From 99e0f17001cc6e4c00decfab6e800d7c8836d905 Mon Sep 17 00:00:00 2001
From: Richard Hughes
Date: Mon, 27 Apr 2026 10:04:33 +0100
Subject: [PATCH] Fix CVE-2026-41651

Resolves: RHEL-170492
---
 ...invoking-methods-on-non-new-transact.patch | 59 +++++++++++++++++++
 PackageKit.spec | 4 ++
 2 files changed, 63 insertions(+)
 create mode 100644 0001-Do-not-allow-re-invoking-methods-on-non-new-transact.patch

diff --git a/0001-Do-not-allow-re-invoking-methods-on-non-new-transact.patch b/0001-Do-not-allow-re-invoking-methods-on-non-new-transact.patch
new file mode 100644
index 0000000..e9fdcd3
--- /dev/null
+++ b/0001-Do-not-allow-re-invoking-methods-on-non-new-transact.patch
@@ -0,0 +1,59 @@
+From ac49526d53ff83762fa40f06418783883f1659fa Mon Sep 17 00:00:00 2001
+From: Matthias Klumpp
+Date: Tue, 14 Apr 2026 16:12:18 +0200
+Subject: [PATCH] Do not allow re-invoking methods on non-new transactions
+
+This ensures that cached parameters (such a transaction flags) can not
+be changed on an already running transaction or a transaction that is
+waiting for authorization.
+
+It also prevents backwards state transitions in case a client
+misbehaves.
+---
+ src/pk-transaction.c | 26 ++++++++++++++++++++++----
+ 1 file changed, 22 insertions(+), 4 deletions(-)
+
+diff --git a/src/pk-transaction.c b/src/pk-transaction.c
+index 5c24462c7..6120ff9fa 100644
+--- a/src/pk-transaction.c
++++ b/src/pk-transaction.c
+@@ -5264,14 +5264,32 @@ pk_transaction_method_call (GDBusConnection *connection_, const gchar *sender,
+ pk_transaction_set_hints (transaction, parameters, invocation);
+ return;
+ }
+- if (g_strcmp0 (method_name, "AcceptEula") == 0) {
+- pk_transaction_accept_eula (transaction, parameters, invocation);
+- return;
+- }
+ if (g_strcmp0 (method_name, "Cancel") == 0) {
+ pk_transaction_cancel (transaction, parameters, invocation);
+ return;
+ }
++
++ /* All action methods below must only be invoked once on a new transaction.
++ * Reject any attempt to re-invoke them after the transaction has been initialized,
++ * preventing situations where a second D-Bus call could overwrite transaction flags
++ * (or other cached state) after authorization has already been granted for the previous
++ * request based on the old parameters. */
++ if (transaction->priv->state != PK_TRANSACTION_STATE_NEW) {
++ g_dbus_method_invocation_return_error (invocation,
++ PK_TRANSACTION_ERROR,
++ PK_TRANSACTION_ERROR_INVALID_STATE,
++ "cannot call %s on transaction %s: "
++ "already in state %s",
++ method_name,
++ transaction->priv->tid,
++ pk_transaction_state_to_string (transaction->priv->state));
++ return;
++ }
++
++ if (g_strcmp0 (method_name, "AcceptEula") == 0) {
++ pk_transaction_accept_eula (transaction, parameters, invocation);
++ return;
++ }
+ if (g_strcmp0 (method_name, "DownloadPackages") == 0) {
+ pk_transaction_download_packages (transaction, parameters, invocation);
+ return;
+--
+2.53.0
+
diff --git a/PackageKit.spec b/PackageKit.spec
index 81c6d35..2e98f98 100644
--- a/PackageKit.spec
+++ b/PackageKit.spec
@@ -26,6 +26,10 @@ Patch2: appstream-mark-pk-as-compulsory.patch
 # https://github.com/PackageKit/PackageKit/pull/774
 Patch3: runtime-warnings.patch
 
+# https://github.com/PackageKit/PackageKit/commit/76cfb675fb31acc3ad5595d4380bfff56d2a8697
+# to fix CVE-2026-41651
+Patch4: 0001-Do-not-allow-re-invoking-methods-on-non-new-transact.patch
+
 BuildRequires: glib2-devel >= %{glib2_version}
 BuildRequires: xmlto
 BuildRequires: gtk-doc
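Review bot: `SetHints` and `Cancel` are dispatched above the new `PK_TRANSACTION_STATE_NEW` guard in the patched `pk_transaction_method_call`, so both stay callable in every state even though the added comment promises that cached state cannot be overwritten once authorization has been granted. Cancel has to remain reachable, but whether `pk_transaction_set_hints` performs its own state check is not visible in this hunk and should be confirmed; either way the exemption deserves a line in the comment, e.g. `/* SetHints and Cancel are deliberately dispatched above this check and stay callable in any state. */`. The guard also only holds if every action handler below it moves the transaction off NEW before it caches parameters or waits for authorization, which happens outside the hunk (the function body starts and ends outside it). A regression test that invokes one action method twice on the same transaction and expects `PK_TRANSACTION_ERROR_INVALID_STATE` on the second call would pin the behaviour.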
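Review bot: `Patch4:` is only declared in this hunk, and whether it is actually applied depends on `%prep`, which is outside the visible lines: with `%autosetup` or `%autopatch` it is picked up automatically, but with explicit per-patch `%patch` lines the CVE fix would be silently left out of the build unless a matching line for patch 4 is added. The comment links upstream commit `76cfb675fb31acc3ad5595d4380bfff56d2a8697`, while the `From` line of the added patch file carries `ac49526d53ff83762fa40f06418783883f1659fa`; if the file was generated from a rebased or backported copy, say so in the comment so the provenance can be checked against upstream, e.g. `# backported from the upstream commit above; hashes differ because of the rebase`. The section adds only these four lines, so no Release bump or changelog entry is part of this commit unless the spec generates them automatically.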