Fix CVE-2026-41651

Resolves: RHEL-170492
2026-04-27 10:04:33 +01:00 · 2026-04-27 10:04:33 +01:00 · 99e0f17001
commit 99e0f17001
parent acdd66c361
2 changed files with 63 additions and 0 deletions
--- a/0001-Do-not-allow-re-invoking-methods-on-non-new-transact.patch
+++ b/0001-Do-not-allow-re-invoking-methods-on-non-new-transact.patch
@ -0,0 +1,59 @@
+From ac49526d53ff83762fa40f06418783883f1659fa Mon Sep 17 00:00:00 2001
+From: Matthias Klumpp <matthias@tenstral.net>
+Date: Tue, 14 Apr 2026 16:12:18 +0200
+Subject: [PATCH] Do not allow re-invoking methods on non-new transactions
+
+This ensures that cached parameters (such a transaction flags) can not
+be changed on an already running transaction or a transaction that is
+waiting for authorization.
+
+It also prevents backwards state transitions in case a client
+misbehaves.
+---
+ src/pk-transaction.c | 26 ++++++++++++++++++++++----
+ 1 file changed, 22 insertions(+), 4 deletions(-)
+
+diff --git a/src/pk-transaction.c b/src/pk-transaction.c
+index 5c24462c7..6120ff9fa 100644
+--- a/src/pk-transaction.c
+++ b/src/pk-transaction.c
+@@ -5264,14 +5264,32 @@ pk_transaction_method_call (GDBusConnection *connection_, const gchar *sender,
+ 		pk_transaction_set_hints (transaction, parameters, invocation);
+ 		return;
+ 	}
+-	if (g_strcmp0 (method_name, "AcceptEula") == 0) {
+-		pk_transaction_accept_eula (transaction, parameters, invocation);
+-		return;
+-	}
+ 	if (g_strcmp0 (method_name, "Cancel") == 0) {
+ 		pk_transaction_cancel (transaction, parameters, invocation);
+ 		return;
+ 	}
+
+	/* All action methods below must only be invoked once on a new transaction.
+	 * Reject any attempt to re-invoke them after the transaction has been initialized,
+	 * preventing situations where a second D-Bus call could overwrite transaction flags
+	 * (or other cached state) after authorization has already been granted for the previous
+	 * request based on the old parameters. */
+	if (transaction->priv->state != PK_TRANSACTION_STATE_NEW) {
+		g_dbus_method_invocation_return_error (invocation,
+						       PK_TRANSACTION_ERROR,
+						       PK_TRANSACTION_ERROR_INVALID_STATE,
+						       "cannot call %s on transaction %s: "
+						       "already in state %s",
+						       method_name,
+						       transaction->priv->tid,
+						       pk_transaction_state_to_string (transaction->priv->state));
+		return;
+	}
+
+	if (g_strcmp0 (method_name, "AcceptEula") == 0) {
+		pk_transaction_accept_eula (transaction, parameters, invocation);
+		return;
+	}
+ 	if (g_strcmp0 (method_name, "DownloadPackages") == 0) {
+ 		pk_transaction_download_packages (transaction, parameters, invocation);
+ 		return;
+-- 
+2.53.0
+
--- a/PackageKit.spec
+++ b/PackageKit.spec
@ -26,6 +26,10 @@ Patch2:    appstream-mark-pk-as-compulsory.patch
 # https://github.com/PackageKit/PackageKit/pull/774
 Patch3:    runtime-warnings.patch

+# https://github.com/PackageKit/PackageKit/commit/76cfb675fb31acc3ad5595d4380bfff56d2a8697
+# to fix CVE-2026-41651
+Patch4:    0001-Do-not-allow-re-invoking-methods-on-non-new-transact.patch
+
 BuildRequires: glib2-devel >= %{glib2_version}
 BuildRequires: xmlto
 BuildRequires: gtk-doc