
Bug 727656 (CVE-2020-10759)

Summary: <sys-apps/fwupd-1.3.10, <dev-libs/libjcat-0.1.3: Multiple vulnerabilities (CVE-2020-10759)
Product: Gentoo Security
Reporter: Sam James <sam>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: critical
CC: gnome, polynomial-c
Priority: Normal
Flags: nattka: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://github.com/justinsteven/advisories/blob/master/2020_fwupd_dangling_s3_bucket_and_CVE-2020-10759_signature_verification_bypass.md
Whiteboard: A1 [glsa+ cve]
Package list:
sys-apps/fwupd-1.3.10 amd64 x86
dev-util/umockdev-0.12.1 amd64 x86
app-crypt/tpm2-tss-2.4.1 amd64 x86
dev-libs/libxmlb-0.1.15 amd64 x86
dev-libs/libjcat-0.1.3 amd64 x86
Runtime testing required: ---
Bug Depends on: 695758, 730396    
Bug Blocks:    

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-09 13:29:58 UTC
fwupd does not properly validate PGP signatures. See URL for the full writeup.

Patch: https://github.com/fwupd/fwupd/commit/21f2d12
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-09 13:31:21 UTC
Please bump to 1.3.10/1.4.3.
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-09 13:34:14 UTC
It seems 1.4.x is only vulnerable to the rollback issue. 1.3.x is vulnerable to the rollback issue and the core PGP problem.
Comment 3 Larry the Git Cow gentoo-dev 2020-06-15 11:38:13 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4022f1d5b31959e5250665585eb9ba379502303a

commit 4022f1d5b31959e5250665585eb9ba379502303a
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2020-06-15 11:36:21 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2020-06-15 11:38:05 +0000

    sys-apps/fwupd: Security bump to versions 1.3.10 and 1.4.4
    
    Bug: https://bugs.gentoo.org/727656
    Closes: https://bugs.gentoo.org/705972
    Package-Manager: Portage-2.3.101, Repoman-2.3.22
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 sys-apps/fwupd/Manifest            |   2 +
 sys-apps/fwupd/fwupd-1.3.10.ebuild | 165 +++++++++++++++++++++++++++++++++++++
 sys-apps/fwupd/fwupd-1.4.4.ebuild  | 159 +++++++++++++++++++++++++++++++++++
 3 files changed, 326 insertions(+)
Comment 4 NATTkA bot gentoo-dev 2020-06-15 11:40:28 UTC
Unable to check for sanity:

> package masked: sys-apps/fwupd-1.3.10, in all profiles for arch: x86
Comment 5 NATTkA bot gentoo-dev 2020-06-15 13:36:26 UTC
Unable to check for sanity:

> package masked: sys-apps/fwupd-1.3.10, in all profiles for arch: x86
Comment 6 NATTkA bot gentoo-dev 2020-06-16 13:16:28 UTC
Unable to check for sanity:

> package masked: sys-apps/fwupd-1.3.10, in all profiles for arch: x86
Comment 7 NATTkA bot gentoo-dev 2020-06-16 14:40:34 UTC
Sanity check failed:

> sys-apps/fwupd-1.3.10
>   bdepend amd64 stable profile default/linux/amd64/17.0 (39 total)
>     dev-util/umockdev
>   bdepend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (2 total)
>     dev-util/umockdev
>   depend amd64 stable profile default/linux/amd64/17.0 (39 total)
>     >=dev-libs/libxmlb-0.1.13
>     app-crypt/tpm2-tss
>   depend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (2 total)
>     >=dev-libs/libxmlb-0.1.13
>     app-crypt/tpm2-tss
>   rdepend amd64 stable profile default/linux/amd64/17.0 (39 total)
>     >=dev-libs/libxmlb-0.1.13
>     app-crypt/tpm2-tss
>   rdepend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (2 total)
>     >=dev-libs/libxmlb-0.1.13
>     app-crypt/tpm2-tss
Comment 8 NATTkA bot gentoo-dev 2020-06-16 14:48:34 UTC
Sanity check failed:

> sys-apps/fwupd-1.4.2
>   depend ~x86 stable profile default/linux/x86/17.0 (11 total)
>     >=dev-libs/libjcat-0.1.0[gpg,pkcs7]
>   rdepend ~x86 stable profile default/linux/x86/17.0 (11 total)
>     >=dev-libs/libjcat-0.1.0[gpg,pkcs7]
> sys-apps/fwupd-1.4.4
>   depend ~x86 stable profile default/linux/x86/17.0 (11 total)
>     >=dev-libs/libjcat-0.1.0[gpg,pkcs7]
>   rdepend ~x86 stable profile default/linux/x86/17.0 (11 total)
>     >=dev-libs/libjcat-0.1.0[gpg,pkcs7]
Comment 9 Larry the Git Cow gentoo-dev 2020-06-16 15:25:13 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=03f1e7f636c3233efdff4102dec7595d08de5c45

commit 03f1e7f636c3233efdff4102dec7595d08de5c45
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2020-06-16 15:25:00 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2020-06-16 15:25:08 +0000

    dev-libs/libjcat: Added ~x86 keyword
    
    Bug: https://bugs.gentoo.org/727656
    Package-Manager: Portage-2.3.101, Repoman-2.3.22
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 dev-libs/libjcat/libjcat-0.1.2.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 10 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-16 22:32:38 UTC
@maintainer(s), we need to bump libjcat to 0.1.3 too, unfortunately.

Description:
"Version 0.1.3
~~~~~~~~~~~~~
Released: 2020-06-16

New Features:
 - Export the JcatBlobKind and JcatBlobMethod on the result (Richard Hughes)

Bugfixes:
 - Validate that gpgme_op_verify_result() returned at least one signature (Richard Hughes)"
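The libjcat 0.1.3 changelog entry above names the defect behind the PGP problem: a verification result carrying zero signatures was not rejected. The C sketch below is added here for illustration and is not code from libjcat, fwupd or gpgme; `struct sig`, the helper names and the fingerprints are constructed stand-ins for the signature list a `gpgme_op_verify_result()` caller walks, not gpgme's real types.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for one entry of a verify result's signature list.
 * This is NOT gpgme's structure; it only carries what the check needs. */
struct sig {
    const char *fpr;        /* fingerprint of the key that made the signature */
    bool valid;             /* signature verified and the key is usable */
    const struct sig *next; /* next signature, or NULL at end of list */
};

/* Pre-fix shape of the check: fail only when a signature is bad.
 * With an empty list the loop body never runs, so the function returns
 * true and an unsigned blob is reported as verified. */
static bool verify_vacuous(const struct sig *sigs, const char *trusted_fpr)
{
    for (const struct sig *s = sigs; s != NULL; s = s->next) {
        if (!s->valid || strcmp(s->fpr, trusted_fpr) != 0)
            return false;
    }
    return true;
}

/* Fixed shape: require at least one signature, reject any bad one, and
 * require that a valid signature comes from the expected key. */
static bool verify_strict(const struct sig *sigs, const char *trusted_fpr)
{
    if (sigs == NULL)
        return false;   /* zero signatures is a failure, not a pass */
    bool found_trusted = false;
    for (const struct sig *s = sigs; s != NULL; s = s->next) {
        if (!s->valid)
            return false;
        if (strcmp(s->fpr, trusted_fpr) == 0)
            found_trusted = true;
    }
    return found_trusted;
}

/* Constructed sample inputs (fingerprints are made up). */
#define TRUSTED_FPR "AAAA1111BBBB2222CCCC3333"
static const struct sig good_sig  = { TRUSTED_FPR, true, NULL };
static const struct sig other_key = { "DEADBEEF0000000011112222", true, NULL };

static bool empty_passes_vacuous(void) { return verify_vacuous(NULL, TRUSTED_FPR); }
static bool empty_passes_strict(void)  { return verify_strict(NULL, TRUSTED_FPR); }
static bool good_passes_strict(void)   { return verify_strict(&good_sig, TRUSTED_FPR); }
static bool other_passes_strict(void)  { return verify_strict(&other_key, TRUSTED_FPR); }
```

The only input that separates the two functions is the empty list, which is exactly the case the 0.1.3 fix adds a check for.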
Comment 11 Larry the Git Cow gentoo-dev 2020-06-17 08:38:49 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f8f8cb09c14885ab7c89a5a4accba43e8dbe350d

commit f8f8cb09c14885ab7c89a5a4accba43e8dbe350d
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2020-06-17 08:35:31 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2020-06-17 08:38:43 +0000

    dev-libs/libjcat: Bump to version 0.1.3
    
    Bug: https://bugs.gentoo.org/727656
    Package-Manager: Portage-2.3.101, Repoman-2.3.22
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 dev-libs/libjcat/Manifest             |  1 +
 dev-libs/libjcat/libjcat-0.1.3.ebuild | 65 +++++++++++++++++++++++++++++++++++
 2 files changed, 66 insertions(+)
Comment 12 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-17 13:27:20 UTC
Thanks! Let's try again :)
Comment 13 NATTkA bot gentoo-dev 2020-06-17 17:04:30 UTC
Unable to check for sanity:

> no match for package: app-crypt/tpm2-tss-2.4.0
Comment 14 Thomas Deutschmann (RETIRED) gentoo-dev 2020-06-20 13:49:37 UTC
x86 stable
Comment 15 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-25 00:41:27 UTC
amd64 ping
Comment 16 Agostino Sarubbo gentoo-dev 2020-06-25 07:02:02 UTC
amd64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 17 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-29 00:14:48 UTC
ping
Comment 18 Larry the Git Cow gentoo-dev 2020-06-29 14:10:10 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=198ef57fff74d669e4290954d229d6adf193c282

commit 198ef57fff74d669e4290954d229d6adf193c282
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2020-06-29 14:09:55 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2020-06-29 14:10:05 +0000

    dev-libs/libjcat: Security cleanup
    
    Bug: https://bugs.gentoo.org/727656
    Package-Manager: Portage-2.3.103, Repoman-2.3.23
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 dev-libs/libjcat/Manifest             |  1 -
 dev-libs/libjcat/libjcat-0.1.2.ebuild | 65 -----------------------------------
 2 files changed, 66 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1ce9ba4c9e139be0110a6801d941bd9ea5344ef2

commit 1ce9ba4c9e139be0110a6801d941bd9ea5344ef2
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2020-06-29 14:08:21 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2020-06-29 14:10:05 +0000

    sys-apps/fwupd: Security cleanup
    
    Bug: https://bugs.gentoo.org/727656
    Package-Manager: Portage-2.3.103, Repoman-2.3.23
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 sys-apps/fwupd/Manifest            |   1 -
 sys-apps/fwupd/fwupd-1.2.11.ebuild | 144 -------------------------------------
 sys-apps/fwupd/metadata.xml        |   1 -
 3 files changed, 146 deletions(-)
Comment 19 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2020-06-29 14:49:48 UTC
commit 8c596c03338428080fb50327379d6819cc77fe62
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Mon Jun 29 16:48:25 2020

    Revert "sys-apps/fwupd: Security cleanup"

    This reverts commit 1ce9ba4c9e139be0110a6801d941bd9ea5344ef2
    which breaks revdeps on arm

    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>
Comment 20 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-04 20:36:50 UTC
Now ready to cleanup.
Comment 21 Larry the Git Cow gentoo-dev 2020-07-18 00:01:01 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a88e205cdd8fee42b1bd6ec59102c822772295e0

commit a88e205cdd8fee42b1bd6ec59102c822772295e0
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-07-17 21:09:43 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-07-17 23:59:50 +0000

    sys-apps/fwupd: security cleanup
    
    Bug: https://bugs.gentoo.org/727656
    Package-Manager: Portage-2.3.103, Repoman-2.3.23
    Signed-off-by: Sam James <sam@gentoo.org>

 sys-apps/fwupd/Manifest            |   1 -
 sys-apps/fwupd/fwupd-1.2.11.ebuild | 144 -------------------------------------
 sys-apps/fwupd/metadata.xml        |   1 -
 3 files changed, 146 deletions(-)
Comment 22 Andreas Sturmlechner gentoo-dev 2020-07-26 23:22:03 UTC
How about cleanup old <dev-util/umockdev-0.12.1?
Comment 23 GLSAMaker/CVETool Bot gentoo-dev 2020-07-26 23:29:23 UTC
This issue was resolved and addressed in
 GLSA 202007-04 at https://security.gentoo.org/glsa/202007-04
by GLSA coordinator Sam James (sam_c).
Comment 24 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-27 01:11:54 UTC
(In reply to Andreas Sturmlechner from comment #22)
> How about cleanup old <dev-util/umockdev-0.12.1?

Reopening for cleanup. Apologies for forgetting CC.

NOTE: Not vulnerable, just a new dep.
Comment 25 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-15 02:34:06 UTC
(In reply to Andreas Sturmlechner from comment #22)
> How about cleanup old <dev-util/umockdev-0.12.1?

ping gnome
Comment 26 Mart Raudsepp gentoo-dev 2020-08-15 06:17:37 UTC
If older umockdev isn't vulnerable, then I see no reason to deal with that on here.
Comment 27 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-15 06:20:45 UTC
(In reply to Mart Raudsepp from comment #26)
> If older umockdev isn't vulnerable, then I see no reason to deal with that
> on here.

It's not. Closing.