From aa6248efef1832e8bf4fc0bf5c1e75af635f8520 Mon Sep 17 00:00:00 2001
From: Richard Hughes <richard@hughsie.com>
Date: Mon, 27 Apr 2026 11:41:48 +0100
Subject: [PATCH] Fix CVE-2026-41651

Resolves: RHEL-170504
---
 ...invoking-methods-on-non-new-transact.patch | 59 +++++++++++++++++++
 PackageKit.spec                               | 10 +++-
 2 files changed, 68 insertions(+), 1 deletion(-)
 create mode 100644 0001-Do-not-allow-re-invoking-methods-on-non-new-transact.patch

diff --git a/0001-Do-not-allow-re-invoking-methods-on-non-new-transact.patch b/0001-Do-not-allow-re-invoking-methods-on-non-new-transact.patch
new file mode 100644
index 0000000..e9fdcd3
--- /dev/null
+++ b/0001-Do-not-allow-re-invoking-methods-on-non-new-transact.patch
@@ -0,0 +1,59 @@
+From ac49526d53ff83762fa40f06418783883f1659fa Mon Sep 17 00:00:00 2001
+From: Matthias Klumpp <matthias@tenstral.net>
+Date: Tue, 14 Apr 2026 16:12:18 +0200
+Subject: [PATCH] Do not allow re-invoking methods on non-new transactions
+
+This ensures that cached parameters (such a transaction flags) can not
+be changed on an already running transaction or a transaction that is
+waiting for authorization.
+
+It also prevents backwards state transitions in case a client
+misbehaves.
+---
+ src/pk-transaction.c | 26 ++++++++++++++++++++++----
+ 1 file changed, 22 insertions(+), 4 deletions(-)
+
+diff --git a/src/pk-transaction.c b/src/pk-transaction.c
+index 5c24462c7..6120ff9fa 100644
+--- a/src/pk-transaction.c
++++ b/src/pk-transaction.c
+@@ -5264,14 +5264,32 @@ pk_transaction_method_call (GDBusConnection *connection_, const gchar *sender,
+ 		pk_transaction_set_hints (transaction, parameters, invocation);
+ 		return;
+ 	}
+-	if (g_strcmp0 (method_name, "AcceptEula") == 0) {
+-		pk_transaction_accept_eula (transaction, parameters, invocation);
+-		return;
+-	}
+ 	if (g_strcmp0 (method_name, "Cancel") == 0) {
+ 		pk_transaction_cancel (transaction, parameters, invocation);
+ 		return;
+ 	}
++
++	/* All action methods below must only be invoked once on a new transaction.
++	 * Reject any attempt to re-invoke them after the transaction has been initialized,
++	 * preventing situations where a second D-Bus call could overwrite transaction flags
++	 * (or other cached state) after authorization has already been granted for the previous
++	 * request based on the old parameters. */
++	if (transaction->priv->state != PK_TRANSACTION_STATE_NEW) {
++		g_dbus_method_invocation_return_error (invocation,
++						       PK_TRANSACTION_ERROR,
++						       PK_TRANSACTION_ERROR_INVALID_STATE,
++						       "cannot call %s on transaction %s: "
++						       "already in state %s",
++						       method_name,
++						       transaction->priv->tid,
++						       pk_transaction_state_to_string (transaction->priv->state));
++		return;
++	}
++
++	if (g_strcmp0 (method_name, "AcceptEula") == 0) {
++		pk_transaction_accept_eula (transaction, parameters, invocation);
++		return;
++	}
+ 	if (g_strcmp0 (method_name, "DownloadPackages") == 0) {
+ 		pk_transaction_download_packages (transaction, parameters, invocation);
+ 		return;
+-- 
+2.53.0
+
diff --git a/PackageKit.spec b/PackageKit.spec
index d327fb6..3feb5b2 100644
--- a/PackageKit.spec
+++ b/PackageKit.spec
@@ -6,7 +6,7 @@
 Summary:   Package management service
 Name:      PackageKit
 Version:   1.2.6
-Release:   1%{?dist}
+Release:   2%{?dist}
 License:   GPL-2.0-or-later AND LGPL-2.1-or-later
 URL:       http://www.freedesktop.org/software/PackageKit/
 Source0:   http://www.freedesktop.org/software/PackageKit/releases/%{name}-%{version}.tar.xz
@@ -31,6 +31,10 @@ Patch2:    shutdown-on-idle.patch
 # packagekitd[1113]: Failed to load the backend: opening module dnf failed : /usr/lib64/packagekit-backend/libpk_backend_dnf.so: undefined symbol: pk_backend_job_update_details
 Patch3:    0001-packagekitd-Use-export_dynamic-explicitly.patch
 
+# https://github.com/PackageKit/PackageKit/commit/76cfb675fb31acc3ad5595d4380bfff56d2a8697
+# to fix CVE-2026-41651
+Patch4:    0001-Do-not-allow-re-invoking-methods-on-non-new-transact.patch
+
 BuildRequires: glib2-devel >= %{glib2_version}
 BuildRequires: xmlto
 BuildRequires: gtk-doc
@@ -255,6 +259,10 @@ systemctl disable packagekit-offline-update.service > /dev/null 2>&1 || :
 %{_datadir}/vala/vapi/packagekit-glib2.deps
 
 %changelog
+* Mon Apr 27 2026 Richard Hughes <rhughes@redhat.com> - 1.2.6-2
+- Backport fix for CVE-2026-41651.
+- Resolves: #RHEL-170504
+
 * Mon Jan 15 2024 Milan Crha <mcrha@redhat.com> - 1.2.6-1
 - Resolves: RHEL-21560 (Rebase PackageKit to 1.2.6 version)