PackageKit is a a D-Bus abstraction layer that allows the user to manage packages in a secure way using a cross-distro, cross-architecture API. PackageKit between and including versions 1.0.2 and 1.3.4 is vulnerable to a time-of-check time-of-use (TOCTOU) race condition on transaction flags that allows unprivileged users to install packages as root and thus leads to a local privilege escalation. This is patched in version 1.3.5.
A local unprivileged user can install arbitrary RPM packages as root, including executing RPM scriptlets, without authentication. The vulnerability is a TOCTOU race condition on transaction->cached_transaction_flags combined with a silent state-machine guard that discards illegal backward transitions while leaving corrupted flags in place. Three bugs exist in src/pk-transaction.c:
InstallFiles() writes caller-supplied flags to transaction->cached_transaction_flags without checking whether the transaction has already been authorized/started. A second call blindly overwrites the flags even while the transaction is RUNNING.pk_transaction_set_state() silently discards backward state transitions (e.g. RUNNING → WAITING_FOR_AUTH) but the flag overwrite at step 1 already happened. The transaction continues running with corrupted flags.Exploitability
AV:LAC:LPR:LUI:NScope
S:CImpact
C:HI:HA:H8.8/CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HOther