Fluid Attacks Database

Description

PackageKit's apt backend mistakenly treated all local debs as trusted. The apt security model is based on repository trust and not on the contents of individual files. On sites with configured PolicyKit rules this may allow users to install malicious packages.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	packagekit	>=0 <1.2.1-1	1.2.1-1
debian 12	packagekit	>=0 <1.2.1-1	1.2.1-1
debian 13	packagekit	>=0 <1.2.1-1	1.2.1-1
debian 14	packagekit	>=0 <1.2.1-1	1.2.1-1

Aliases

1. CVE-2020-161222. NVD-2020-161223. OSV-DEBIAN-2020-161224. OSV-2020-161225. SECURITY-TRACKER-CVE-2020-16122

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.