Msatdt

**Name of the Vulnerable Software and Affected Versions** PackageKit versions 1.0.2 through 1.3.4 **Description** PackageKit, a D-Bus abstraction layer for secure package management across distributions, contains a time-of-check time-of-use (TOCTOU) race condition involving transaction flags. This flaw allows a local unprivileged user to bypass authorization controls and install arbitrary RPM packages, including the execution of RPM scriptlets, as root, leading to local privilege escalation. The issue, dubbed Pack2TheRoot, stems from three bugs in `src/pk-transaction.c`: 1. The `InstallFiles()` function unconditionally overwrites `transaction->cached transaction flags` with caller-supplied flags without verifying if the transaction is already authorized or running. 2. The `pk transaction set state()` function silently rejects backward state transitions (such as `RUNNING` to `WAITING FOR AUTH`), allowing the transaction to proceed with corrupted flags. 3. The scheduler's idle callback reads `transaction->cached transaction flags` at the time of dispatch rather than at the time of authorization. Exploitation can be triggered via the `pkcon install` command, which may execute without proper authentication under certain conditions, potentially causing an assertion failure and crash in the PackageKit daemon that bypasses security checks. **Recommendations** Update PackageKit to version 1.3.5. As a temporary workaround, restrict access to the `pkcon install` command for unprivileged users to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Kanboard versions prior to 1.2.43 **Description** Kanboard is project management software that focuses on the Kanban methodology. In affected versions, sessions are still usable even though their lifetime has exceeded. Kanboard implements a custom session handler (`app/Core/Session/SessionHandler.php`), to store the session data in a database. When a `session id` is given, Kanboard queries the data from the `sessions` SQL table. However, it does not correctly verify if a given `session id` has already exceeded its lifetime (`expires at`). Thus, a session whose lifetime is already `> time()`, is still queried from the database and hence a valid login. The implemented `SessionHandlerInterface::gc` function, which removes invalid sessions, is called only with a certain probability, based on `session.gc divisor`, `session.gc probability`, and `session.gc maxlifetime` settings. In the official Kanboard Docker image, these values default to: `session.gc probability=1`, `session.gc divisor=1000`. Thus, an expired session is only terminated with a probability of 1/1000. **Recommendations** To resolve the issue, update to version 1.2.43 or later. As a temporary workaround, consider adjusting the `session.gc probability` and `session.gc divisor` settings to increase the likelihood of expired sessions being terminated. Restrict access to the `app/Core/Session/SessionHandler.php` module to minimize the risk of exploitation. Avoid using the `session id` parameter in the affected API endpoint until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: Kanboard versions prior to 1.2.42 Description: The issue is related to incorrect restriction of a directory path with limited access in Kanboard project management software. This can allow a remote attacker to read and delete arbitrary files from the server. An authenticated Kanboard admin can exploit this by uploading a modified SQLite database through a dedicated feature, setting arbitrary file links by abusing path traversals, and triggering a file download. This allows the attacker to download all files readable in the context of the Kanboard application permissions. Recommendations: For versions prior to 1.2.42, update to version 1.2.42 to fix the issue. As a temporary workaround, consider restricting access to the `project has files` SQLite database and the file upload feature to minimize the risk of exploitation. Avoid using the `path` entry in the `project has files` SQLite database until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: Kanboard versions prior to 1.2.42 Description: The issue concerns the Kanboard project management software, which focuses on the Kanban methodology. An authenticated Kanboard admin can execute arbitrary PHP code on the server due to a path traversal vulnerability. This can be achieved by uploading a modified sqlite.db file, which allows an attacker to control the filepath loaded by the application. The attacker must be able to place a file called `translations.php` on the system, potentially through an anonymous FTP server or another application that allows file uploads. Once the file is in place, the attacker can craft a sqlite db settings file that uses path traversal to point to the directory where the `translations.php` file is stored, ultimately gaining code execution after importing the crafted sqlite.db. Recommendations: For versions prior to 1.2.42, upgrade to version 1.2.42 to mitigate the risk of exploitation. As a temporary workaround, consider restricting access to the `translations.php` file and disabling any features that allow uploading files to the system until the upgrade is applied. Avoid using the `application language` setting in the `settings` table to load user interface languages from untrusted sources.