.PackageKit.metadata

@@ -1 +0,0 @@
-c205f7299520ab19ccd08276ec13fc7e273fb3c3 SOURCES/PackageKit-1.1.12.tar.xz

SOURCES/0001-Do-not-allow-re-invoking-methods-on-non-new-transact.patch

@@ -1,59 +0,0 @@
-From ac49526d53ff83762fa40f06418783883f1659fa Mon Sep 17 00:00:00 2001
-From: Matthias Klumpp <matthias@tenstral.net>
-Date: Tue, 14 Apr 2026 16:12:18 +0200
-Subject: [PATCH] Do not allow re-invoking methods on non-new transactions
-
-This ensures that cached parameters (such a transaction flags) can not
-be changed on an already running transaction or a transaction that is
-waiting for authorization.
-
-It also prevents backwards state transitions in case a client
-misbehaves.
----
- src/pk-transaction.c | 26 ++++++++++++++++++++++----
- 1 file changed, 22 insertions(+), 4 deletions(-)
-
-diff --git a/src/pk-transaction.c b/src/pk-transaction.c
-index 5c24462c7..6120ff9fa 100644
---- a/src/pk-transaction.c
-+++ b/src/pk-transaction.c
-@@ -5264,14 +5264,32 @@ pk_transaction_method_call (GDBusConnection *connection_, const gchar *sender,
- 		pk_transaction_set_hints (transaction, parameters, invocation);
- 		return;
- 	}
--	if (g_strcmp0 (method_name, "AcceptEula") == 0) {
--		pk_transaction_accept_eula (transaction, parameters, invocation);
--		return;
--	}
- 	if (g_strcmp0 (method_name, "Cancel") == 0) {
- 		pk_transaction_cancel (transaction, parameters, invocation);
- 		return;
- 	}
-+
-+	/* All action methods below must only be invoked once on a new transaction.
-+	 * Reject any attempt to re-invoke them after the transaction has been initialized,
-+	 * preventing situations where a second D-Bus call could overwrite transaction flags
-+	 * (or other cached state) after authorization has already been granted for the previous
-+	 * request based on the old parameters. */
-+	if (transaction->priv->state != PK_TRANSACTION_STATE_NEW) {
-+		g_dbus_method_invocation_return_error (invocation,
-+						       PK_TRANSACTION_ERROR,
-+						       PK_TRANSACTION_ERROR_INVALID_STATE,
-+						       "cannot call %s on transaction %s: "
-+						       "already in state %s",
-+						       method_name,
-+						       transaction->priv->tid,
-+						       pk_transaction_state_to_string (transaction->priv->state));
-+		return;
-+	}
-+
-+	if (g_strcmp0 (method_name, "AcceptEula") == 0) {
-+		pk_transaction_accept_eula (transaction, parameters, invocation);
-+		return;
-+	}
- 	if (g_strcmp0 (method_name, "DownloadPackages") == 0) {
- 		pk_transaction_download_packages (transaction, parameters, invocation);
- 		return;
--- 
-2.53.0
-

SPECS/PackageKit.spec

@@ -14,7 +14,7 @@
 Summary:   Package management service
 Name:      PackageKit
 Version:   1.1.12
-Release:   8%{?dist}
+Release:   7%{?dist}
 License:   GPLv2+ and LGPLv2+
 URL:       http://www.freedesktop.org/software/PackageKit/
 Source0:   http://www.freedesktop.org/software/PackageKit/releases/%{name}-%{version}.tar.xz
@@ -40,10 +40,6 @@ Patch6:    0002-pk-engine-Only-set-polkit-interactive-flag-if-method.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1814820
 Patch4:    revert-shutdown-on-idle.patch
 
-# https://github.com/PackageKit/PackageKit/commit/76cfb675fb31acc3ad5595d4380bfff56d2a8697
-# to fix CVE-2026-41651
-Patch7:    0001-Do-not-allow-re-invoking-methods-on-non-new-transact.patch
-
 BuildRequires: glib2-devel >= %{glib2_version}
 BuildRequires: xmlto
 BuildRequires: gtk-doc
@@ -344,10 +340,6 @@ systemctl disable packagekit-offline-update.service > /dev/null 2>&1 || :
 %{_datadir}/vala/vapi/packagekit-glib2.vapi
 
 %changelog
-* Mon Apr 27 2026 Richard Hughes <rhughes@redhat.com> - 1.1.12-8
-- Backport fix for CVE-2026-41651.
-- Resolves: #RHEL-170493
-
 * Mon Apr 24 2023 Richard Hughes <rhughes@redhat.com> - 1.1.12-7
 - Backport changes for passing interactive flag to polkit calls.
 - Resolves: #2177711