[packagekit] Using old insecure libraries

Richard Hughes hughsient at gmail.com
Fri Jul 10 08:37:01 PDT 2009


Say for instance that a remote denial of service was found in the
libgphoto2 library. Distros would rush to patch the flaw, and push
updates to repositories, and in an ideal world users would have the
updates automatically installed using PackageKit later that day. Then
we all feel better, and move on to the next problem.

Except we can't, as any application that was opened before the
automatic update was done is still using the old version of the
library. This means that until the processes are restarted, the
machine is still exploitable. For a session process you could probably
just log out and back in, but for system stuff you would need to
instruct the user to do a reboot. There's no way a gphoto update could
trigger "unrelated" packages such as totem or nautilus to be
restarted.

So, how do we detect this and deal with this situation? Well, when the
session does:

UpdatePackages(gphoto2)

the packagekitd daemon can actually do (pseudo code, would actually be
in C, and in the PkPostTrans class):

# get affected shared libraries
affected_files = []
updates = GetUpdates()
for each update in updates:
  if package matches gphoto2:
    if a security update:
      files = GetFiles(update)
      for file in files:
        if file not in affected_files:
          add file to affected_files

# get affected pids
affected_pids = []
for file in affected_files:
  if prefix(/lib) or prefix(/usr/lib):
    if suffix(.so*):
      # fuser without -m: only processes that have this file open or mapped,
      # not every process touching the filesystem the file lives on
      pids = fuser file
      for pid in pids:
        if pid not in affected_pids:
          add pid to affected_pids

# send restart required for the correct package and type
for pid in affected_pids:
  uid = get_uid_for_pid(pid)
  exe = get_exe_for_pid(pid)
  package = SearchFile(exe)
  if (uid < 500)
    ::RestartRequired(system, package)
  else
    ::RestartRequired(session, package)

# actually do the update
UpdatePackages(gphoto2)

Now, this works well when we are just using PackageKit to update the
system. If we go behind PackageKit's back, and do an apt-get upgrade or
a yum update, this code isn't going to be run. In this case we could
play with the output of "lsof +XL -F nf" and search for the DEL
entries, although I'm not sure where in the system this would fit, or
if this is a good idea.
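As an added sketch of that lsof fallback (not from the original post or from PackageKit), the Python below parses the field output of `lsof +XL -F nfu` (the `u` field is added so the uid is available for the same system/session split as the pseudo code), keeps only DEL entries that pass the /lib, /usr/lib and .so* filter, and groups them by pid. The sample output embedded at the bottom is constructed, not captured from a real machine.

```python
LIB_PREFIXES = ("/lib", "/usr/lib")
SYSTEM_UID_MAX = 500  # same split as the pseudo code: uid < 500 is a system process

def is_shared_lib(path):
    """Same filter as the pseudo code: under /lib or /usr/lib and a .so* file."""
    return path.startswith(LIB_PREFIXES) and ".so" in path.rsplit("/", 1)[-1]

def parse_lsof_del(output):
    """Parse `lsof +XL -F nfu` output into {pid: (uid, [replaced libraries])}.
    Records are 'p<pid>', 'u<uid>', then 'f<fd>'/'n<name>' pairs; on Linux a
    mapped file that was deleted or replaced on disk has fd 'DEL'."""
    result = {}
    pid = uid = fd = None
    for line in filter(None, output.splitlines()):
        tag, value = line[0], line[1:]
        if tag == "p":
            pid, uid, fd = int(value), None, None
        elif tag == "u":
            uid = int(value)
        elif tag == "f":
            fd = value
        elif tag == "n" and fd == "DEL" and is_shared_lib(value):
            _, libs = result.setdefault(pid, (uid, []))  # dedupe like affected_pids
            if value not in libs:
                libs.append(value)
    return result

def restart_type(uid):
    return "system" if uid < SYSTEM_UID_MAX else "session"

# Constructed sample: a session process and a root daemon still mapping the old libgphoto2
SAMPLE = """p1234
u1000
fDEL
n/usr/lib64/libgphoto2.so.6.0.0
fmem
n/lib64/libc-2.10.so
p567
u0
fDEL
n/usr/lib64/libgphoto2_port.so.0.8.0
fDEL
n/var/cache/foo.db
"""

if __name__ == "__main__":  # live: subprocess.check_output(["lsof", "+XL", "-F", "nfu"], text=True)
    for pid, (uid, libs) in parse_lsof_del(SAMPLE).items():
        print(pid, restart_type(uid), libs)
```

The mapping from pid to exe and package (get_exe_for_pid and SearchFile in the pseudo code) is left out here; /proc/<pid>/exe plus PackageKit's SearchFile would supply it on a live system.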

I do think we need something to detect the shared library restarts,
especially on corporate or secure desktops.

Comments and feedback welcome.

Richard.
