Skip to main content
Topic: Security Issue Masquaraded as Conflicting Packages (Could Not Satisfy Dep.) (Read 605 times) previous topic - next topic
0 Members and 1 Guest are viewing this topic.

Security Issue Masquaraded as Conflicting Packages (Could Not Satisfy Dep.)

Hi,
I hope its the right thread. Just run some updates and encountered the following:

"resolving dependencies...
looking for conflicting packages...
error: failed to prepare transaction (could not satisfy dependencies)
:: installing boost-libs (1.78.0-1) breaks dependency 'libboost_thread.so=1.76.0-64' required by libphonenumber"

After investigation the culprit is KDEItinerary enforced upon users as a new thing after KDE upgrades (its useless anyway because you can't use it to plan your itinerary, you have to buy ticket first and import data, so its not of any help for you to plan your journey from point A to point B, so since you bought ticket, you know you have layover/change and you know that you will be using train and then bus, because you bought the ticket. KDE itinerary doesn't help you to find routes and trains, buses etc. Its useless).

Security: pacman WILL NOT TELL YOU, but KDE Itinerary and this broken boost-lib/libboost_hread.so  (KDE Itinerary and googles libphonenumber- the hell with Google) will stop pacman from..... updateing OPENSSL.

Solution
$ pacman -Rdd kdeitinerary --noconfirm && pacman -Rdd libphonenumber --noconfirm

Now if you update the system the following packages (not previously shown in any way by pacman, so you wouldn't notice!) will be updated:

 upgraded openssl (1.1.1.l-1 -> 1.1.1.m-1)
 upgraded boost-libs (1.76.0-6 -> 1.78.0-1)
 upgraded imath (3.1.3-3 -> 3.1.3-4)
 upgraded libcmis (0.5.2-8 -> 0.5.2-9)
 upgraded libixion (0.16.1-8 -> 0.16.1-9)
 upgraded liborcus (0.16.1-9 -> 0.16.1-10)
 installed iniparser (4.1-3)
 upgraded ndctl (71.1-1.1 -> 72-1)
 upgraded nspr (4.32-1 -> 4.33-1)
 upgraded source-highlight (3.1.9-6 -> 3.1.9-7)

This is, in my opinion, a very serious security issue.

What is your solution- current and for the future?

Re: Security Issue Masquaraded as Conflicting Packages (Could Not Satisfy Dep.)

Reply #1
Use Artix repositories, not Arch repositories or AUR. Only packages from Artix repositories are officially supported by Artix.

https://wiki.artixlinux.org/Main/Repositories

Update: There is no "kdeitinerary" package, neither in AUR, Artix nor Arch repositories.

Those other packages listed as "hidden" updates are not "hidden" in any way, but are currently fresh versions of those packages from Artix repositories. They are normally upgraded when you run pacman -Syu.

Re: Security Issue Masquaraded as Conflicting Packages (Could Not Satisfy Dep.)

Reply #2
And don't use pacman -Rdd !
You are telling pacman to remove the package and ignore any dependencies. Sooner or later something will break.

I've never had libphonenumber or itinerary (kdeitinerary does not exist ?) forced on me but it could be a Kmail thing ?

Re: Security Issue Masquaraded as Conflicting Packages (Could Not Satisfy Dep.)

Reply #3
This title and OP is borderline nonsensical but there is actually a real problem. It appears that libphonenumber was not propertly built against the newest version of boost.
 

Re: Security Issue Masquaraded as Conflicting Packages (Could Not Satisfy Dep.)

Reply #4
There was an issue with libphonenumber. This has been fixed, and it can be updated after the repo mirrors have synced.
artist