Hello World,

I'm Sandipan Roy [FAS: ByteHackr]. I wanted to share a serious system-wide problem with the PackageKit-command-not-found [1] package. Can you guys give some feedback on whether I can submit a system-wide change proposal to remove this, because it's a poor system design? Through this vulnerability any wheel user can install any package without root access or sudo.

Reproducer:

Open up any bash terminal. Type in the name of a package that isn't installed already (e.g. nemo, irssi). I can reproduce it in F36-KDE. In Workstation it is not reproducible.

Analysis:

$ rpm -qf /etc/profile.d/PackageKit.sh
PackageKit-command-not-found-1.2.5-1.fc36.x86_64

$ rpm -ql PackageKit-command-not-found-1.2.5-1.fc36.x86_64
/etc/PackageKit/CommandNotFound.conf
/etc/profile.d/PackageKit.sh
/usr/lib/.build-id
/usr/lib/.build-id/86
/usr/lib/.build-id/86/7d08bc388e2cd2dbb8523e0a4662e19045bf4d
/usr/libexec/pk-command-not-found

$ which command_not_found_handle
command_not_found_handle ()
{
    local runcnf=1;
    local retval=127;
    [[ $- == *"i"* ]] || runcnf=0;
    [[ ! -S /run/dbus/system_bus_socket ]] && runcnf=0;
    [[ ! -x '/usr/libexec/packagekitd' ]] && runcnf=0;
    [[ -n ${COMP_CWORD-} ]] && runcnf=0;
    [[ ! -x '/usr/libexec/pk-command-not-found' ]] && runcnf=0;
    if [ $runcnf -eq 1 ]; then
        '/usr/libexec/pk-command-not-found' "$@";
        retval=$?;
    else
        if [[ -n "${BASH_VERSION-}" ]]; then
            printf 'bash: %s%s\n' "${1:+$1: }" "$(gettext PackageKit 'command not found')" 1>&2;
        fi;
    fi;
    return $retval
}

[1] https://fedoraproject.org/wiki/Features/PackageKitCommandNotFound#PackageKit_Command_Not_Found

Thanks,
Sandipan Roy
Associate Product Security Engineer
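An added audit and mitigation example, not code from the mail or from the PackageKit project: it mirrors the five conditions of the handler shown above so an administrator can tell whether a given shell would hand unknown commands to pk-command-not-found, and pairs it with a replacement handler that keeps the "command not found" message but never calls PackageKit. The profile.d filename and the fourth (interactive-override) parameter are assumptions for illustration and testing.

```shell
#!/bin/sh
# Added example, not part of the original mail or the PackageKit package.
# pk_cnf_would_run reports (exit 0) whether a shell would invoke
# pk-command-not-found, using the same checks as the packaged handler.
# Paths default to the F36 package listing; other paths may be passed so
# the checks can run against constructed files. $4 overrides the
# interactive-shell test (1 = interactive, 0 = not); this is an assumption.
pk_cnf_would_run() {
    local dbus_sock pkd pkcnf interactive
    dbus_sock=${1:-/run/dbus/system_bus_socket}
    pkd=${2:-/usr/libexec/packagekitd}
    pkcnf=${3:-/usr/libexec/pk-command-not-found}
    interactive=$4
    if [ -z "$interactive" ]; then
        case $- in *i*) interactive=1 ;; *) interactive=0 ;; esac
    fi
    [ "$interactive" -eq 1 ] || return 1      # non-interactive shells skip the hook
    [ -S "$dbus_sock" ] || return 1           # needs the system D-Bus socket
    [ -x "$pkd" ] || return 1                 # packagekitd must be installed
    [ -z "${COMP_CWORD-}" ] || return 1       # not while tab-completing
    [ -x "$pkcnf" ] || return 1               # the helper itself must be present
    return 0
}

# Replacement handler: same message as the stock one, no PackageKit call.
# Sourcing this from a profile.d file that sorts after PackageKit.sh
# (filename is an assumption, e.g. /etc/profile.d/zz-no-pk-cnf.sh)
# overrides the packaged definition in new shells; removing the package,
# as the mail proposes, has the same effect.
command_not_found_handle() {
    printf 'bash: %s%s\n' "${1:+$1: }" 'command not found' 1>&2
    return 127
}

# Report on the shell this script runs in.
if pk_cnf_would_run; then
    echo "PackageKit command-not-found hook is active in this shell"
else
    echo "PackageKit command-not-found hook is not active in this shell"
fi
```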