Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 727656 (CVE-2020-10759) - <sys-apps/fwupd-1.3.10, <dev-libs/libjcat-0.1.3: Multiple vulnerabilities (CVE-2020-10759)
Summary: <sys-apps/fwupd-1.3.10, <dev-libs/libjcat-0.1.3: Multiple vulnerabilities (CV...
Status: RESOLVED FIXED
Alias: CVE-2020-10759
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal critical
Assignee: Gentoo Security
URL: https://github.com/justinsteven/advis...
Whiteboard: A1 [glsa+ cve]
Keywords:
Depends on: 695758 730396
Blocks:
  Show dependency tree
 
Reported: 2020-06-09 13:29 UTC by Sam James
Modified: 2020-08-15 06:20 UTC (History)
2 users (show)

See Also:
Package list:
sys-apps/fwupd-1.3.10 amd64 x86 dev-util/umockdev-0.12.1 amd64 x86 app-crypt/tpm2-tss-2.4.1 amd64 x86 dev-libs/libxmlb-0.1.15 amd64 x86 dev-libs/libjcat-0.1.3 amd64 x86
Runtime testing required: ---
nattka: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-09 13:29:58 UTC 
fwupd does not properly validate PGP signatures. See URL for the full writeup.

Patch: https://github.com/fwupd/fwupd/commit/21f2d12
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-09 13:31:21 UTC 
Please bump to 1.3.10/1.4.3.
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-09 13:34:14 UTC 
It seems 1.4.x is only vulnerable to the rollback issue. 1.3.x is vulenrable to the rollback issue and the core PGP problem.
Comment 3 Larry the Git Cow gentoo-dev 2020-06-15 11:38:13 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4022f1d5b31959e5250665585eb9ba379502303a

commit 4022f1d5b31959e5250665585eb9ba379502303a
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2020-06-15 11:36:21 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2020-06-15 11:38:05 +0000

    sys-apps/fwupd: Security bump to versions 1.3.10 and 1.4.4
    
    Bug: https://bugs.gentoo.org/727656
    Closes: https://bugs.gentoo.org/705972
    Package-Manager: Portage-2.3.101, Repoman-2.3.22
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 sys-apps/fwupd/Manifest            |   2 +
 sys-apps/fwupd/fwupd-1.3.10.ebuild | 165 +++++++++++++++++++++++++++++++++++++
 sys-apps/fwupd/fwupd-1.4.4.ebuild  | 159 +++++++++++++++++++++++++++++++++++
 3 files changed, 326 insertions(+)
Comment 4 NATTkA bot gentoo-dev 2020-06-15 11:40:28 UTC 
Unable to check for sanity:

> package masked: sys-apps/fwupd-1.3.10, in all profiles for arch: x86
Comment 5 NATTkA bot gentoo-dev 2020-06-15 13:36:26 UTC 
Unable to check for sanity:

> package masked: sys-apps/fwupd-1.3.10, in all profiles for arch: x86
Comment 6 NATTkA bot gentoo-dev 2020-06-16 13:16:28 UTC 
Unable to check for sanity:

> package masked: sys-apps/fwupd-1.3.10, in all profiles for arch: x86
Comment 7 NATTkA bot gentoo-dev 2020-06-16 14:40:34 UTC 
Sanity check failed:

> sys-apps/fwupd-1.3.10
>   bdepend amd64 stable profile default/linux/amd64/17.0 (39 total)
>     dev-util/umockdev
>   bdepend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (2 total)
>     dev-util/umockdev
>   depend amd64 stable profile default/linux/amd64/17.0 (39 total)
>     >=dev-libs/libxmlb-0.1.13
>     app-crypt/tpm2-tss
>   depend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (2 total)
>     >=dev-libs/libxmlb-0.1.13
>     app-crypt/tpm2-tss
>   rdepend amd64 stable profile default/linux/amd64/17.0 (39 total)
>     >=dev-libs/libxmlb-0.1.13
>     app-crypt/tpm2-tss
>   rdepend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (2 total)
>     >=dev-libs/libxmlb-0.1.13
>     app-crypt/tpm2-tss
Comment 8 NATTkA bot gentoo-dev 2020-06-16 14:48:34 UTC 
Sanity check failed:

> sys-apps/fwupd-1.4.2
>   depend ~x86 stable profile default/linux/x86/17.0 (11 total)
>     >=dev-libs/libjcat-0.1.0[gpg,pkcs7]
>   rdepend ~x86 stable profile default/linux/x86/17.0 (11 total)
>     >=dev-libs/libjcat-0.1.0[gpg,pkcs7]
> sys-apps/fwupd-1.4.4
>   depend ~x86 stable profile default/linux/x86/17.0 (11 total)
>     >=dev-libs/libjcat-0.1.0[gpg,pkcs7]
>   rdepend ~x86 stable profile default/linux/x86/17.0 (11 total)
>     >=dev-libs/libjcat-0.1.0[gpg,pkcs7]
Comment 9 Larry the Git Cow gentoo-dev 2020-06-16 15:25:13 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=03f1e7f636c3233efdff4102dec7595d08de5c45

commit 03f1e7f636c3233efdff4102dec7595d08de5c45
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2020-06-16 15:25:00 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2020-06-16 15:25:08 +0000

    dev-libs/libjcat: Added ~x86 keyword
    
    Bug: https://bugs.gentoo.org/727656
    Package-Manager: Portage-2.3.101, Repoman-2.3.22
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 dev-libs/libjcat/libjcat-0.1.2.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 10 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-16 22:32:38 UTC 
@maintainer(s), we need to bump libjcat to 0.1.3 too, unfortunately.

Description:
"Version 0.1.3
~~~~~~~~~~~~~
Released: 2020-06-16

New Features:
 - Export the JcatBlobKind and JcatBlobMethod on the result (Richard Hughes)

Bugfixes:
 - Validate that gpgme_op_verify_result() returned at least one signature (Richard Hughes)"
Comment 11 Larry the Git Cow gentoo-dev 2020-06-17 08:38:49 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f8f8cb09c14885ab7c89a5a4accba43e8dbe350d

commit f8f8cb09c14885ab7c89a5a4accba43e8dbe350d
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2020-06-17 08:35:31 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2020-06-17 08:38:43 +0000

    dev-libs/libjcat: Bump to version 0.1.3
    
    Bug: https://bugs.gentoo.org/727656
    Package-Manager: Portage-2.3.101, Repoman-2.3.22
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 dev-libs/libjcat/Manifest             |  1 +
 dev-libs/libjcat/libjcat-0.1.3.ebuild | 65 +++++++++++++++++++++++++++++++++++
 2 files changed, 66 insertions(+)
Comment 12 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-17 13:27:20 UTC 
Thanks! Let's try again :)
Comment 13 NATTkA bot gentoo-dev 2020-06-17 17:04:30 UTC 
Unable to check for sanity:

> no match for package: app-crypt/tpm2-tss-2.4.0
Comment 14 Thomas Deutschmann (RETIRED) gentoo-dev 2020-06-20 13:49:37 UTC 
x86 stable
Comment 15 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-25 00:41:27 UTC 
amd64 ping
Comment 16 Agostino Sarubbo gentoo-dev 2020-06-25 07:02:02 UTC 
amd64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 17 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-29 00:14:48 UTC 
ping
Comment 18 Larry the Git Cow gentoo-dev 2020-06-29 14:10:10 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=198ef57fff74d669e4290954d229d6adf193c282

commit 198ef57fff74d669e4290954d229d6adf193c282
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2020-06-29 14:09:55 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2020-06-29 14:10:05 +0000

    dev-libs/libjcat: Security cleanup
    
    Bug: https://bugs.gentoo.org/727656
    Package-Manager: Portage-2.3.103, Repoman-2.3.23
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 dev-libs/libjcat/Manifest             |  1 -
 dev-libs/libjcat/libjcat-0.1.2.ebuild | 65 -----------------------------------
 2 files changed, 66 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1ce9ba4c9e139be0110a6801d941bd9ea5344ef2

commit 1ce9ba4c9e139be0110a6801d941bd9ea5344ef2
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2020-06-29 14:08:21 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2020-06-29 14:10:05 +0000

    sys-apps/fwupd: Security cleanup
    
    Bug: https://bugs.gentoo.org/727656
    Package-Manager: Portage-2.3.103, Repoman-2.3.23
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 sys-apps/fwupd/Manifest            |   1 -
 sys-apps/fwupd/fwupd-1.2.11.ebuild | 144 -------------------------------------
 sys-apps/fwupd/metadata.xml        |   1 -
 3 files changed, 146 deletions(-)
Comment 19 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2020-06-29 14:49:48 UTC 
commit 8c596c03338428080fb50327379d6819cc77fe62
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Mon Jun 29 16:48:25 2020

    Revert "sys-apps/fwupd: Security cleanup"

    This reverts commit 1ce9ba4c9e139be0110a6801d941bd9ea5344ef2
    which breaks revdeps on arm

    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>
Comment 20 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-04 20:36:50 UTC 
Now ready to cleanup.
Comment 21 Larry the Git Cow gentoo-dev 2020-07-18 00:01:01 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a88e205cdd8fee42b1bd6ec59102c822772295e0

commit a88e205cdd8fee42b1bd6ec59102c822772295e0
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-07-17 21:09:43 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-07-17 23:59:50 +0000

    sys-apps/fwupd: security cleanup
    
    Bug: https://bugs.gentoo.org/727656
    Package-Manager: Portage-2.3.103, Repoman-2.3.23
    Signed-off-by: Sam James <sam@gentoo.org>

 sys-apps/fwupd/Manifest            |   1 -
 sys-apps/fwupd/fwupd-1.2.11.ebuild | 144 -------------------------------------
 sys-apps/fwupd/metadata.xml        |   1 -
 3 files changed, 146 deletions(-)
Comment 22 Andreas Sturmlechner gentoo-dev 2020-07-26 23:22:03 UTC 
How about cleanup old <dev-util/umockdev-0.12.1?
Comment 23 GLSAMaker/CVETool Bot gentoo-dev 2020-07-26 23:29:23 UTC 
This issue was resolved and addressed in
 GLSA 202007-04 at https://security.gentoo.org/glsa/202007-04
by GLSA coordinator Sam James (sam_c).
Comment 24 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-27 01:11:54 UTC 
(In reply to Andreas Sturmlechner from comment #22)
> How about cleanup old <dev-util/umockdev-0.12.1?

Reopening for cleanup. Apologies for forgetting CC.

NOTE: Not vulnerable, just a new dep.
Comment 25 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-15 02:34:06 UTC 
(In reply to Andreas Sturmlechner from comment #22)
> How about cleanup old <dev-util/umockdev-0.12.1?

ping gnome
Comment 26 Mart Raudsepp gentoo-dev 2020-08-15 06:17:37 UTC 
If older umockdev isn't vulnerable, then I see no reason to deal with that on here.
Comment 27 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-15 06:20:45 UTC 
(In reply to Mart Raudsepp from comment #26)
> If older umockdev isn't vulnerable, then I see no reason to deal with that
> on here.

It's not. Closing.