pkgman install *un*installs the package (if passed a local hpkg, no problem with remote hpkr's)
|Reported by:||ttcoder||Owned by:||bonefish|
dsuden keeps running into this vulnerability ever since I told him about "pkgman install", it's driving me nuts :-)
"Installing" a package which happens to be already installed actually results in its de-installation (possibly because one of the performed steps involves moving the "old" hpkg into an 'archive' subfolder of administrative, but both the "old" and "new" files are the same ?)
Furthermore, if said package is a dependency of others, this obviously results in a cascade of consequences, ouch!
Reproducible "show and tell" session coming up below
Some naive enhancement ideas: if one of the package files passed to BPackageManager::Install() matches an already installed package for the specified repository...
- reject the transaction as a whole ?
- reject only that part of the transaction ?
- start applying the whole transaction, but abort/fail it at the stage of creating the .hpkg file within /system/packages, before the actual backup-to-archive stage (maybe might be as simple as tweaking an open() call, passing it the O_NOCLOBBER.. flag and throwing an exception if open() returns file-already-exists ?)
- something else ?
Any of the above would result in cutting short the vulnerability exploit before the package gets uninstalled (and its dependencies if any) which would be great by me :-)
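
The third idea in the list above amounts to an exclusive create, which POSIX open() provides through `O_CREAT | O_EXCL` (the call fails with `EEXIST` if the file is already there). The following is an added example, not code from the ticket or from Haiku's package kit; `place_package()` and the paths it is given are hypothetical.

```c
/* Added example: hypothetical helper, not Haiku package kit code. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Copy src into dst_dir/name, refusing to touch a file that already exists.
 * Returns 0 on success, -EEXIST if the package is already present (nothing
 * has been moved, archived or overwritten at that point), or another -errno. */
int place_package(const char *src, const char *dst_dir, const char *name)
{
    char dst[1024];
    int len = snprintf(dst, sizeof dst, "%s/%s", dst_dir, name);
    if (len < 0 || (size_t)len >= sizeof dst)
        return -ENAMETOOLONG;

    int in = open(src, O_RDONLY);
    if (in < 0)
        return -errno;

    /* O_CREAT | O_EXCL makes "does it exist?" and "create it" one atomic
     * step, so an installed package (even src itself) is never clobbered. */
    int out = open(dst, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (out < 0) {
        int err = errno;
        close(in);
        return -err;
    }

    char buf[4096];
    ssize_t n = 0;
    int rc = 0;
    while (rc == 0 && (n = read(in, buf, sizeof buf)) > 0) {
        for (ssize_t off = 0; off < n && rc == 0; ) {
            ssize_t w = write(out, buf + off, (size_t)(n - off));
            if (w < 0) rc = -errno; else off += w;
        }
    }
    if (n < 0 && rc == 0)
        rc = -errno;
    close(in);
    if (close(out) < 0 && rc == 0)
        rc = -errno;
    if (rc != 0)
        unlink(dst);            /* remove only the partial file we created */
    return rc;
}
```

A caller would treat `-EEXIST` as "already installed" and stop the transaction before any backup-to-archive step runs.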