Bug 20498 - [cve 13] [cve 21] packagekit CVE-2026-41651
Summary: [cve 13] [cve 21] packagekit CVE-2026-41651
Status: RESOLVED FIXED
Alias: None
Product: ROSA Fresh
Classification: ROSA-based products
Component: Packages from Main (show other bugs)
Version: All
Hardware: All Linux
Importance: High critical
Target Milestone: ---
Assignee: ROSA Linux Bugs
URL:
Whiteboard:
Duplicates: 20277
Depends on:
Blocks:
Reported: 2026-04-24 12:21 MSK by Mikhail Novosyolov
Modified: 2026-04-24 13:23 MSK (History)

See Also:
Platform: ROSA13
ROSA Vulnerability identifier:
RPM Package:
Upstream:
m.novosyolov: secteam_verified?
m.novosyolov: published+


Description Mikhail Novosyolov 2026-04-24 12:21:31 MSK
********** QA ADVISORY **********

rosa13:
packagekit 1.3.5-1
- updated from 1.3.1 to 1.3.5
- fixed CVE-2026-41651

https://abf.io/build_lists/5575218
https://abf.io/build_lists/5575219
https://abf.io/build_lists/5575220
https://abf.io/build_lists/5575221
Comment 1 Aleksandr Proklov 2026-04-24 12:26:05 MSK
*** Bug 20277 has been marked as a duplicate of this bug. ***
Comment 2 Mikhail Novosyolov 2026-04-24 12:36:34 MSK
rosa2021.1:

packagekit 1.1.13-6
- backported fix of CVE-2026-41651
https://abf.io/build_lists/5575223
https://abf.io/build_lists/5575224
https://abf.io/build_lists/5575225
Comment 3 Mikhail Novosyolov 2026-04-24 13:04:12 MSK
********* Tested *********
Comment 4 Mikhail Novosyolov 2026-04-24 13:22:39 MSK
Before:
$ sudo cat /usr/share/polkit-1/rules.d/org.freedesktop.packagekit.rules
[sudo] пароль для mikhailnov: 
polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.packagekit.package-install" &&
        subject.active == true && subject.local == true &&
        subject.isInGroup("wheel")) {
            return polkit.Result.YES;
    }
});

After:
$ sudo cat /usr/share/polkit-1/rules.d/org.freedesktop.packagekit.rules
// Allows users belonging to privileged groups to trigger system updates
// without a password prompt.

polkit.addRule(function(action, subject) {
    if ((action.id == "org.freedesktop.packagekit.system-update" ||
         action.id == "org.freedesktop.packagekit.trigger-offline-update" ||
         action.id == "org.freedesktop.packagekit.trigger-offline-upgrade") &&
         subject.active == true && subject.local == true &&
         (subject.isInGroup("wheel") || subject.isInGroup("sudo"))) {
            return polkit.Result.YES;
    }
});

Now "pkcon install xxx" asks for a password, but system updates, on the contrary, no longer require one. For consistency with Svetofor and the rest of the system, it is more correct to ask for a password in both cases.

Split out as subpackages:
packagekit-wheel-update-no-password - the new variant of the rule
packagekit-wheel-install-no-password - the old variant of the rule
They can be installed at the same time; they do not conflict.
By default, neither of them will be installed.
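As an added illustration (not code from this bug or from ROSA's packages): a small JavaScript model of how polkit evaluates the two rules shown above, so an administrator can check which PackageKit actions end up passwordless for a given user before installing either subpackage. It assumes polkit's documented behaviour that rules run in order, the first callback returning a value decides, and returning nothing means the action's default from its .policy file (a password prompt) applies; the subject objects are constructed for the demo.

```javascript
// Minimal model of polkit's rules.d evaluation (a stand-alone demo, not polkit
// itself): rules run in order, the first callback returning a value decides, and
// if none does, the action's default from its .policy file (a password prompt) applies.
const Result = { YES: "yes", NO: "no" };

// Rule from the old packagekit-wheel-install-no-password variant (as in the bug).
const installRule = (action, subject) => {
  if (action.id == "org.freedesktop.packagekit.package-install" &&
      subject.active == true && subject.local == true &&
      subject.isInGroup("wheel")) {
    return Result.YES;
  }
};

// Rule from the new packagekit-wheel-update-no-password variant (as in the bug).
const updateRule = (action, subject) => {
  if ((action.id == "org.freedesktop.packagekit.system-update" ||
       action.id == "org.freedesktop.packagekit.trigger-offline-update" ||
       action.id == "org.freedesktop.packagekit.trigger-offline-upgrade") &&
      subject.active == true && subject.local == true &&
      (subject.isInGroup("wheel") || subject.isInGroup("sudo"))) {
    return Result.YES;
  }
};

// Constructed subject: by default an active, local console session.
function makeSubject(groups, { active = true, local = true } = {}) {
  return { active, local, isInGroup: (g) => groups.includes(g) };
}

// First rule that returns a value wins; "default" means the .policy file decides.
function decide(rules, actionId, subject) {
  for (const rule of rules) {
    const r = rule({ id: actionId }, subject);
    if (r !== undefined) return r;
  }
  return "default";
}

// Lists the PackageKit actions that need no password for this subject.
function passwordlessActions(rules, subject) {
  const actions = [
    "org.freedesktop.packagekit.package-install",
    "org.freedesktop.packagekit.system-update",
    "org.freedesktop.packagekit.trigger-offline-update",
    "org.freedesktop.packagekit.trigger-offline-upgrade",
  ];
  return actions.filter((a) => decide(rules, a, subject) === Result.YES);
}
```

Installing neither subpackage leaves every action on its policy default, so a password is asked in both cases, which is the behaviour the comment above calls consistent with the rest of the system.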