Version in base suite: 1.2.6-5 Base version: packagekit_1.2.6-5 Target version: packagekit_1.2.6-5+deb12u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/p/packagekit/packagekit_1.2.6-5.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/p/packagekit/packagekit_1.2.6-5+deb12u1.dsc changelog | 7 + patches/PK_Do-not-allow-re-invoking-methods-on-non-new-txn.patch | 61 ++++++++++ patches/series | 1 3 files changed, 69 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpoz9tva9s/packagekit_1.2.6-5.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpoz9tva9s/packagekit_1.2.6-5+deb12u1.dsc: no acceptable signature found
diff -Nru packagekit-1.2.6/debian/changelog packagekit-1.2.6/debian/changelog
--- packagekit-1.2.6/debian/changelog 2023-05-28 17:00:10.000000000 +0000
+++ packagekit-1.2.6/debian/changelog 2026-04-21 14:49:31.000000000 +0000
@@ -1,3 +1,10 @@
+packagekit (1.2.6-5+deb12u1) bookworm-security; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * Do not allow re-invoking methods on non-new transactions
+
+ -- Salvatore Bonaccorso Tue, 21 Apr 2026 16:49:31 +0200
+
 packagekit (1.2.6-5) unstable; urgency=medium
 
 * Add fix-tiny-memleak.patch:
diff -Nru packagekit-1.2.6/debian/patches/PK_Do-not-allow-re-invoking-methods-on-non-new-txn.patch packagekit-1.2.6/debian/patches/PK_Do-not-allow-re-invoking-methods-on-non-new-txn.patch
--- packagekit-1.2.6/debian/patches/PK_Do-not-allow-re-invoking-methods-on-non-new-txn.patch 1970-01-01 00:00:00.000000000 +0000
+++ packagekit-1.2.6/debian/patches/PK_Do-not-allow-re-invoking-methods-on-non-new-txn.patch 2026-04-21 14:49:31.000000000 +0000
@@ -0,0 +1,61 @@
+From 22656f21232702439bc6b7d10bb7ac65253b5e8d Mon Sep 17 00:00:00 2001
+From: Matthias Klumpp
+Date: Tue, 14 Apr 2026 16:12:18 +0200
+Subject: [PATCH] Do not allow re-invoking methods on non-new transactions
+
+This ensures that cached parameters (such a transaction flags) can not
+be changed on an already running transaction or a transaction that is
+waiting for authorization.
+
+It also prevents backwards state transitions in case a client
+misbehaves.
+[Salvatore Bonaccorso: Backport changes to version before fce95c935347
+("trivial: typos") in v1.3.3]
+---
+ src/pk-transaction.c | 26 ++++++++++++++++++++++----
+ 1 file changed, 22 insertions(+), 4 deletions(-)
+
+diff --git a/src/pk-transaction.c b/src/pk-transaction.c
+index db64aab8f..82501b56f 100644
+--- a/src/pk-transaction.c
++++ b/src/pk-transaction.c
+@@ -5250,14 +5250,32 @@ pk_transaction_method_call (GDBusConnection *connection_, const gchar *sender,
+ pk_transaction_set_hints (transaction, parameters, invocation);
+ return;
+ }
+- if (g_strcmp0 (method_name, "AcceptEula") == 0) {
+- pk_transaction_accept_eula (transaction, parameters, invocation);
+- return;
+- }
+ if (g_strcmp0 (method_name, "Cancel") == 0) {
+ pk_transaction_cancel (transaction, parameters, invocation);
+ return;
+ }
++
++ /* All action methods below must only be invoked once on a new transaction.
++ * Reject any attempt to re-invoke them after the transaction has been initialized,
++ * preventing situations where a second D-Bus call could overwrite transaction flags
++ * (or other cached state) after authorization has already been granted for the previous
++ * request based on the old parameters. 
*/
++ if (transaction->priv->state != PK_TRANSACTION_STATE_NEW) {
++ g_dbus_method_invocation_return_error (invocation,
++ PK_TRANSACTION_ERROR,
++ PK_TRANSACTION_ERROR_INVALID_STATE,
++ "cannot call %s on transaction %s: "
++ "already in state %s",
++ method_name,
++ transaction->priv->tid,
++ pk_transaction_state_to_string (transaction->priv->state));
++ return;
++ }
++
++ if (g_strcmp0 (method_name, "AcceptEula") == 0) {
++ pk_transaction_accept_eula (transaction, parameters, invocation);
++ return;
++ }
+ if (g_strcmp0 (method_name, "DownloadPackages") == 0) {
+ pk_transaction_download_packages (transaction, parameters, invocation);
+ return;
+--
+2.53.0
+
diff -Nru packagekit-1.2.6/debian/patches/series packagekit-1.2.6/debian/patches/series
--- packagekit-1.2.6/debian/patches/series 2023-05-28 16:54:39.000000000 +0000
+++ packagekit-1.2.6/debian/patches/series 2026-04-21 14:48:22.000000000 +0000
@@ -7,3 +7,4 @@
 06_apt-fix-mimetype-search-crash.patch
 07_fix-tiny-memleak.patch
 08_remove-references-to-packagekit.org.patch
+PK_Do-not-allow-re-invoking-methods-on-non-new-txn.patch
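Review bot: A re-invocation rejected by the new state check is reported only to the caller as PK_TRANSACTION_ERROR_INVALID_STATE; nothing is recorded on the daemon side, so an operator has no trace of a client trying to change parameters on a transaction that is already running or awaiting authorization, which is exactly the misuse this fix exists to stop. Since `sender` is a parameter of pk_transaction_method_call (visible in the inner hunk header), a `g_warning ("%s tried to call %s on transaction %s in state %s", sender, method_name, transaction->priv->tid, pk_transaction_state_to_string (transaction->priv->state));` before the added `return;` would make such attempts visible in the journal. The gate only protects methods dispatched below it: SetHints stays above it, so any state restriction on hints has to live in pk_transaction_set_hints itself, which is outside this hunk and worth confirming. Because the check precedes the method-name comparisons, an unknown method invoked on a non-new transaction now receives the invalid-state error rather than whatever the unknown-method path further down returns, which seems acceptable but is an observable change. pk_transaction_method_call begins and ends outside the hunk.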