PublicDateAtUSN: 2020-06-13 01:14:00 UTC
Candidate: CVE-2020-16122
PublicDate: 2020-11-07 04:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16122
 https://ubuntu.com/security/notices/USN-4538-1
Description:
 PackageKit's apt backend mistakenly treated all local debs as trusted. The
 apt security model is based on repository trust and not on the contents of
 individual files. On sites with configured PolicyKit rules this may allow
 users to install malicious packages.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
 https://bugs.launchpad.net/ubuntu/+source/packagekit/+bug/1882098
Priority: medium
Discovered-by: Sami Niemimäki
Assigned-to: mdeslaur
CVSS:
 nvd: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H [7.8 HIGH]


Patches_packagekit:
upstream_packagekit: needs-triage
precise/esm_packagekit: DNE
trusty_packagekit: ignored (out of standard support)
trusty/esm_packagekit: DNE
xenial_packagekit: released (0.8.17-4ubuntu6~gcc5.4ubuntu1.5)
esm-infra/xenial_packagekit: released (0.8.17-4ubuntu6~gcc5.4ubuntu1.5)
bionic_packagekit: released (1.1.9-1ubuntu2.18.04.6)
focal_packagekit: released (1.1.13-2ubuntu1.1)
devel_packagekit: released (1.1.13-2ubuntu2)