| Field | Value | Field | Value |
|---|---|---|---|
| Summary | <sys-apps/fwupd-1.3.10, <dev-libs/libjcat-0.1.3: Multiple vulnerabilities (CVE-2020-10759) | | |
| Product | Gentoo Security | Reporter | Sam James <sam> |
| Component | Vulnerabilities | Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED | | |
| Severity | critical | CC | gnome, polynomial-c |
| Priority | Normal | Flags | nattka: sanity-check+ |
| Version | unspecified | | |
| Hardware | All | | |
| OS | Linux | | |
| URL | https://github.com/justinsteven/advisories/blob/master/2020_fwupd_dangling_s3_bucket_and_CVE-2020-10759_signature_verification_bypass.md | | |
| Whiteboard | A1 [glsa+ cve] | | |
| Runtime testing required | --- | | |
| Bug Depends on | 695758, 730396 | | |
| Bug Blocks | | | |

Package list:

- sys-apps/fwupd-1.3.10 amd64 x86
- dev-util/umockdev-0.12.1 amd64 x86
- app-crypt/tpm2-tss-2.4.1 amd64 x86
- dev-libs/libxmlb-0.1.15 amd64 x86
- dev-libs/libjcat-0.1.3 amd64 x86
Description

Sam James, 2020-06-09 13:29:58 UTC:

Please bump to 1.3.10/1.4.3. It seems 1.4.x is only vulnerable to the rollback issue. 1.3.x is vulnerable to the rollback issue and the core PGP problem.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4022f1d5b31959e5250665585eb9ba379502303a

commit 4022f1d5b31959e5250665585eb9ba379502303a
Author: Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2020-06-15 11:36:21 +0000
Commit: Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2020-06-15 11:38:05 +0000

sys-apps/fwupd: Security bump to versions 1.3.10 and 1.4.4

Bug: https://bugs.gentoo.org/727656
Closes: https://bugs.gentoo.org/705972
Package-Manager: Portage-2.3.101, Repoman-2.3.22
Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

sys-apps/fwupd/Manifest | 2 +
sys-apps/fwupd/fwupd-1.3.10.ebuild | 165 +++++++++++++++++++++++++++++++++++++
sys-apps/fwupd/fwupd-1.4.4.ebuild | 159 +++++++++++++++++++++++++++++++++++
3 files changed, 326 insertions(+)

Unable to check for sanity:
> package masked: sys-apps/fwupd-1.3.10, in all profiles for arch: x86
Unable to check for sanity:
> package masked: sys-apps/fwupd-1.3.10, in all profiles for arch: x86
Unable to check for sanity:
> package masked: sys-apps/fwupd-1.3.10, in all profiles for arch: x86
Sanity check failed:
> sys-apps/fwupd-1.3.10
> bdepend amd64 stable profile default/linux/amd64/17.0 (39 total)
> dev-util/umockdev
> bdepend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (2 total)
> dev-util/umockdev
> depend amd64 stable profile default/linux/amd64/17.0 (39 total)
> >=dev-libs/libxmlb-0.1.13
> app-crypt/tpm2-tss
> depend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (2 total)
> >=dev-libs/libxmlb-0.1.13
> app-crypt/tpm2-tss
> rdepend amd64 stable profile default/linux/amd64/17.0 (39 total)
> >=dev-libs/libxmlb-0.1.13
> app-crypt/tpm2-tss
> rdepend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (2 total)
> >=dev-libs/libxmlb-0.1.13
> app-crypt/tpm2-tss
Sanity check failed:
> sys-apps/fwupd-1.4.2
> depend ~x86 stable profile default/linux/x86/17.0 (11 total)
> >=dev-libs/libjcat-0.1.0[gpg,pkcs7]
> rdepend ~x86 stable profile default/linux/x86/17.0 (11 total)
> >=dev-libs/libjcat-0.1.0[gpg,pkcs7]
> sys-apps/fwupd-1.4.4
> depend ~x86 stable profile default/linux/x86/17.0 (11 total)
> >=dev-libs/libjcat-0.1.0[gpg,pkcs7]
> rdepend ~x86 stable profile default/linux/x86/17.0 (11 total)
> >=dev-libs/libjcat-0.1.0[gpg,pkcs7]
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=03f1e7f636c3233efdff4102dec7595d08de5c45

commit 03f1e7f636c3233efdff4102dec7595d08de5c45
Author: Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2020-06-16 15:25:00 +0000
Commit: Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2020-06-16 15:25:08 +0000

dev-libs/libjcat: Added ~x86 keyword

Bug: https://bugs.gentoo.org/727656
Package-Manager: Portage-2.3.101, Repoman-2.3.22
Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

dev-libs/libjcat/libjcat-0.1.2.ebuild | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

@maintainer(s), we need to bump libjcat to 0.1.3 too, unfortunately. Description:

> Version 0.1.3
> ~~~~~~~~~~~~~
> Released: 2020-06-16
>
> New Features:
> - Export the JcatBlobKind and JcatBlobMethod on the result (Richard Hughes)
>
> Bugfixes:
> - Validate that gpgme_op_verify_result() returned at least one signature (Richard Hughes)

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f8f8cb09c14885ab7c89a5a4accba43e8dbe350d

commit f8f8cb09c14885ab7c89a5a4accba43e8dbe350d
Author: Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2020-06-17 08:35:31 +0000
Commit: Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2020-06-17 08:38:43 +0000

dev-libs/libjcat: Bump to version 0.1.3

Bug: https://bugs.gentoo.org/727656
Package-Manager: Portage-2.3.101, Repoman-2.3.22
Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

dev-libs/libjcat/Manifest | 1 +
dev-libs/libjcat/libjcat-0.1.3.ebuild | 65 +++++++++++++++++++++++++++++++++++
2 files changed, 66 insertions(+)

Thanks! Let's try again :)

Unable to check for sanity:
> no match for package: app-crypt/tpm2-tss-2.4.0
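The libjcat 0.1.3 bugfix quoted above ("validate that gpgme_op_verify_result() returned at least one signature") describes a failure mode worth seeing in code: a verifier that only rejects on a *bad* signature accepts a payload that carries *no* signature, because the rejection loop never runs. The example below is added here and is not libjcat, gpgme or Gentoo code; the `Signature` and `VerifyResult` classes are a constructed stand-in for the gpgme result structure, and the trusted-fingerprint set is a constructed input.

```python
"""Empty-signature-list bypass: vulnerable check beside the hardened check.

Signature and VerifyResult are constructed stand-ins for the gpgme verify
result (not the real gpgme API); the logic is what matters here.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Signature:
    """One entry of a verify result (constructed mock)."""
    fpr: str      # fingerprint of the key that made the signature
    valid: bool   # True if the verifier marked the signature as valid


@dataclass
class VerifyResult:
    """Stand-in for gpgme_verify_result_t: a possibly empty signature list."""
    signatures: List[Signature] = field(default_factory=list)


def verify_vulnerable(result: VerifyResult, trusted_fprs: Set[str]) -> bool:
    """Rejects only when some signature is bad.

    With an empty signature list the loop body never executes, so the
    function returns True for data that was never signed at all. This is
    the pattern the libjcat 0.1.3 change closes.
    """
    for sig in result.signatures:
        if not sig.valid or sig.fpr not in trusted_fprs:
            return False
    return True


def verify_fixed(result: VerifyResult, trusted_fprs: Set[str]) -> bool:
    """Accepts only if at least one signature exists and every signature is
    valid and made by a key in the trusted set (fail closed)."""
    if not result.signatures:
        return False
    return all(sig.valid and sig.fpr in trusted_fprs for sig in result.signatures)


def run_cases() -> Dict[str, Dict[str, bool]]:
    """Runs both checks over constructed results; returns {case: {check: verdict}}."""
    trusted = {"ABCD1234"}  # constructed trusted fingerprint
    cases = {
        "no_signature": VerifyResult(),
        "trusted_valid": VerifyResult([Signature("ABCD1234", True)]),
        "untrusted_valid": VerifyResult([Signature("FFFF0000", True)]),
        "trusted_plus_bad": VerifyResult([Signature("ABCD1234", True),
                                          Signature("FFFF0000", False)]),
    }
    return {
        name: {
            "vulnerable": verify_vulnerable(res, trusted),
            "fixed": verify_fixed(res, trusted),
        }
        for name, res in cases.items()
    }


if __name__ == "__main__":
    for name, verdicts in run_cases().items():
        print(f"{name:18s} vulnerable={verdicts['vulnerable']!s:5s} fixed={verdicts['fixed']}")
```

The two checks disagree only on the `no_signature` case, which is exactly the unsigned-payload scenario: the vulnerable form accepts it, the fixed form rejects it. When wrapping a real verification library, treat "no error and zero signatures" as a verification failure, not a success.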
x86 stable

amd64 ping

amd64 stable.

Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.

ping

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=198ef57fff74d669e4290954d229d6adf193c282

commit 198ef57fff74d669e4290954d229d6adf193c282
Author: Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2020-06-29 14:09:55 +0000
Commit: Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2020-06-29 14:10:05 +0000

dev-libs/libjcat: Security cleanup

Bug: https://bugs.gentoo.org/727656
Package-Manager: Portage-2.3.103, Repoman-2.3.23
Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

dev-libs/libjcat/Manifest | 1 -
dev-libs/libjcat/libjcat-0.1.2.ebuild | 65 -----------------------------------
2 files changed, 66 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1ce9ba4c9e139be0110a6801d941bd9ea5344ef2

commit 1ce9ba4c9e139be0110a6801d941bd9ea5344ef2
Author: Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2020-06-29 14:08:21 +0000
Commit: Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2020-06-29 14:10:05 +0000

sys-apps/fwupd: Security cleanup

Bug: https://bugs.gentoo.org/727656
Package-Manager: Portage-2.3.103, Repoman-2.3.23
Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

sys-apps/fwupd/Manifest | 1 -
sys-apps/fwupd/fwupd-1.2.11.ebuild | 144 -------------------------------------
sys-apps/fwupd/metadata.xml | 1 -
3 files changed, 146 deletions(-)

commit 8c596c03338428080fb50327379d6819cc77fe62
Author: Lars Wendler <polynomial-c@gentoo.org>
Date: Mon Jun 29 16:48:25 2020

Revert "sys-apps/fwupd: Security cleanup"

This reverts commit 1ce9ba4c9e139be0110a6801d941bd9ea5344ef2 which breaks revdeps on arm

Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

Now ready to cleanup.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a88e205cdd8fee42b1bd6ec59102c822772295e0

commit a88e205cdd8fee42b1bd6ec59102c822772295e0
Author: Sam James <sam@gentoo.org>
AuthorDate: 2020-07-17 21:09:43 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2020-07-17 23:59:50 +0000

sys-apps/fwupd: security cleanup

Bug: https://bugs.gentoo.org/727656
Package-Manager: Portage-2.3.103, Repoman-2.3.23
Signed-off-by: Sam James <sam@gentoo.org>

sys-apps/fwupd/Manifest | 1 -
sys-apps/fwupd/fwupd-1.2.11.ebuild | 144 -------------------------------------
sys-apps/fwupd/metadata.xml | 1 -
3 files changed, 146 deletions(-)

How about cleanup old <dev-util/umockdev-0.12.1?

This issue was resolved and addressed in GLSA 202007-04 at https://security.gentoo.org/glsa/202007-04 by GLSA coordinator Sam James (sam_c).

(In reply to Andreas Sturmlechner from comment #22)
> How about cleanup old <dev-util/umockdev-0.12.1?

Reopening for cleanup. Apologies for forgetting CC.

NOTE: Not vulnerable, just a new dep.

(In reply to Andreas Sturmlechner from comment #22)
> How about cleanup old <dev-util/umockdev-0.12.1?

ping gnome

If older umockdev isn't vulnerable, then I see no reason to deal with that on here.

(In reply to Mart Raudsepp from comment #26)
> If older umockdev isn't vulnerable, then I see no reason to deal with that
> on here.

It's not. Closing.