!13 [sync] PR-8: fix CVE-2020-16121

From: @openeuler-sync-bot
Reviewed-by: @small_leek
Signed-off-by: @small_leek

0001-Do-not-trigger-an-inotity-event-when-the-AppStream-X.patch

@@ -0,0 +1,33 @@
+From f3398f8e48203246d6346b5c7c4ec5ea065181e6 Mon Sep 17 00:00:00 2001
+From: Richard Hughes <richard@hughsie.com>
+Date: Fri, 19 Jul 2019 15:01:49 +0100
+Subject: [PATCH] Do not trigger an inotity event when the AppStream XML data
+ is unchanged
+
+We already call dnf_utils_refresh_repo_appstream() on startup, but only as
+required. Remove the unconditional copy to speed up gnome-software startup.
+---
+ backends/dnf/pk-backend-dnf.c | 7 -------
+ 1 file changed, 7 deletions(-)
+
+diff --git a/backends/dnf/pk-backend-dnf.c b/backends/dnf/pk-backend-dnf.c
+index 779896c2d..503a6eb0a 100644
+--- a/backends/dnf/pk-backend-dnf.c
++++ b/backends/dnf/pk-backend-dnf.c
+@@ -565,13 +565,6 @@ dnf_utils_add_remote (PkBackendJob *job,
+ 	if (!ret)
+ 		return FALSE;
+ 
+-	/* update the AppStream copies in /var */
+-	for (guint i = 0; i < repos->len; i++) {
+-		DnfRepo *repo = g_ptr_array_index (repos, i);
+-		if (!dnf_utils_refresh_repo_appstream (repo, error))
+-			return FALSE;
+-	}
+-
+ 	/* done */
+ 	if (!dnf_state_done (state, error))
+ 		return FALSE;
+-- 
+2.21.0
+

0001-PackageKit-modify-support-URL.patch

@@ -0,0 +1,58 @@
+From 53dcc7b20c66408c6d2e6fe8b9b56eb974e7f5df Mon Sep 17 00:00:00 2001
+From: Buildteam <buildteam@openeuler.org>
+Date: Sun, 29 Dec 2019 16:10:20 +0800
+Subject: [PATCH] PackageKit: modify support URL
+
+Signed-off-by: Buildteam <buildteam@openeuler.org>
+---
+ etc/Vendor.conf | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/etc/Vendor.conf b/etc/Vendor.conf
+index 8db873b..ec48908 100644
+--- a/etc/Vendor.conf
++++ b/etc/Vendor.conf
+@@ -12,7 +12,7 @@
+ # If the value is set to 'none' then no link is shown.
+ #
+ # default=http://www.packagekit.org/pk-package-not-found.html
+-DefaultUrl=http://www.packagekit.org/pk-package-not-found.html
++DefaultUrl=https://gitee.com/openeuler/community/issues
+ 
+ # The URL which is shown to the user when a codec could not be found.
+ # It should explain why certain codecs cannot be used, and perhaps show
+@@ -21,7 +21,7 @@ DefaultUrl=http://www.packagekit.org/pk-package-not-found.html
+ # If the value is set to 'none' then the value of DefaultUrl is used.
+ #
+ # default=none
+-CodecUrl=none
++CodecUrl=https://gitee.com/openeuler/community/issues
+ 
+ # The URL which is shown to the user when hardware drivers could not be found.
+ # It should explain why some hardware is not supported, and links to futher
+@@ -30,7 +30,7 @@ CodecUrl=none
+ # If the value is set to 'none' then the value of DefaultUrl is used.
+ #
+ # default=none
+-HardwareUrl=none
++HardwareUrl=https://gitee.com/openeuler/community/issues
+ 
+ # The URL which is shown to the user when fonts could not be found.
+ # Alternatives should probably be suggested where possible.
+@@ -38,7 +38,7 @@ HardwareUrl=none
+ # If the value is set to 'none' then the value of DefaultUrl is used.
+ #
+ # default=none
+-FontUrl=none
++FontUrl=https://gitee.com/openeuler/community/issues
+ 
+ # The URL which is shown to the user when programs handing a mime tpye could not
+ # be found. It should probably explain how to use wine if the program is a
+@@ -47,4 +47,4 @@ FontUrl=none
+ # If the value is set to 'none' then the value of DefaultUrl is used.
+ #
+ # default=none
+-MimeUrl=none
++MimeUrl=https://gitee.com/openeuler/community/issues
+-- 
+1.8.3.1

0001-dnf-Don-t-override-DnfContext-s-release_ver-for-the-.patch

@@ -0,0 +1,45 @@
+From be075445cafd370abf1ad3e6e85f2baebef056cb Mon Sep 17 00:00:00 2001
+From: Kalev Lember <klember@redhat.com>
+Date: Wed, 30 Jan 2019 15:37:21 +0100
+Subject: [PATCH] dnf: Don't override DnfContext's release_ver for the running
+ system
+
+Only override release_ver for the system upgrade DnfContext and leave it
+at the default value for the default context. This makes
+dnf_context_setup() automatically figure out the release_ver based on
+the running system: it looks at various provides in rpmdb and finally
+falls back to VERSION_ID from /etc/os-release.
+
+The goal here is to make it possible to adjust the value that gets
+passed to librepo by changing system-release(releasever) provides in
+fedora-release (which DnfContext correctly handles if we leave the
+release_ver set to the default value).
+
+https://pagure.io/releng/issue/7445
+---
+ backends/dnf/pk-backend-dnf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/backends/dnf/pk-backend-dnf.c b/backends/dnf/pk-backend-dnf.c
+index 47e565915..779896c2d 100644
+--- a/backends/dnf/pk-backend-dnf.c
++++ b/backends/dnf/pk-backend-dnf.c
+@@ -156,7 +156,6 @@ pk_backend_setup_dnf_context (DnfContext *context, GKeyFile *conf, const gchar *
+ 	dnf_context_set_repo_dir (context, repo_dir);
+ 	lock_dir = g_build_filename (destdir, "/var/run", NULL);
+ 	dnf_context_set_lock_dir (context, lock_dir);
+-	dnf_context_set_release_ver (context, release_ver);
+ 	dnf_context_set_rpm_verbosity (context, "info");
+ 
+ 	/* use this initial data if repos are not present */
+@@ -3401,6 +3400,7 @@ pk_backend_upgrade_system_thread (PkBackendJob *job, GVariant *params, gpointer
+ 		g_autoptr(DnfContext) context = NULL;
+ 
+ 		context = dnf_context_new ();
++		dnf_context_set_release_ver (context, release_ver);
+ 		ret = pk_backend_setup_dnf_context (context, priv->conf, release_ver, &error);
+ 		if (!ret) {
+ 			g_debug ("failed to setup context: %s", error->message);
+-- 
+2.21.0
+

0001-dnf-Invalidate-the-sack-cache-after-downloading-new-.patch

@@ -0,0 +1,38 @@
+From cdbd27d699b51e37c533d07abd2f1ab26e11355c Mon Sep 17 00:00:00 2001
+From: Kalev Lember <klember@redhat.com>
+Date: Tue, 18 Dec 2018 01:02:27 +0100
+Subject: [PATCH] dnf: Invalidate the sack cache after downloading new metadata
+
+This fixes first resolve() after refresh() to correctly return the new
+data.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1642878
+---
+ backends/dnf/pk-backend-dnf.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/backends/dnf/pk-backend-dnf.c b/backends/dnf/pk-backend-dnf.c
+index 5961f1258..47e565915 100644
+--- a/backends/dnf/pk-backend-dnf.c
++++ b/backends/dnf/pk-backend-dnf.c
+@@ -1568,6 +1568,7 @@ pk_backend_refresh_cache_thread (PkBackendJob *job,
+ 				 gpointer user_data)
+ {
+ 	PkBackendDnfJobData *job_data = pk_backend_job_get_user_data (job);
++	PkBackend *backend = pk_backend_job_get_backend (job);
+ 	DnfRepo *repo;
+ 	DnfState *state_local;
+ 	DnfState *state_loop;
+@@ -1699,6 +1700,9 @@ pk_backend_refresh_cache_thread (PkBackendJob *job,
+ 		return;
+ 	}
+ 
++	/* invalidate the sack cache after downloading new metadata */
++	pk_backend_sack_cache_invalidate (backend, "downloaded new metadata");
++
+ 	/* regenerate the libsolv metadata */
+ 	state_local = dnf_state_get_child (job_data->state);
+ 	sack = dnf_utils_create_sack_for_filters (job, 0,
+-- 
+2.19.1
+

0001-offline-update-Use-new-plymouth-system-upgrade-and-r.patch

@@ -0,0 +1,56 @@
+From 4b3f4913e50510eed5fbd3bc4cf94a49dec939ab Mon Sep 17 00:00:00 2001
+From: Kalev Lember <klember@redhat.com>
+Date: Wed, 27 Feb 2019 10:08:50 +0100
+Subject: [PATCH] offline update: Use new plymouth "system-upgrade" and
+ "reboot" modes
+
+These landed in plymouth git yesterday to implement
+https://wiki.gnome.org/Design/OS/BootProgress
+
+Using the new API conditionally is tricky as it's command line API;
+enterprise distros that don't have new enough plymouth should probably
+just revert this commit.
+---
+ client/pk-offline-update.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/client/pk-offline-update.c b/client/pk-offline-update.c
+index 90ecacd06..6f6591427 100644
+--- a/client/pk-offline-update.c
++++ b/client/pk-offline-update.c
+@@ -188,7 +188,7 @@ pk_offline_update_reboot (void)
+ 
+ 	/* reboot using systemd */
+ 	sd_journal_print (LOG_INFO, "rebooting");
+-	pk_offline_update_set_plymouth_mode ("shutdown");
++	pk_offline_update_set_plymouth_mode ("reboot");
+ 	/* TRANSLATORS: we've finished doing offline updates */
+ 	pk_offline_update_set_plymouth_msg (_("Rebooting after installing updates…"));
+ 	connection = g_bus_get_sync (G_BUS_TYPE_SYSTEM, NULL, &error);
+@@ -371,6 +371,7 @@ pk_offline_update_do_update (PkTask *task, PkProgressBar *progressbar, GError **
+ 		return FALSE;
+ 	}
+ 
++	pk_offline_update_set_plymouth_mode ("updates");
+ 	/* TRANSLATORS: we've started doing offline updates */
+ 	pk_offline_update_set_plymouth_msg (_("Installing updates; this could take a while..."));
+ 	pk_offline_update_write_dummy_results ();
+@@ -403,6 +404,7 @@ pk_offline_update_do_upgrade (PkTask *task, PkProgressBar *progressbar, GError *
+ 	        return FALSE;
+ 	}
+ 
++	pk_offline_update_set_plymouth_mode ("system-upgrade");
+ 	/* TRANSLATORS: we've started doing offline system upgrade */
+ 	pk_offline_update_set_plymouth_msg (_("Installing system upgrade; this could take a while..."));
+ 	pk_offline_update_write_dummy_results ();
+@@ -485,7 +487,6 @@ main (int argc, char *argv[])
+ 
+ 	task = pk_task_new ();
+ 	pk_client_set_interactive (PK_CLIENT (task), FALSE);
+-	pk_offline_update_set_plymouth_mode ("updates");
+ 
+ 	if (g_strcmp0 (link, PK_OFFLINE_PREPARED_UPGRADE_FILENAME) == 0 &&
+ 	    g_file_test (PK_OFFLINE_PREPARED_UPGRADE_FILENAME, G_FILE_TEST_EXISTS)) {
+-- 
+2.21.0
+

PackageKit-0.3.9-Command-not-found-AddFn.patch

@@ -0,0 +1,52 @@
+#Copyright (C) 2019. Huawei Technologies Co., Ltd. All rights reserved.
+#
+#This program is free software; you can redistribute it and/or modify
+#it under the terms of GPLv2+ and LGPLv2+ 
+#
+#This program is distributed in the hope that it will be useful,
+#but WITHOUT ANY WARRANTY; without even the implied warranty of
+#MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See GPLv2+ and LGPLv2+ for more details.
+
+diff -uNrp a/contrib/command-not-found/pk-command-not-found.c b/contrib/command-not-found/pk-command-not-found.c
+--- a/contrib/command-not-found/pk-command-not-found.c	2018-09-25 16:37:29.000000000 +0800
++++ b/contrib/command-not-found/pk-command-not-found.c	2019-08-26 10:14:11.184000000 +0800
+@@ -143,6 +143,31 @@ pk_cnf_find_alternatives_replace (const
+ 
+ /**
+  *
++ * Add last char, so gre -> grep
++ **/
++static void
++pk_cnf_find_alternatives_add (const gchar *cmd, guint len, GPtrArray *array)
++{
++        guint i;
++        gchar *possible;
++        gchar *alt="abcdefghijklmnopqrstuvwxyz";
++        for(i = 0;i < 26; i++)
++        {
++                gchar *temp = malloc((len+2)*sizeof(gchar));
++				if(NULL != temp)
++				{
++					memset(temp,0,(len+2)*sizeof(gchar));
++					strncpy(temp,cmd,len);
++					temp[len]=alt[i];
++					temp[len+1]='\0';
++					possible = temp;
++					g_ptr_array_add (array, possible);
++				}
++        }
++}
++
++/**
++ *
+  * Truncate first and last char, so lshall -> lshal
+  **/
+ static void
+@@ -349,6 +374,7 @@ pk_cnf_find_alternatives (const gchar *c
+ 	unique = g_ptr_array_new ();
+ 	pk_cnf_find_alternatives_swizzle (cmd, len, possible);
+ 	pk_cnf_find_alternatives_replace (cmd, len, possible);
++	pk_cnf_find_alternatives_add (cmd, len, possible);
+ 	if (len > 3)
+ 		pk_cnf_find_alternatives_truncate (cmd, len, possible);
+ 	pk_cnf_find_alternatives_remove_double (cmd, len, possible);

PackageKit.spec

@@ -0,0 +1,229 @@
+Name:           PackageKit
+Version:        1.1.12
+Release:        10
+License:        GPLv2+ and LGPLv2+
+Summary:        Package management service
+URL:            https://www.freedesktop.org/software/PackageKit/
+Source0:        https://www.freedesktop.org/software/PackageKit/releases/%{name}-%{version}.tar.xz
+
+# Fedora-specific: set Vendor.conf up for Fedora.
+Patch1:         PackageKit-0.3.9-Command-not-found-AddFn.patch
+
+# Backported from upstream
+Patch2:         0001-dnf-Invalidate-the-sack-cache-after-downloading-new-.patch
+
+# https://github.com/hughsie/PackageKit/pull/316
+Patch3:         0001-offline-update-Use-new-plymouth-system-upgrade-and-r.patch
+
+# https://pagure.io/releng/issue/7445
+Patch4:         0001-dnf-Don-t-override-DnfContext-s-release_ver-for-the-.patch
+
+# https://github.com/hughsie/PackageKit/pull/330
+Patch5:         0001-Do-not-trigger-an-inotity-event-when-the-AppStream-X.patch
+
+# modify support URL
+Patch6:         0001-PackageKit-modify-support-URL.patch
+
+Patch6000:      backport-CVE-2020-16121.patch
+
+BuildRequires:  glib2-devel xmlto gtk-doc sqlite-devel polkit-devel libtool gtk2-devel gtk3-devel docbook-utils
+BuildRequires:  gnome-doc-utils intltool gettext vala gstreamer1-devel gstreamer1-plugins-base-devel pango-devel
+BuildRequires:  fontconfig-devel libappstream-glib-devel libdnf-devel systemd-devel gobject-introspection-devel bash-completion
+
+Requires:       glib2 libdnf shared-mime-info systemd gobject-introspection crontabs pango
+
+Obsoletes:      PackageKit-udev-helper < %{version}-%{release}
+Obsoletes:      udev-packagekit < %{version}-%{release}
+Obsoletes:      PackageKit-gtk-module < %{version}-%{release}
+Obsoletes:      PackageKit-smart < %{version}-%{release}
+Obsoletes:      PackageKit-yum < 0.9.1
+Obsoletes:      PackageKit-yum-plugin < 0.9.1
+Obsoletes:      PackageKit-zif < 0.8.13-2
+Obsoletes:      PackageKit-cached-metadata < 1.0.10-2
+Obsoletes:      PackageKit-browser-plugin < 1.0.11-3
+Obsoletes:      PackageKit-debug-install < 0.9.1
+Obsoletes:      PackageKit-hawkey < 0.9.1
+Obsoletes:      PackageKit-backend-devel < 0.9.6
+Obsoletes:      PackageKit-device-rebind < 0.8.13-2
+Provides:       PackageKit-debug-install = %{version}-%{release}
+Provides:       PackageKit-device-rebind = %{version}-%{release}
+Provides:       PackageKit-hawkey = %{version}-%{release}
+Provides:       PackageKit-yum = %{version}-%{release}
+Provides:       PackageKit-yum-plugin = %{version}-%{release}
+Provides:       PackageKit-zif = %{version}-%{release}
+Obsoletes:      PackageKit-gstreamer-plugin
+Provides:       PackageKit-gstreamer-plugin
+Obsoletes:      PackageKit-glib
+Provides:       PackageKit-glib
+Obsoletes:      PackageKit-libs < %{version}-%{release}
+Provides:       PackageKit-libs = %{version}-%{release}
+Obsoletes:      PackageKit-cron
+Provides:       PackageKit-cron
+Obsoletes:      codeina < 0.10.1-10
+Provides:       codeina = 0.10.1-10
+
+%description
+PackageKit is a D-Bus abstraction layer that allows the session user
+to manage packages in a secure way using a cross-distro,
+cross-architecture API.
+
+%package        devel
+Summary:        Libraries and headers for PackageKit
+Requires:       %{name} = %{version}-%{release}
+Requires:       dbus-devel >= 1.1.1 sqlite-devel pango
+Obsoletes:      PackageKit-glib-devel < %{version}-%{release}
+Provides:       PackageKit-glib-devel = %{version}-%{release}
+Obsoletes:      PackageKit-docs < %{version}-%{release}
+Provides:       PackageKit-docs = %{version}-%{release}
+Obsoletes:      PackageKit-gtk3-module
+Provides:       PackageKit-gtk3-module
+
+%description    devel
+headers and libraries for PackageKit.
+
+%package_help
+
+%package        command-not-found
+Summary:        Ask the user to install command line programs automatically
+Requires:       bash
+
+%description    command-not-found
+
+A simple helper that offers to install new packages on the command line
+using PackageKit.
+
+%prep
+%autosetup -p1
+
+%build
+%configure  --enable-dnf --enable-bash-completion --disable-local  --disable-silent-rules
+
+%make_build V=1
+
+%install
+%make_install
+
+%delete_la_and_a
+
+mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/cache/app-info/{icons,xmls}
+
+touch $RPM_BUILD_ROOT%{_localstatedir}/cache/PackageKit/groups.sqlite
+
+pushd ${RPM_BUILD_ROOT}%{_libexecdir} > /dev/null
+ln -s pk-gstreamer-install gst-install-plugins-helper
+popd > /dev/null
+
+%post
+systemctl disable packagekit-offline-update.service > /dev/null 2>&1 || :
+
+%files
+%defattr(-,root,root)
+%license COPYING
+%doc AUTHORS
+%dir %{_localstatedir}/cache/app-info/icons
+%dir %{_localstatedir}/cache/app-info/xmls
+%ghost %verify(not md5 size mtime) %{_localstatedir}/cache/PackageKit/groups.sqlite
+%config(noreplace) %{_sysconfdir}/PackageKit/PackageKit.conf
+%config(noreplace) %{_sysconfdir}/PackageKit/Vendor.conf
+%config(noreplace) %{_sysconfdir}/sysconfig/packagekit-background
+%config %{_sysconfdir}/cron.daily/packagekit-background.cron
+%config %{_sysconfdir}/dbus-1/system.d/*
+%{_libexecdir}/packagekitd
+%{_libexecdir}/packagekit-direct
+%{_libexecdir}/pk-offline-update
+%{_libexecdir}/pk-gstreamer-install
+%{_libexecdir}/gst-install-plugins-helper
+%{_bindir}/pk*
+%{_libdir}/*packagekit-glib2.so.*
+%{_libdir}/packagekit-backend/libpk_backend_*.so
+%{_libdir}/packagekit-backend/libpk_backend_test_*.so
+%{_libdir}/girepository-1.0/PackageKitGlib-1.0.typelib
+%{_datadir}/locale/*
+%{_datadir}/PackageKit/helpers/test_spawn/*
+%{_datadir}/polkit-1/*/*
+%{_datadir}/PackageKit/pk-upgrade-distro.sh
+%{_datadir}/bash-completion/completions/pkcon
+%ghost %verify(not md5 size mtime) %{_localstatedir}/lib/PackageKit/transactions.db
+%{_datadir}/dbus-1/system-services/*.service
+%{_unitdir}/packagekit-offline-update.service
+%{_unitdir}/packagekit.service
+%{_unitdir}/system-update.target.wants/
+
+%files devel
+%defattr(-,root,root)
+%{_libdir}/*.so
+%{_libdir}/gtk-2.0/modules/*.so
+%{_libdir}/gtk-3.0/modules/*.so
+%{_libdir}/gnome-settings-daemon-3.0/gtk-modules/*.desktop
+%{_libdir}/pkgconfig/*.pc
+%{_includedir}/PackageKit/packagekit-glib*/*.h
+%{_datadir}/gir-1.0/PackageKitGlib-1.0.gir
+%{_datadir}/vala/vapi/packagekit-glib2.vapi
+
+%files help
+%defattr(-,root,root)
+%doc NEWS README
+%{_datadir}/man/man1/*.1.gz
+%{_datadir}/gtk-doc/html/PackageKit
+%{_datadir}/dbus-1/interfaces/*.xml
+
+%files command-not-found
+%defattr(-,root,root)
+%{_libexecdir}/pk-command-not-found
+%{_sysconfdir}/profile.d/*
+%config(noreplace) %{_sysconfdir}/PackageKit/CommandNotFound.conf
+
+%changelog
+* Tue Sep 28 2021 yangcheng <yangcheng87@huawei.com> - 1.1.12-10
+- Type:CVE
+- ID:cve-2020-16121
+- SUG:NA
+- DESC:fix CVE-2020-16121
+
+* Tue Mar 10 2020 chengguipeng <chengguipeng1@huawei.com> - 1.1.12-9
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:solove the problem that no message is displayed when running a uninstalled command.
+
+* Tue Mar 10 2020 openEuler Buildteam <buildteam@openeuler.org> - 1.1.12-8
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:remove unnecessary link file
+
+* Sun Dec 29 2019 openEuler Buildteam <buildteam@openeuler.org> - 1.1.12-7
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:modify support URL
+
+* Wed Dec 25 2019 openEuler Buildteam <buildteam@openeuler.org> - 1.1.12-6
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:optimization the spec
+
+* Tue Dec 24 2019 openEuler Buildteam <buildteam@openeuler.org> - 1.1.12-5
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:move some .so to main package
+
+* Fri Dec 20 2019 openEuler Buildteam <buildteam@openeuler.org> - 1.1.12-4
+- patch rename
+
+* Fri Nov 22 2019 openEuler Buildteam <buildteam@openeuler.org> - 1.1.12-3
+- Type:bugfix
+- Id:NA
+- SUG:NA
+- DESC:Unpack command-not-found for PackageKit
+
+* Tue Sep 24 2019 openEuler Buildteam <buildteam@openeuler.org> - 1.1.12-2
+- Type:bugfix
+- Id:NA
+- SUG:NA
+- DESC:Add PackageKit.so file for PackageKit
+
+* Fri Sep 20 2019 openEuler Buildteam <buildteam@openeuler.org> - 1.1.12-1
+- Package init

PackageKit.yaml

@@ -0,0 +1,4 @@
+version_control: github
+src_repo: hughsie/PackageKit
+tag_prefix: PACKAGEKIT_
+seperator: _

README.en.md

@@ -0,0 +1,36 @@
+# PackageKit
+
+#### Description
+{**When you're done, you can delete the content in this README and update the file with details for others getting started with your repository**}
+
+#### Software Architecture
+Software architecture description
+
+#### Installation
+
+1.  xxxx
+2.  xxxx
+3.  xxxx
+
+#### Instructions
+
+1.  xxxx
+2.  xxxx
+3.  xxxx
+
+#### Contribution
+
+1.  Fork the repository
+2.  Create Feat_xxx branch
+3.  Commit your code
+4.  Create Pull Request
+
+
+#### Gitee Feature
+
+1.  You can use Readme\_XXX.md to support different languages, such as Readme\_en.md, Readme\_zh.md
+2.  Gitee blog [blog.gitee.com](https://blog.gitee.com)
+3.  Explore open source project [https://gitee.com/explore](https://gitee.com/explore)
+4.  The most valuable open source project [GVP](https://gitee.com/gvp)
+5.  The manual of Gitee [https://gitee.com/help](https://gitee.com/help)
+6.  The most popular members  [https://gitee.com/gitee-stars/](https://gitee.com/gitee-stars/)

backport-CVE-2020-16121.patch

@@ -0,0 +1,140 @@
+From e916b584d8d0f3feb835fe3793f01271a301240d Mon Sep 17 00:00:00 2001
+From: Julian Andres Klode <julian.klode@canonical.com>
+Date: Tue, 22 Sep 2020 14:12:12 +0200
+Subject: [PATCH 2/2] Information disclosure in InstallFiles, GetFilesLocal and
+ GetDetailsLocal
+
+These functions revealed existence and content type of files, which
+allows a non-root user to check existence and content type of any
+file on the system, regardless of permission, as the checks are
+performed as root.
+
+A correct fix would move those checks into the client, and pass an
+fd to the daemon. Here we just hide which failure it is, which we
+would need to do anyway, but don't provide an improved version as
+that's out of scope for a security issue and requires changes the
+reverse dependencies using those functions.
+
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1888887
+---
+ src/pk-transaction.c | 48 ++++++++++++++++----------------------------
+ 1 file changed, 17 insertions(+), 31 deletions(-)
+
+diff --git a/src/pk-transaction.c b/src/pk-transaction.c
+index 76e9965..0880fbf 100644
+--- a/src/pk-transaction.c
++++ b/src/pk-transaction.c
+@@ -3038,7 +3038,7 @@ pk_transaction_get_details_local (PkTransaction *transaction,
+ 			g_set_error (&error,
+ 				     PK_TRANSACTION_ERROR,
+ 				     PK_TRANSACTION_ERROR_NO_SUCH_FILE,
+-				     "No such file %s", full_paths[i]);
++				     "No such file %s, or unknown or unsupported content type", full_paths[i]);
+ 			pk_transaction_set_state (transaction, PK_TRANSACTION_STATE_ERROR);
+ 			goto out;
+ 		}
+@@ -3049,9 +3049,8 @@ pk_transaction_get_details_local (PkTransaction *transaction,
+ 		if (content_type == NULL) {
+ 			g_set_error (&error,
+ 				     PK_TRANSACTION_ERROR,
+-				     PK_TRANSACTION_ERROR_MIME_TYPE_NOT_SUPPORTED,
+-				     "Failed to get content type for file %s",
+-				     full_paths[i]);
++				     PK_TRANSACTION_ERROR_NO_SUCH_FILE,
++				     "No such file %s, or unknown or unsupported content type", full_paths[i]);
+ 			pk_transaction_set_state (transaction, PK_TRANSACTION_STATE_ERROR);
+ 			goto out;
+ 		}
+@@ -3061,9 +3060,8 @@ pk_transaction_get_details_local (PkTransaction *transaction,
+ 		if (!ret) {
+ 			g_set_error (&error,
+ 				     PK_TRANSACTION_ERROR,
+-				     PK_TRANSACTION_ERROR_MIME_TYPE_NOT_SUPPORTED,
+-				     "MIME type '%s' not supported %s",
+-				     content_type, full_paths[i]);
++				     PK_TRANSACTION_ERROR_NO_SUCH_FILE,
++				     "No such file %s, or unknown or unsupported content type", full_paths[i]);
+ 			pk_transaction_set_state (transaction, PK_TRANSACTION_STATE_ERROR);
+ 			goto out;
+ 		}
+@@ -3139,7 +3137,7 @@ pk_transaction_get_files_local (PkTransaction *transaction,
+ 			g_set_error (&error,
+ 				     PK_TRANSACTION_ERROR,
+ 				     PK_TRANSACTION_ERROR_NO_SUCH_FILE,
+-				     "No such file %s", full_paths[i]);
++				     "No such file %s, or unknown or unsupported content type", full_paths[i]);
+ 			pk_transaction_set_state (transaction, PK_TRANSACTION_STATE_ERROR);
+ 			goto out;
+ 		}
+@@ -3150,9 +3148,8 @@ pk_transaction_get_files_local (PkTransaction *transaction,
+ 		if (content_type == NULL) {
+ 			g_set_error (&error,
+ 				     PK_TRANSACTION_ERROR,
+-				     PK_TRANSACTION_ERROR_MIME_TYPE_NOT_SUPPORTED,
+-				     "Failed to get content type for file %s",
+-				     full_paths[i]);
++				     PK_TRANSACTION_ERROR_NO_SUCH_FILE,
++				     "No such file %s, or unknown or unsupported content type", full_paths[i]);
+ 			pk_transaction_set_state (transaction, PK_TRANSACTION_STATE_ERROR);
+ 			goto out;
+ 		}
+@@ -3162,9 +3159,8 @@ pk_transaction_get_files_local (PkTransaction *transaction,
+ 		if (!ret) {
+ 			g_set_error (&error,
+ 				     PK_TRANSACTION_ERROR,
+-				     PK_TRANSACTION_ERROR_MIME_TYPE_NOT_SUPPORTED,
+-				     "MIME type '%s' not supported %s",
+-				     content_type, full_paths[i]);
++				     PK_TRANSACTION_ERROR_NO_SUCH_FILE,
++				     "No such file %s, or unknown or unsupported content type", full_paths[i]);
+ 			pk_transaction_set_state (transaction, PK_TRANSACTION_STATE_ERROR);
+ 			goto out;
+ 		}
+@@ -3667,7 +3663,7 @@ pk_transaction_install_files (PkTransaction *transaction,
+ 			g_set_error (&error,
+ 				     PK_TRANSACTION_ERROR,
+ 				     PK_TRANSACTION_ERROR_NO_SUCH_FILE,
+-				     "No such file %s", full_paths[i]);
++				     "No such file %s, or unknown or unsupported content type", full_paths[i]);
+ 			pk_transaction_set_state (transaction, PK_TRANSACTION_STATE_ERROR);
+ 				goto out;
+ 		}
+@@ -3677,9 +3673,8 @@ pk_transaction_install_files (PkTransaction *transaction,
+ 		if (content_type == NULL) {
+ 			g_set_error (&error,
+ 				     PK_TRANSACTION_ERROR,
+-				     PK_TRANSACTION_ERROR_NOT_SUPPORTED,
+-				     "Failed to get content type for file %s",
+-				     full_paths[i]);
++				     PK_TRANSACTION_ERROR_NO_SUCH_FILE,
++				     "No such file %s, or unknown or unsupported content type", full_paths[i]);
+ 			pk_transaction_set_state (transaction, PK_TRANSACTION_STATE_ERROR);
+ 				goto out;
+ 		}
+@@ -3687,19 +3682,10 @@ pk_transaction_install_files (PkTransaction *transaction,
+ 		/* supported content type? */
+ 		ret = pk_transaction_is_supported_content_type (transaction, content_type);
+ 		if (!ret) {
+-			if (g_strcmp0 ("application/x-app-package", content_type) == 0 ||
+-			    g_str_has_suffix (full_paths[i], ".ipk") == TRUE) {
+-				g_set_error (&error,
+-					      PK_TRANSACTION_ERROR,
+-					      PK_TRANSACTION_ERROR_MIME_TYPE_NOT_SUPPORTED,
+-					      "Listaller is required to install %s", full_paths[i]);
+-			} else {
+-				g_set_error (&error,
+-					     PK_TRANSACTION_ERROR,
+-					     PK_TRANSACTION_ERROR_MIME_TYPE_NOT_SUPPORTED,
+-					     "MIME type '%s' not supported %s",
+-					     content_type, full_paths[i]);
+-			}
++			g_set_error (&error,
++                                     PK_TRANSACTION_ERROR,
++                                     PK_TRANSACTION_ERROR_NO_SUCH_FILE,
++                                     "No such file %s, or unknown or unsupported content type", full_paths[i]);
+ 			pk_transaction_set_state (transaction, PK_TRANSACTION_STATE_ERROR);
+ 				goto out;
+ 		}
+-- 
+2.27.0
+