From 36817d01f1b0fda17371e26cb0eb91f551df87ad Mon Sep 17 00:00:00 2001
From: AlmaLinux RelEng Bot
Date: Wed, 29 Apr 2026 12:48:40 -0400
Subject: [PATCH] import Oracle_OSS PackageKit-1.2.6-2.0.1.el9_7
---
 ...invoking-methods-on-non-new-transact.patch | 59 +++++++++++++++++++
 .../PackageKit-0.3.8-RHEL-Vendor.conf.patch | 45 --------------
 SPECS/PackageKit.spec | 19 +++---
 3 files changed, 71 insertions(+), 52 deletions(-)
 create mode 100644 SOURCES/0001-Do-not-allow-re-invoking-methods-on-non-new-transact.patch
 delete mode 100644 SOURCES/PackageKit-0.3.8-RHEL-Vendor.conf.patch
diff --git a/SOURCES/0001-Do-not-allow-re-invoking-methods-on-non-new-transact.patch b/SOURCES/0001-Do-not-allow-re-invoking-methods-on-non-new-transact.patch
new file mode 100644
index 0000000..e9fdcd3
--- /dev/null
+++ b/SOURCES/0001-Do-not-allow-re-invoking-methods-on-non-new-transact.patch
@@ -0,0 +1,59 @@
+From ac49526d53ff83762fa40f06418783883f1659fa Mon Sep 17 00:00:00 2001
+From: Matthias Klumpp
+Date: Tue, 14 Apr 2026 16:12:18 +0200
+Subject: [PATCH] Do not allow re-invoking methods on non-new transactions
+
+This ensures that cached parameters (such a transaction flags) can not
+be changed on an already running transaction or a transaction that is
+waiting for authorization.
+
+It also prevents backwards state transitions in case a client
+misbehaves.
+---
+ src/pk-transaction.c | 26 ++++++++++++++++++++++----
+ 1 file changed, 22 insertions(+), 4 deletions(-)
+
+diff --git a/src/pk-transaction.c b/src/pk-transaction.c
+index 5c24462c7..6120ff9fa 100644
+--- a/src/pk-transaction.c
++++ b/src/pk-transaction.c
+@@ -5264,14 +5264,32 @@ pk_transaction_method_call (GDBusConnection *connection_, const gchar *sender,
+ pk_transaction_set_hints (transaction, parameters, invocation);
+ return;
+ }
+- if (g_strcmp0 (method_name, "AcceptEula") == 0) {
+- pk_transaction_accept_eula (transaction, parameters, invocation);
+- return;
+- }
+ if (g_strcmp0 (method_name, "Cancel") == 0) {
+ pk_transaction_cancel (transaction, parameters, invocation);
+ return;
+ }
++
++ /* All action methods below must only be invoked once on a new transaction.
++ * Reject any attempt to re-invoke them after the transaction has been initialized,
++ * preventing situations where a second D-Bus call could overwrite transaction flags
++ * (or other cached state) after authorization has already been granted for the previous
++ * request based on the old parameters. */
++ if (transaction->priv->state != PK_TRANSACTION_STATE_NEW) {
++ g_dbus_method_invocation_return_error (invocation,
++ PK_TRANSACTION_ERROR,
++ PK_TRANSACTION_ERROR_INVALID_STATE,
++ "cannot call %s on transaction %s: "
++ "already in state %s",
++ method_name,
++ transaction->priv->tid,
++ pk_transaction_state_to_string (transaction->priv->state));
++ return;
++ }
++
++ if (g_strcmp0 (method_name, "AcceptEula") == 0) {
++ pk_transaction_accept_eula (transaction, parameters, invocation);
++ return;
++ }
+ if (g_strcmp0 (method_name, "DownloadPackages") == 0) {
+ pk_transaction_download_packages (transaction, parameters, invocation);
+ return;
+--
+2.53.0
+
diff --git a/SOURCES/PackageKit-0.3.8-RHEL-Vendor.conf.patch b/SOURCES/PackageKit-0.3.8-RHEL-Vendor.conf.patch
deleted file mode 100644
index 5eaec51..0000000
--- a/SOURCES/PackageKit-0.3.8-RHEL-Vendor.conf.patch
+++ /dev/null
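Review bot: The new guard protects only the action methods dispatched after it; `SetHints`, whose dispatch shows in the hunk's first context lines, and `Cancel` remain reachable in every state. If hints are cached on the transaction the same way flags are, a client could still change them after authorization was granted unless `pk_transaction_set_hints` enforces its own state check — its body is outside this hunk, so that should be confirmed, and the exemption documented in the new comment, e.g. `/* SetHints and Cancel are deliberately dispatched before this check. */`. The enclosing `pk_transaction_method_call` starts before and continues past this hunk, so any other dispatch branches above the guard deserve the same audit.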
@@ -1,45 +0,0 @@
-diff -urNp PackageKit-0.8.14.old/etc/Vendor.conf PackageKit-0.8.14/etc/Vendor.conf
---- PackageKit-0.8.14.old/etc/Vendor.conf 2013-12-02 15:14:19.644838900 +0000
-+++ PackageKit-0.8.14/etc/Vendor.conf 2013-12-02 15:15:26.956925038 +0000
-@@ -12,7 +12,7 @@
- # If the value is set to 'none' then no link is shown.
- #
- # default=http://www.packagekit.org/pk-package-not-found.html
--DefaultUrl=http://www.packagekit.org/pk-package-not-found.html
-+DefaultUrl=https://access.redhat.com/site/solutions/537113#Missing_Package
-
- # The URL which is shown to the user when a codec could not be found.
- # It should explain why certain codecs cannot be used, and perhaps show
-@@ -21,7 +21,7 @@ DefaultUrl=http://www.packagekit.org/pk-
- # If the value is set to 'none' then the value of DefaultUrl is used.
- #
- # default=none
--CodecUrl=none
-+CodecUrl=https://access.redhat.com/site/solutions/537113#Missing_Codec
-
- # The URL which is shown to the user when hardware drivers could not be found.
- # It should explain why some hardware is not supported, and links to futher
-@@ -30,7 +30,7 @@ CodecUrl=none
- # If the value is set to 'none' then the value of DefaultUrl is used.
- #
- # default=none
--HardwareUrl=none
-+HardwareUrl=https://access.redhat.com/site/solutions/537113#Missing_Driver
-
- # The URL which is shown to the user when fonts could not be found.
- # Alternatives should probably be suggested where possible.
-@@ -38,7 +38,7 @@ HardwareUrl=none
- # If the value is set to 'none' then the value of DefaultUrl is used.
- #
- # default=none
--FontUrl=none
-+FontUrl=https://access.redhat.com/site/solutions/537113#Missing_Font
-
- # The URL which is shown to the user when programs handing a mime tpye could not
- # be found. It should probably explain how to use wine if the program is a
-@@ -47,4 +47,4 @@ FontUrl=none
- # If the value is set to 'none' then the value of DefaultUrl is used.
- #
- # default=none
--MimeUrl=none
-+MimeUrl=https://access.redhat.com/site/solutions/537113#Missing_MIME_Support
diff --git a/SPECS/PackageKit.spec b/SPECS/PackageKit.spec
index d327fb6..13fbb9f 100644
--- a/SPECS/PackageKit.spec
+++ b/SPECS/PackageKit.spec
@@ -6,17 +6,11 @@
 Summary: Package management service
 Name: PackageKit
 Version: 1.2.6
-Release: 1%{?dist}
+Release: 2.0.1%{?dist}
 License: GPL-2.0-or-later AND LGPL-2.1-or-later
 URL: http://www.freedesktop.org/software/PackageKit/
 Source0: http://www.freedesktop.org/software/PackageKit/releases/%{name}-%{version}.tar.xz
-%if 0%{?fedora}
-Patch0: PackageKit-0.3.8-Fedora-Vendor.conf.patch
-%elif 0%{?rhel}
-Patch0: PackageKit-0.3.8-RHEL-Vendor.conf.patch
-%endif
-
 # https://pagure.io/fedora-workstation/issue/233
 # https://github.com/PackageKit/PackageKit/pull/404
 Patch1: package-remove-password-prompt.patch
@@ -31,6 +25,10 @@ Patch2: shutdown-on-idle.patch
 # packagekitd[1113]: Failed to load the backend: opening module dnf failed : /usr/lib64/packagekit-backend/libpk_backend_dnf.so: undefined symbol: pk_backend_job_update_details
 Patch3: 0001-packagekitd-Use-export_dynamic-explicitly.patch
+# https://github.com/PackageKit/PackageKit/commit/76cfb675fb31acc3ad5595d4380bfff56d2a8697
+# to fix CVE-2026-41651
+Patch4: 0001-Do-not-allow-re-invoking-methods-on-non-new-transact.patch
+
 BuildRequires: glib2-devel >= %{glib2_version}
 BuildRequires: xmlto
 BuildRequires: gtk-doc
@@ -255,6 +253,13 @@ systemctl disable packagekit-offline-update.service > /dev/null 2>&1 || :
 %{_datadir}/vala/vapi/packagekit-glib2.deps
 %changelog
+* Wed Apr 29 2026 EL Errata - 1.2.6-2.0.1
+- remove RHEL vendor patch PackageKit-0.3.8-RHEL-Vendor.conf.patch
+
+* Mon Apr 27 2026 Richard Hughes - 1.2.6-2
+- Backport fix for CVE-2026-41651.
+- Resolves: #RHEL-170502
+
 * Mon Jan 15 2024 Milan Crha - 1.2.6-1
 - Resolves: RHEL-21560 (Rebase PackageKit to 1.2.6 version)
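Review bot: The comment above the new `Patch4:` line cites upstream commit 76cfb675fb31acc3ad5595d4380bfff56d2a8697, but the patch file this commit adds carries `From ac49526d53ff83762fa40f06418783883f1659fa` in its own header, so the cited id and the embedded patch id disagree. If the file is a rebased cherry-pick of the cited commit, say so where the patch is declared, e.g. `# backport of upstream 76cfb675 (rebased onto 1.2.6)`, so the backport can be checked against the right upstream diff. The first hunk also removes the entire `%if 0%{?fedora}` / `%elif 0%{?rhel}` Patch0 block, while the 1.2.6-2.0.1 changelog entry mentions only the RHEL vendor patch; the entry should state that the whole conditional was dropped.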