "cannot call %s on transaction %s: "
+						       "already in state %s",
+						       method_name,
+						       transaction->priv->tid,
+						       pk_transaction_state_to_string (transaction->priv->state));
+		return;
+	}
+
+	if (g_strcmp0 (method_name, "AcceptEula") == 0) {
+		pk_transaction_accept_eula (transaction, parameters, invocation);
+		return;
+	}
+ 	if (g_strcmp0 (method_name, "DownloadPackages") == 0) {
+ 		pk_transaction_download_packages (transaction, parameters, invocation);
+ 		return;
+-- 
+2.53.0
+
--- a/SOURCES/PackageKit-0.3.8-RHEL-Vendor.conf.patch
+++ b/SOURCES/PackageKit-0.3.8-RHEL-Vendor.conf.patch
@ -1,45 +0,0 @@
-diff -urNp PackageKit-0.8.14.old/etc/Vendor.conf PackageKit-0.8.14/etc/Vendor.conf
--- PackageKit-0.8.14.old/etc/Vendor.conf	2013-12-02 15:14:19.644838900 +0000
-+++ PackageKit-0.8.14/etc/Vendor.conf	2013-12-02 15:15:26.956925038 +0000
-@@ -12,7 +12,7 @@
- # If the value is set to 'none' then no link is shown.
- #
- # default=http://www.packagekit.org/pk-package-not-found.html
-DefaultUrl=http://www.packagekit.org/pk-package-not-found.html
-+DefaultUrl=https://access.redhat.com/site/solutions/537113#Missing_Package
- 
- # The URL which is shown to the user when a codec could not be found.
- # It should explain why certain codecs cannot be used, and perhaps show
-@@ -21,7 +21,7 @@ DefaultUrl=http://www.packagekit.org/pk-
- # If the value is set to 'none' then the value of DefaultUrl is used.
- #
- # default=none
-CodecUrl=none
-+CodecUrl=https://access.redhat.com/site/solutions/537113#Missing_Codec
- 
- # The URL which is shown to the user when hardware drivers could not be found.
- # It should explain why some hardware is not supported, and links to futher
-@@ -30,7 +30,7 @@ CodecUrl=none
- # If the value is set to 'none' then the value of DefaultUrl is used.
- #
- # default=none
-HardwareUrl=none
-+HardwareUrl=https://access.redhat.com/site/solutions/537113#Missing_Driver
- 
- # The URL which is shown to the user when fonts could not be found.
- # Alternatives should probably be suggested where possible.
-@@ -38,7 +38,7 @@ HardwareUrl=none
- # If the value is set to 'none' then the value of DefaultUrl is used.
- #
- # default=none
-FontUrl=none
-+FontUrl=https://access.redhat.com/site/solutions/537113#Missing_Font
- 
- # The URL which is shown to the user when programs handing a mime tpye could not
- # be found. It should probably explain how to use wine if the program is a
-@@ -47,4 +47,4 @@ FontUrl=none
- # If the value is set to 'none' then the value of DefaultUrl is used.
- #
- # default=none
-MimeUrl=none
-+MimeUrl=https://access.redhat.com/site/solutions/537113#Missing_MIME_Support
--- a/SPECS/PackageKit.spec
+++ b/SPECS/PackageKit.spec
@ -6,17 +6,11 @@
 Summary:   Package management service
 Name:      PackageKit
 Version:   1.2.6
-Release:   1%{?dist}
+Release:   2.0.1%{?dist}
 License:   GPL-2.0-or-later AND LGPL-2.1-or-later
 URL:       http://www.freedesktop.org/software/PackageKit/
 Source0:   http://www.freedesktop.org/software/PackageKit/releases/%{name}-%{version}.tar.xz

-%if 0%{?fedora}
-Patch0:    PackageKit-0.3.8-Fedora-Vendor.conf.patch
-%elif 0%{?rhel}
-Patch0:    PackageKit-0.3.8-RHEL-Vendor.conf.patch
-%endif
-
 # https://pagure.io/fedora-workstation/issue/233
 # https://github.com/PackageKit/PackageKit/pull/404
 Patch1:    package-remove-password-prompt.patch
@ -31,6 +25,10 @@ Patch2:    shutdown-on-idle.patch
 # packagekitd[1113]: Failed to load the backend: opening module dnf failed : /usr/lib64/packagekit-backend/libpk_backend_dnf.so: undefined symbol: pk_backend_job_update_details
 Patch3:    0001-packagekitd-Use-export_dynamic-explicitly.patch

+# https://github.com/PackageKit/PackageKit/commit/76cfb675fb31acc3ad5595d4380bfff56d2a8697
+# to fix CVE-2026-41651
+Patch4:    0001-Do-not-allow-re-invoking-methods-on-non-new-transact.patch
+
 BuildRequires: glib2-devel >= %{glib2_version}
 BuildRequires: xmlto
 BuildRequires: gtk-doc
@ -255,6 +253,13 @@ systemctl disable packagekit-offline-update.service > /dev/null 2>&1 || :
 %{_datadir}/vala/vapi/packagekit-glib2.deps

 %changelog
+* Wed Apr 29 2026 EL Errata <el-errata_ww@oracle.com> - 1.2.6-2.0.1
+- remove RHEL vendor patch PackageKit-0.3.8-RHEL-Vendor.conf.patch
+
+* Mon Apr 27 2026 Richard Hughes <rhughes@redhat.com> - 1.2.6-2
+- Backport fix for CVE-2026-41651.
+- Resolves: #RHEL-170502
+
 * Mon Jan 15 2024 Milan Crha <mcrha@redhat.com> - 1.2.6-1
 - Resolves: RHEL-21560 (Rebase PackageKit to 1.2.6 version)