From e8c2ac34f90003d6d568612a7ad3faa0366353e8 Mon Sep 17 00:00:00 2001
From: pkgagent
Date: Mon, 22 Jun 2026 11:46:01 +0800
Subject: [PATCH] Update to 1.3.5 (fixes CVE-2026-41651)
---
...gekitd-Use-export_dynamic-explicitly.patch | 28 ----
...eKit-1.3.5-dnf-backend-optional-deps.patch | 88 ++++++++++
PackageKit-1.3.5-idle-timeout-default.patch | 24 +++
...kageKit-1.3.5-remove-password-prompt.patch | 26 ++-
PackageKit.spec | 37 +++--
shutdown-on-idle.patch | 156 ------------------
sources | 2 +-
7 files changed, 145 insertions(+), 216 deletions(-)
delete mode 100644 0001-packagekitd-Use-export_dynamic-explicitly.patch
create mode 100644 PackageKit-1.3.5-dnf-backend-optional-deps.patch
create mode 100644 PackageKit-1.3.5-idle-timeout-default.patch
rename package-remove-password-prompt.patch => PackageKit-1.3.5-remove-password-prompt.patch (50%)
delete mode 100644 shutdown-on-idle.patch
diff --git a/0001-packagekitd-Use-export_dynamic-explicitly.patch b/0001-packagekitd-Use-export_dynamic-explicitly.patch
deleted file mode 100644
index 4a16757..0000000
--- a/0001-packagekitd-Use-export_dynamic-explicitly.patch
+++ /dev/null
@@ -1,28 +0,0 @@ -From 70594bbe7b3c61b7f9fe58cb77ddaeb630e7276f Mon Sep 17 00:00:00 2001 -From: Dominique Leuenberger -Date: Mon, 17 Jul 2023 15:24:14 +0200 -Subject: [PATCH] packagekitd: Use export_dynamic explicitly - -We used to get that implicitly through GModule .pc file defining -Wl,--export-dynamic so that modules could reference symbols in the main executable. - -With newer GLib including glib@11bdd6fc the gmodule .pc file will no longer define this compiler flag in a way that works for us, resulting in errors like: -packagekitd[2394]: Failed to load the backend: opening module zypp failed : /usr/lib64/packagekit-backend/libpk_backend_zypp.so: undefined symbol: pk_backend_job_require_restart ---- - src/meson.build | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/src/meson.build b/src/meson.build -index cae73380e..a47169c2b 100644 ---- a/src/meson.build -+++ b/src/meson.build -@@ -76,6 +76,7 @@ packagekitd_exec = executable( - ], - install: true, - install_dir: get_option('libexecdir'), -+ export_dynamic: true, - c_args: [ - '-DPK_BUILD_DAEMON=1', - '-DG_LOG_DOMAIN="PackageKit"', --- -2.41.0 - diff --git a/PackageKit-1.3.5-dnf-backend-optional-deps.patch b/PackageKit-1.3.5-dnf-backend-optional-deps.patch new file mode 100644 index 0000000..bc438fc --- /dev/null +++ b/PackageKit-1.3.5-dnf-backend-optional-deps.patch 
@@ -0,0 +1,88 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: PkgAgent Robot +Date: Mon, 22 Jun 2026 10:56:00 +0800 +Subject: [PATCH] Make libdnf5 and sdbus-c++ optional in dnf backend + +Adapted-by: PkgAgent/deepseek-v4 (needed for OCS which lacks libdnf5-devel) + +--- + backends/dnf/meson.build | 36 +++++++++++++++++++----------------- + 1 file changed, 19 insertions(+), 17 deletions(-) + +diff --git a/backends/dnf/meson.build b/backends/dnf/meson.build +index 6efde8f..51b8d0e 100644 +--- a/backends/dnf/meson.build ++++ b/backends/dnf/meson.build +@@ -1,10 +1,8 @@ + appstream_dep = dependency('appstream', version: '>=0.14.0') + dnf_dep = dependency('libdnf', version: '>=0.43.1') +-dnf5_dep = dependency('libdnf5') +-libdnf5_version = dnf5_dep.version().split('.') ++dnf5_dep = dependency('libdnf5', required: false) + rpm_dep = dependency('rpm') +-sdbus_cpp_dep = dependency('sdbus-c++') +-sdbus_cpp_version = sdbus_cpp_dep.version().split('.') ++sdbus_cpp_dep = dependency('sdbus-c++', required: false) + c_args = ['-DG_LOG_DOMAIN="PackageKit-DNF"'] + + if meson.get_compiler('c').has_function('hy_query_get_advisory_pkgs', prefix: '#include ', dependencies: dnf_dep) +@@ -24,31 +22,35 @@ install_data( + install_dir: join_paths(python_package_dir), + ) + +-add_languages('cpp', native: false) +-shared_module( +- 'notify_packagekit', +- 'notify_packagekit.cpp', +- cpp_args: [ +- '-std=c++20', +- '-DLIBDNF5_VERSION_MAJOR=' + libdnf5_version[0], +- '-DLIBDNF5_VERSION_MINOR=' + libdnf5_version[1], +- '-DLIBDNF5_VERSION_PATCH=' + libdnf5_version[2], +- '-DSDBUSCPP_VERSION_MAJOR=' + sdbus_cpp_version[0], +- ], +- include_directories: packagekit_glib2_includes, +- dependencies: [ +- dnf5_dep, +- sdbus_cpp_dep, +- ], +- name_prefix: '', +- install: true, +- install_dir: get_option('libdir') / 'libdnf5/plugins/', +-) ++if dnf5_dep.found() and sdbus_cpp_dep.found() ++ libdnf5_version = dnf5_dep.version().split('.') ++ sdbus_cpp_version = 
sdbus_cpp_dep.version().split('.') ++ add_languages('cpp', native: false) ++ shared_module( ++ 'notify_packagekit', ++ 'notify_packagekit.cpp', ++ cpp_args: [ ++ '-std=c++20', ++ '-DLIBDNF5_VERSION_MAJOR=' + libdnf5_version[0], ++ '-DLIBDNF5_VERSION_MINOR=' + libdnf5_version[1], ++ '-DLIBDNF5_VERSION_PATCH=' + libdnf5_version[2], ++ '-DSDBUSCPP_VERSION_MAJOR=' + sdbus_cpp_version[0], ++ ], ++ include_directories: packagekit_glib2_includes, ++ dependencies: [ ++ dnf5_dep, ++ sdbus_cpp_dep, ++ ], ++ name_prefix: '', ++ install: true, ++ install_dir: get_option('libdir') / 'libdnf5/plugins/', ++ ) + +-install_data( +- 'notify_packagekit.conf', +- install_dir: get_option('sysconfdir') / 'dnf/libdnf5-plugins/' +-) ++ install_data( ++ 'notify_packagekit.conf', ++ install_dir: get_option('sysconfdir') / 'dnf/libdnf5-plugins/' ++ ) ++endif + + shared_module( + 'pk_backend_dnf', diff --git a/PackageKit-1.3.5-idle-timeout-default.patch b/PackageKit-1.3.5-idle-timeout-default.patch new file mode 100644 index 0000000..ff827e4 --- /dev/null +++ b/PackageKit-1.3.5-idle-timeout-default.patch @@ -0,0 +1,24 @@ +From f42096ff2427a758eda9de2e3046714167a38c95 Mon Sep 17 00:00:00 2001 +From: Russell Haley +Date: Mon, 12 Sep 2022 12:36:10 -0500 +Subject: [PATCH] Revert "Revert "Shutdown the daemon on idle by default"" + +Adapted-by: PkgAgent/deepseek-v4 (modified to adapt to opencloudos-stream PackageKit 1.3.5) + +--- + src/pk-main.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/pk-main.c b/src/pk-main.c +index 7642692..b4b48e5 100644 +--- a/src/pk-main.c ++++ b/src/pk-main.c +@@ -198,6 +198,8 @@ main (int argc, char *argv[]) + exit_idle_time = 300; + g_clear_error (&error); + } ++ if (exit_idle_time == 0) ++ exit_idle_time = 300; + if (exit_idle_time > 0) + g_debug ("daemon shutdown set to %i seconds", exit_idle_time); + else 
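Review bot: With `required: false` on both `libdnf5` and `sdbus-c++`, the new `if dnf5_dep.found() and sdbus_cpp_dep.found()` block drops the notify_packagekit module and its `notify_packagekit.conf` with no build-time signal, so a build root that unexpectedly lacks either dependency yields a different package and nobody notices. Add an explicit branch before `endif`, e.g. `else` followed by `warning('libdnf5 or sdbus-c++ not found: notify_packagekit plugin disabled')`, or gate the block on a meson feature option so the spec states the choice. The inner header `From 0000000000000000000000000000000000000000` and the `Adapted-by:` trailer indicate a downstream-generated change rather than an upstream commit; the description should say that plainly and state what is lost when the plugin is absent (presumably packagekitd is no longer told about dnf5 transactions; confirm).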
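Review bot: The added `if (exit_idle_time == 0) exit_idle_time = 300;` in main() means a configured value of 0 can no longer reach the `else` branch that follows `if (exit_idle_time > 0)`, and nothing in the adapted patch documents that an administrator cannot use 0 to turn the idle shutdown off. The replaced shutdown-on-idle.patch carried a comment and description explaining why the default must stay (Red Hat bugzilla #1354074, daemon memory growth); this version drops both. Restore the reason above the check, e.g. `/* Keep a default idle timeout; see Red Hat bugzilla #1354074 before removing. */`. The old patch file also held the `helper.timer_id = 0` initialisation and the dnf notify plugin, so the description should state that 1.3.5 already contains them, which cannot be confirmed from this hunk. main() starts and ends outside the hunk.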
diff --git a/package-remove-password-prompt.patch b/PackageKit-1.3.5-remove-password-prompt.patch similarity index 50% rename from package-remove-password-prompt.patch rename to PackageKit-1.3.5-remove-password-prompt.patch index 3cda368..871f53e 100644 --- a/package-remove-password-prompt.patch +++ b/PackageKit-1.3.5-remove-password-prompt.patch @@ -7,26 +7,24 @@ A local, active admin user can install packages without a password prompt, but has to enter the admin password to remove packages. This doesn't make much sense. It should be parallel. -Note that this change has no effect on what users are able to do, -because it only applies to admin users. The password only protects -against unlocked workstation attackers, where an attacker gains physical -access to an unlocked desktop. It's pretty weird to prevent such an -attacker from removing software, but allow installing new stuff. +Adapted-by: PkgAgent/deepseek-v4 (modified to adapt to opencloudos-stream PackageKit 1.3.5) -https://pagure.io/fedora-workstation/issue/233 --- - policy/org.freedesktop.packagekit.rules | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) + policy/org.freedesktop.packagekit.rules | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/policy/org.freedesktop.packagekit.rules b/policy/org.freedesktop.packagekit.rules -index 6a1c8a701..95d21925f 100644 +index fd8374f..6caa639 100644 --- a/policy/org.freedesktop.packagekit.rules 
+++ b/policy/org.freedesktop.packagekit.rules -@@ -1,5 +1,6 @@ +@@ -4,7 +4,9 @@ polkit.addRule(function(action, subject) { -- if (action.id == "org.freedesktop.packagekit.package-install" && -+ if ((action.id == "org.freedesktop.packagekit.package-install" || + if ((action.id == "org.freedesktop.packagekit.system-update" || + action.id == "org.freedesktop.packagekit.trigger-offline-update" || +- action.id == "org.freedesktop.packagekit.trigger-offline-upgrade") && ++ action.id == "org.freedesktop.packagekit.trigger-offline-upgrade" || ++ action.id == "org.freedesktop.packagekit.package-install" || + action.id == "org.freedesktop.packagekit.package-remove") && - subject.active == true && subject.local == true && - subject.isInGroup("wheel")) { + subject.active == true && subject.local == true && + (subject.isInGroup("wheel") || subject.isInGroup("sudo"))) { return polkit.Result.YES; diff --git a/PackageKit.spec b/PackageKit.spec index eb8f2cc..c540ea6 100644 --- a/PackageKit.spec +++ b/PackageKit.spec 
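Review bot: The rewritten inner hunk adds both `package-install` and `package-remove` to the rule that returns `polkit.Result.YES` for `subject.isInGroup("wheel") || subject.isInGroup("sudo")`, yet the patch description still says install is already passwordless and only remove is being aligned. Judging by the context lines, the 1.3.5 rule covers only `system-update`, `trigger-offline-update` and `trigger-offline-upgrade`, so this patch now grants unauthenticated install and removal to any local active session of a wheel or sudo member, which is a wider grant than the description justifies. The commit also deletes the threat-model paragraph and the upstream issue link from the description, which were the only record of why the relaxation is acceptable. Restore that rationale and correct the first paragraph, or narrow the patch to what the distribution policy approves, and mention the policy change in the spec changelog, which currently lists only the version update.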
@@ -3,19 +3,19 @@ Summary: Package management service Name: PackageKit -Version: 1.2.6 -Release: 3%{?dist} +Version: 1.3.5 +Release: 1%{?dist} License: GPL-2.0-or-later AND LGPL-2.1-or-later URL: http://www.freedesktop.org/software/PackageKit/ -Source0: http://www.freedesktop.org/software/PackageKit/releases/%{name}-%{version}.tar.xz -Patch3000: package-remove-password-prompt.patch -Patch3001: shutdown-on-idle.patch -Patch3002: 0001-packagekitd-Use-export_dynamic-explicitly.patch +Source0: https://github.com/PackageKit/PackageKit/archive/refs/tags/v%{version}.tar.gz +Patch3000: PackageKit-1.3.5-remove-password-prompt.patch +Patch3001: PackageKit-1.3.5-idle-timeout-default.patch +Patch3002: PackageKit-1.3.5-dnf-backend-optional-deps.patch -BuildRequires: glib2-devel >= %{glib2_version}, xmlto, gtk-doc, sqlite-devel, polkit-devel >= 0.92 +BuildRequires: glib2-devel >= %{glib2_version}, xmlto, gtk-doc, sqlite-devel, polkit-devel >= 0.92, jansson-devel >= 2.8 BuildRequires: gtk3-devel, docbook-utils, meson, gettext, vala, gstreamer1-devel BuildRequires: gstreamer1-plugins-base-devel, pango-devel, fontconfig-devel, libappstream-glib-devel -BuildRequires: libdnf-devel >= %{libdnf_version}, systemd, systemd-devel, gobject-introspection-devel +BuildRequires: libdnf-devel >= %{libdnf_version}, appstream-devel, systemd, systemd-devel, gobject-introspection-devel BuildRequires: bash-completion, python3-devel Requires: %{name}-glib = %{version}-%{release} @@ -88,7 +88,8 @@ using PackageKit. %build %meson \ - -Dgtk_doc=true \ + -Dgtk_doc=false \ + -Dman_pages=false \ -Dpython_backend=false \ -Dpackaging_backend=dnf \ -Dlocal_checkout=false @@ -115,7 +116,7 @@ systemctl disable packagekit-offline-update.service > /dev/null 2>&1 || : %files -f %{name}.lang %license COPYING -%doc README AUTHORS NEWS +%doc README.md AUTHORS NEWS %dir %{_datadir}/PackageKit %dir %{_sysconfdir}/PackageKit %dir %{_localstatedir}/lib/PackageKit 
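Review bot: `Source0` now points at GitHub's auto-generated tag archive, so the tarball is stored as `v1.3.5.tar.gz` (as the `sources` entry shows), a generic name that does not identify the package and can collide in a shared lookaside cache. Use `Source0: https://github.com/PackageKit/PackageKit/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz` and regenerate `sources` under that name. Because the archive carries no signature, the SHA512 in `sources` is the only integrity anchor for this security update; the commit should record how that hash was checked against the upstream tag. As a style point, the patch file names hard-code `1.3.5` while `Version` is a macro, so the next bump will require renames.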
@@ -126,9 +127,8 @@ systemctl disable packagekit-offline-update.service > /dev/null 2>&1 || : %dir %{_libdir}/packagekit-backend %config(noreplace) %{_sysconfdir}/PackageKit/PackageKit.conf %config(noreplace) %{_sysconfdir}/PackageKit/Vendor.conf -%config %{_sysconfdir}/dbus-1/system.d/* -%{_bindir}/pkmon -%{_bindir}/pkcon +%{_datadir}/dbus-1/system.d/org.freedesktop.PackageKit.conf +%{_bindir}/pkgcli %exclude %{_libdir}/libpackagekit*.so.* %{_libdir}/packagekit-backend/libpk_backend_dummy.so %{_libdir}/packagekit-backend/libpk_backend_dnf.so @@ -136,16 +136,16 @@ systemctl disable packagekit-offline-update.service > /dev/null 2>&1 || : %{_libexecdir}/packagekitd %{_libexecdir}/packagekit-direct %{_libexecdir}/pk-*offline-update +%{_libexecdir}/packagekit-dnf-refresh-repo %ghost %verify(not md5 size mtime) %attr(0644,-,-) %{_localstatedir}/lib/PackageKit/transactions.db -%{_datadir}/bash-completion/completions/pkcon -%{_datadir}/man/man1/pkcon.1* -%{_datadir}/man/man1/pkmon.1* +%{_datadir}/bash-completion/completions/pkgcli %{_datadir}/polkit-1/actions/*.policy %{_datadir}/polkit-1/rules.d/* %{_datadir}/PackageKit/pk-upgrade-distro.sh %{_datadir}/PackageKit/helpers/test_spawn/search-name.sh %{_datadir}/dbus-1/system-services/*.service %{_datadir}/dbus-1/interfaces/*.xml +%{_datadir}/metainfo/org.freedesktop.packagekit.metainfo.xml %{_unitdir}/packagekit-offline-update.service %{_unitdir}/packagekit.service %{_unitdir}/system-update.target.wants/ @@ -179,11 +179,14 @@ systemctl disable packagekit-offline-update.service > /dev/null 2>&1 || : %{_libdir}/libpackagekit-glib2.so %{_libdir}/pkgconfig/packagekit-glib2.pc %{_datadir}/gir-1.0/PackageKitGlib-1.0.gir -%{_datadir}/gtk-doc/html/PackageKit %{_datadir}/vala/vapi/packagekit-glib2.vapi %{_datadir}/vala/vapi/packagekit-glib2.deps %changelog +* Mon Jun 22 2026 PkgAgent Robot - 1.3.5-1 +- [Type] security +- [DESC] Update to 1.3.5 (fixes CVE-2026-41651) + * Wed Jun 11 2025 bbrucezhang - 1.2.6-3 - Rebuilt for loongarch64 
diff --git a/shutdown-on-idle.patch b/shutdown-on-idle.patch
deleted file mode 100644
index ec18922..0000000
--- a/shutdown-on-idle.patch
+++ /dev/null
@@ -1,156 +0,0 @@ -From f42096ff2427a758eda9de2e3046714167a38c95 Mon Sep 17 00:00:00 2001 -From: Russell Haley -Date: Mon, 12 Sep 2022 12:36:10 -0500 -Subject: [PATCH] Revert "Revert "Shutdown the daemon on idle by default"" - -This reverts commit dca1f5b2508a4632d0b9fefab771a5a9caf83a5c. - -Which reverted commit 0c84d71509e851db20445c747529bd7d3724f081, -which reverted commit c6eb3555ec5b41e988c111d276764d55fb83bda3. - -Fixes #460. - -The memory usage of packagekitd has been observed growing well beyond -half a GiB. See: - -https://bugzilla.redhat.com/show_bug.cgi?id=1354074 -https://bugzilla.redhat.com/show_bug.cgi?id=1854875 -https://bugzilla.redhat.com/show_bug.cgi?id=1896964 - -As I understand it, this timeout causes some slightly surprising -behavior when users mix command line dnf upgades with GUI PackageKit -upgrades, and do not manually run an update check before rebooting for -update. But that is an edge case, and the price of not having it is too -high. ---- - src/pk-main.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/src/pk-main.c b/src/pk-main.c -index d372a7456..1de9a1390 100644 ---- a/src/pk-main.c -+++ b/src/pk-main.c -@@ -183,6 +183,11 @@ main (int argc, char *argv[]) - - /* after how long do we timeout? */ - exit_idle_time = g_key_file_get_integer (conf, "Daemon", "ShutdownTimeout", NULL); -+ /* THIS COMMENT IS A TSUNAMI STONE -+ * Before removing the default timeout, please study the git history and -+ * be sure that you are not regressing Redhat bugzilla #1354074 (again). */ -+ if (exit_idle_time == 0) -+ exit_idle_time = 300; - g_debug ("daemon shutdown set to %i seconds", exit_idle_time); - - /* override the backend name */ - -From ba378b8510133bbad081aebd15cfe2ae74fe1e8a Mon Sep 17 00:00:00 2001 -From: Gordon Messmer -Date: Sun, 15 Jan 2023 15:17:45 -0800 -Subject: [PATCH] valgrind warns that a conditional depends on an uninitialized - value. 
- ---- - src/pk-main.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/src/pk-main.c b/src/pk-main.c -index d372a7456..43727d206 100644 ---- a/src/pk-main.c -+++ b/src/pk-main.c -@@ -241,6 +241,8 @@ main (int argc, char *argv[]) - helper.loop = loop; - helper.timer_id = g_timeout_add_seconds (5, (GSourceFunc) pk_main_timeout_check_cb, &helper); - g_source_set_name_by_id (helper.timer_id, "[PkMain] main poll"); -+ } else { -+ helper.timer_id = 0; - } - - /* immediatly exit */ - -From 8c22a0e2f3caf7df8728eec0dbf04d9c3c69f32e Mon Sep 17 00:00:00 2001 -From: Gordon Messmer -Date: Tue, 17 Jan 2023 08:45:16 -0800 -Subject: [PATCH] Notify PackageKit when dnf installs or removes packages. - ---- - backends/dnf/meson.build | 13 +++++++++ - backends/dnf/notify_packagekit.py | 45 +++++++++++++++++++++++++++++++ - contrib/PackageKit.spec.in | 2 ++ - 3 files changed, 60 insertions(+) - create mode 100644 backends/dnf/notify_packagekit.py - -diff --git a/backends/dnf/meson.build b/backends/dnf/meson.build -index ac75a1b6c..09718baf1 100644 ---- a/backends/dnf/meson.build -+++ b/backends/dnf/meson.build -@@ -7,6 +7,19 @@ if meson.get_compiler('c').has_function('hy_query_get_advisory_pkgs', prefix: '# - c_args += ['-DHAVE_HY_QUERY_GET_ADVISORY_PKGS'] - endif - -+python = import('python') -+python_exec = python.find_installation() -+python_package_dir = get_option('pythonpackagedir') -+if python_package_dir == '' -+ python_package_dir = python_exec.get_install_dir() -+endif -+python_package_dir = join_paths(python_package_dir, 'dnf-plugins') -+ -+install_data( -+ 'notify_packagekit.py', -+ install_dir: join_paths(python_package_dir), -+) -+ - shared_module( - 'pk_backend_dnf', - 'dnf-backend-vendor-@0@.c'.format(get_option('dnf_vendor')), -diff --git a/backends/dnf/notify_packagekit.py b/backends/dnf/notify_packagekit.py -new file mode 100644 -index 000000000..3be1fadd8 ---- /dev/null -+++ b/backends/dnf/notify_packagekit.py -@@ -0,0 +1,45 @@ -+# -*- coding: utf-8 -*- -+# 
-+# Copyright (C) 2022 Gordon Messmer -+# -+# Licensed under the GNU Lesser General Public License Version 2.1 -+# -+# This library is free software; you can redistribute it and/or -+# modify it under the terms of the GNU Lesser General Public -+# License as published by the Free Software Foundation; either -+# version 2.1 of the License, or (at your option) any later version. -+# -+# This library is distributed in the hope that it will be useful, -+# but WITHOUT ANY WARRANTY; without even the implied warranty of -+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+# Lesser General Public License for more details. -+# -+# You should have received a copy of the GNU Lesser General Public -+# License along with this library; if not, write to the Free Software -+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA -+ -+""" -+Notify packagekitd when packages are installed, updated, or removed. -+""" -+ -+import dbus -+import dnf -+from dnfpluginscore import _ -+ -+ -+class NotifyPackagekit(dnf.Plugin): -+ name = "notify-packagekit" -+ -+ def __init__(self, base, cli): -+ super(NotifyPackagekit, self).__init__(base, cli) -+ self.base = base -+ self.cli = cli -+ -+ def transaction(self): -+ try: -+ bus = dbus.SystemBus() -+ proxy = bus.get_object('org.freedesktop.PackageKit', '/org/freedesktop/PackageKit') -+ iface = dbus.Interface(proxy, dbus_interface='org.freedesktop.PackageKit') -+ iface.StateHasChanged('posttrans') -+ except: -+ pass diff --git a/sources b/sources index 7438167..8b841a8 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (PackageKit-1.2.6.tar.xz) = 0861c539e4427f0b5104dc54a9c9cd6c9311d245732290864dd602a0c5959fce028553c8f8ed38f5fd826e32b31c765710c76e282450b6590af0c49116f29bae +SHA512 (v1.3.5.tar.gz) = 28cde8449a0642537fe301e66a41122846d039f13230f0034e7d265656b982a5da66d12809a4835d344952283f1176431c2759d7ffbf7e724fe30f9b0c821ec0 -- Gitee