Reading local files as root leads to sensitive information disclosure

Bug #1888887 reported by Vaisha Bernard
Affects: packagekit (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned

Bug Description

Hi,

The InstallFiles, GetFilesLocal and GetDetailsLocal methods of the D-Bus interface to PackageKit access given files before checking for authorization. This allows non-privileged users to learn the MIME type of any file on the system.

Example in attached Python script:

$ python3 test_file_exists_pk.py /root/.bashrc
File exists and is of MIME type: 'text/plain'

$ python3 test_file_exists_pk.py /root/.bashrca
File does not exist

Description: Ubuntu 20.04 LTS
Release: 20.04

packagekit:
  Installed: 1.1.13-2ubuntu1
  Candidate: 1.1.13-2ubuntu1
  Version table:
 *** 1.1.13-2ubuntu1 500
        500 http://nl.archive.ubuntu.com/ubuntu focal/main amd64 Packages
        100 /var/lib/dpkg/status

Kind regards,
Vaisha Bernard
EYE Control B.V.

Vaisha Bernard (vaisha) wrote :
Changed in packagekit (Ubuntu):
status: New → Triaged
Julian Andres Klode (juliank) wrote :

Attached patch

Seth Arnold (seth-arnold) wrote :

Please use CVE-2020-16121 for this issue. Thanks.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package packagekit - 1.1.13-2ubuntu1.1

---------------
packagekit (1.1.13-2ubuntu1.1) focal-security; urgency=medium

  * SECURITY UPDATE: information disclosure (LP: #1888887)
    - debian/patches/CVE-2020-16121.patch: hide failures behind a single
      error message in src/pk-transaction.c.
    - CVE-2020-16121
  * SECURITY UPDATE: untrusted local file installation (LP: #1882098)
    - debian/patches/CVE-2020-16122.patch: do not trust local packages in
      backends/aptcc/apt-intf.cpp.
    - CVE-2020-16122

 -- Marc Deslauriers <email address hidden> Wed, 23 Sep 2020 06:55:22 -0400

Changed in packagekit (Ubuntu):
status: Triaged → Fix Released
information type: Private Security → Public Security
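
The ordering problem described in this report and the single-error approach named in the changelog above, as an added C model that is not PackageKit's code or the CVE-2020-16121 patch. The handler names, reply codes and the ar-magic check standing in for MIME detection are assumptions made for illustration.

```c
/* Added illustration, not PackageKit source; every identifier here is hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

enum reply { REPLY_OK, REPLY_NO_SUCH_FILE, REPLY_MIME_NOT_SUPPORTED,
             REPLY_FILE_INVALID, REPLY_NOT_AUTHORIZED };

/* Stand-in for MIME sniffing: accept only files that start with the ar magic used by .deb. */
static int is_supported_package(const char *path) {
    char magic[8] = {0};
    FILE *f = fopen(path, "rb");
    if (f == NULL) return 0;
    size_t n = fread(magic, 1, sizeof magic, f);
    fclose(f);
    return n == sizeof magic && memcmp(magic, "!<arch>\n", sizeof magic) == 0;
}

/* Reported ordering: the privileged service inspects the path and answers with a
   distinct error per failure before the caller's authorization is considered. */
enum reply handle_before_fix(const char *path, int authorized) {
    if (access(path, F_OK) != 0) return REPLY_NO_SUCH_FILE;
    if (!is_supported_package(path)) return REPLY_MIME_NOT_SUPPORTED;
    return authorized ? REPLY_OK : REPLY_NOT_AUTHORIZED;
}

/* Changelog's approach: same checks, but every file failure maps to one reply. */
enum reply handle_after_fix(const char *path, int authorized) {
    if (access(path, F_OK) != 0 || !is_supported_package(path)) return REPLY_FILE_INVALID;
    return authorized ? REPLY_OK : REPLY_NOT_AUTHORIZED;
}

/* Regression check on a constructed temp file: returns 1 if an unauthorized caller
   gets different replies for an existing non-package file and a missing path. */
int leaks_existence(enum reply (*handler)(const char *, int)) {
    char present[] = "/tmp/pk_oracle_XXXXXX";
    int fd = mkstemp(present);
    if (fd < 0) return -1;
    if (write(fd, "plain text\n", 11) != 11) { close(fd); unlink(present); return -1; }
    close(fd);
    enum reply r_present = handler(present, 0);
    unlink(present);
    enum reply r_missing = handler(present, 0);   /* same path, now deleted */
    return r_present != r_missing;
}

int main(void) {
    printf("before fix leaks: %d\n", leaks_existence(handle_before_fix));
    printf("after fix leaks:  %d\n", leaks_existence(handle_after_fix));
    return 0;
}
```

In this model an unauthorized caller can still tell a supported package from everything else, because only that case reaches the authorization reply; performing the authorization check before the file is touched would remove that remaining signal.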
Marc Deslauriers (mdeslaur) wrote :

The updates for this issue have been released:

https://ubuntu.com/security/notices/USN-4538-1

Thanks!

This report contains Public Security information  
Everyone can see this security related information.
