CVE-2020-16122

Summary

PackageKit's apt backend mistakenly treated all local debs as trusted. The apt security model is based on repository trust and not on the contents of individual files. On sites with configured PolicyKit rules this may allow users to install malicious packages.

Affected Software

VendorProductVersion RangeStatus
PackageKitpackagekit1.1.13-2ubuntu < 1.1.13-2ubuntu1.1affected
PackageKitpackagekit1.1.9-1ubuntu < 1.1.9-1ubuntu2.18.04.6affected
PackageKitpackagekit0.8.17-4ubuntu < 0.8.17-4ubuntu6~gcc5.4ubuntu1.5affected

Weaknesses

  • CWE-269: CWE-269 Improper Privilege Management

ADP Enrichment

CVE Program Container

Additional References

References