fwupd does not properly validate PGP signatures. See URL for the full writeup. Patch: https://github.com/fwupd/fwupd/commit/21f2d12
Please bump to 1.3.10/1.4.3.
It seems 1.4.x is only vulnerable to the rollback issue. 1.3.x is vulnerable to the rollback issue and the core PGP problem.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4022f1d5b31959e5250665585eb9ba379502303a

commit 4022f1d5b31959e5250665585eb9ba379502303a
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2020-06-15 11:36:21 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2020-06-15 11:38:05 +0000

    sys-apps/fwupd: Security bump to versions 1.3.10 and 1.4.4

    Bug: https://bugs.gentoo.org/727656
    Closes: https://bugs.gentoo.org/705972
    Package-Manager: Portage-2.3.101, Repoman-2.3.22
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 sys-apps/fwupd/Manifest            |   2 +
 sys-apps/fwupd/fwupd-1.3.10.ebuild | 165 +++++++++++++++++++++++++++++++++++++
 sys-apps/fwupd/fwupd-1.4.4.ebuild  | 159 +++++++++++++++++++++++++++++++++++
 3 files changed, 326 insertions(+)
Unable to check for sanity: > package masked: sys-apps/fwupd-1.3.10, in all profiles for arch: x86
Sanity check failed:

> sys-apps/fwupd-1.3.10
>   bdepend amd64 stable profile default/linux/amd64/17.0 (39 total)
>     dev-util/umockdev
>   bdepend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (2 total)
>     dev-util/umockdev
>   depend amd64 stable profile default/linux/amd64/17.0 (39 total)
>     >=dev-libs/libxmlb-0.1.13
>     app-crypt/tpm2-tss
>   depend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (2 total)
>     >=dev-libs/libxmlb-0.1.13
>     app-crypt/tpm2-tss
>   rdepend amd64 stable profile default/linux/amd64/17.0 (39 total)
>     >=dev-libs/libxmlb-0.1.13
>     app-crypt/tpm2-tss
>   rdepend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (2 total)
>     >=dev-libs/libxmlb-0.1.13
>     app-crypt/tpm2-tss

Sanity check failed:

> sys-apps/fwupd-1.4.2
>   depend ~x86 stable profile default/linux/x86/17.0 (11 total)
>     >=dev-libs/libjcat-0.1.0[gpg,pkcs7]
>   rdepend ~x86 stable profile default/linux/x86/17.0 (11 total)
>     >=dev-libs/libjcat-0.1.0[gpg,pkcs7]
> sys-apps/fwupd-1.4.4
>   depend ~x86 stable profile default/linux/x86/17.0 (11 total)
>     >=dev-libs/libjcat-0.1.0[gpg,pkcs7]
>   rdepend ~x86 stable profile default/linux/x86/17.0 (11 total)
>     >=dev-libs/libjcat-0.1.0[gpg,pkcs7]
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=03f1e7f636c3233efdff4102dec7595d08de5c45

commit 03f1e7f636c3233efdff4102dec7595d08de5c45
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2020-06-16 15:25:00 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2020-06-16 15:25:08 +0000

    dev-libs/libjcat: Added ~x86 keyword

    Bug: https://bugs.gentoo.org/727656
    Package-Manager: Portage-2.3.101, Repoman-2.3.22
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 dev-libs/libjcat/libjcat-0.1.2.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
@maintainer(s), we need to bump libjcat to 0.1.3 too, unfortunately.

Description:

"Version 0.1.3
~~~~~~~~~~~~~
Released: 2020-06-16

New Features:
 - Export the JcatBlobKind and JcatBlobMethod on the result (Richard Hughes)

Bugfixes:
 - Validate that gpgme_op_verify_result() returned at least one signature (Richard Hughes)"
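The libjcat 0.1.3 bugfix quoted in the comment above ("validate that gpgme_op_verify_result() returned at least one signature") is worth seeing as code. The block below is an added example, not libjcat's or fwupd's own C code: the `Signature` and `VerifyResult` classes are constructed stand-ins for gpgme's verify-result structures, the fingerprints are made up, and the two functions model only the before/after shape of the check. The point it demonstrates is that a loop which rejects bad signatures is vacuously satisfied by an empty signature list, which is what gpgme legitimately returns when the detached blob is not an OpenPGP signature at all.

```python
"""Added example (not fwupd or libjcat code): the zero-signature pitfall behind
the libjcat 0.1.3 fix.  gpgme_op_verify_result() hands back a result carrying
zero or more signatures; an "accept unless some signature is bad" loop treats
zero signatures as success.  Types and fingerprints here are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Signature:
    """Stand-in for one gpgme_signature_t entry (constructed, not the real struct)."""
    fpr: str      # fingerprint of the key that produced the signature
    good: bool    # True when the engine reported the signature as valid


@dataclass
class VerifyResult:
    """Stand-in for gpgme_verify_result_t: a possibly empty signature list."""
    signatures: List[Signature] = field(default_factory=list)


def verify_vulnerable(result: VerifyResult, trusted: Set[str]) -> bool:
    """Reject only when some signature is bad or from an unknown key.

    The loop body never executes for an empty list, so unsigned input or a
    blob that is not an OpenPGP signature is accepted vacuously.
    """
    for sig in result.signatures:
        if not sig.good or sig.fpr not in trusted:
            return False
    return True


def verify_fixed(result: VerifyResult, trusted: Set[str]) -> bool:
    """Same per-signature check, but first require at least one signature."""
    if not result.signatures:
        return False
    for sig in result.signatures:
        if not sig.good or sig.fpr not in trusted:
            return False
    return True


# Constructed sample data: one "vendor" fingerprint and four verify results.
VENDOR_FPR = "AAAA0000BBBB1111CCCC2222DDDD3333EEEE4444"
TRUSTED_FPRS = {VENDOR_FPR}
SAMPLES: Dict[str, VerifyResult] = {
    "empty": VerifyResult(),                                   # e.g. garbage .asc file
    "good": VerifyResult([Signature(VENDOR_FPR, True)]),
    "untrusted": VerifyResult([Signature("1234" * 10, True)]),  # valid, wrong key
    "bad": VerifyResult([Signature(VENDOR_FPR, False)]),        # tampered payload
}


def compare_all() -> Dict[str, Tuple[bool, bool]]:
    """Run both checks over the samples; returns {name: (vulnerable, fixed)}."""
    return {
        name: (verify_vulnerable(r, TRUSTED_FPRS), verify_fixed(r, TRUSTED_FPRS))
        for name, r in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, (vuln, fixed) in compare_all().items():
        print(f"{name:10s} vulnerable={str(vuln):5s} fixed={fixed}")
```

The only sample on which the two functions disagree is the empty one: every other outcome is identical, which is why the missing count check is easy to overlook in review and why it matters for a firmware updater, where "no signature" must never be indistinguishable from "signed by the vendor".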
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f8f8cb09c14885ab7c89a5a4accba43e8dbe350d

commit f8f8cb09c14885ab7c89a5a4accba43e8dbe350d
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2020-06-17 08:35:31 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2020-06-17 08:38:43 +0000

    dev-libs/libjcat: Bump to version 0.1.3

    Bug: https://bugs.gentoo.org/727656
    Package-Manager: Portage-2.3.101, Repoman-2.3.22
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 dev-libs/libjcat/Manifest             |  1 +
 dev-libs/libjcat/libjcat-0.1.3.ebuild | 65 +++++++++++++++++++++++++++++++++++
 2 files changed, 66 insertions(+)
Thanks! Let's try again :)
Unable to check for sanity: > no match for package: app-crypt/tpm2-tss-2.4.0
x86 stable
amd64 ping
amd64 stable. Maintainer(s), please clean up. Security, please add it to the existing request, or file a new one.
ping
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=198ef57fff74d669e4290954d229d6adf193c282

commit 198ef57fff74d669e4290954d229d6adf193c282
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2020-06-29 14:09:55 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2020-06-29 14:10:05 +0000

    dev-libs/libjcat: Security cleanup

    Bug: https://bugs.gentoo.org/727656
    Package-Manager: Portage-2.3.103, Repoman-2.3.23
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 dev-libs/libjcat/Manifest             |  1 -
 dev-libs/libjcat/libjcat-0.1.2.ebuild | 65 -----------------------------------
 2 files changed, 66 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1ce9ba4c9e139be0110a6801d941bd9ea5344ef2

commit 1ce9ba4c9e139be0110a6801d941bd9ea5344ef2
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2020-06-29 14:08:21 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2020-06-29 14:10:05 +0000

    sys-apps/fwupd: Security cleanup

    Bug: https://bugs.gentoo.org/727656
    Package-Manager: Portage-2.3.103, Repoman-2.3.23
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 sys-apps/fwupd/Manifest            |   1 -
 sys-apps/fwupd/fwupd-1.2.11.ebuild | 144 -------------------------------------
 sys-apps/fwupd/metadata.xml        |   1 -
 3 files changed, 146 deletions(-)
commit 8c596c03338428080fb50327379d6819cc77fe62
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Mon Jun 29 16:48:25 2020

    Revert "sys-apps/fwupd: Security cleanup"

    This reverts commit 1ce9ba4c9e139be0110a6801d941bd9ea5344ef2 which breaks
    revdeps on arm

    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>
Now ready to cleanup.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a88e205cdd8fee42b1bd6ec59102c822772295e0

commit a88e205cdd8fee42b1bd6ec59102c822772295e0
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-07-17 21:09:43 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-07-17 23:59:50 +0000

    sys-apps/fwupd: security cleanup

    Bug: https://bugs.gentoo.org/727656
    Package-Manager: Portage-2.3.103, Repoman-2.3.23
    Signed-off-by: Sam James <sam@gentoo.org>

 sys-apps/fwupd/Manifest            |   1 -
 sys-apps/fwupd/fwupd-1.2.11.ebuild | 144 -------------------------------------
 sys-apps/fwupd/metadata.xml        |   1 -
 3 files changed, 146 deletions(-)
How about cleanup old <dev-util/umockdev-0.12.1?
This issue was resolved and addressed in GLSA 202007-04 at https://security.gentoo.org/glsa/202007-04 by GLSA coordinator Sam James (sam_c).
(In reply to Andreas Sturmlechner from comment #22)
> How about cleanup old <dev-util/umockdev-0.12.1?

Reopening for cleanup. Apologies for forgetting CC.

NOTE: Not vulnerable, just a new dep.

(In reply to Andreas Sturmlechner from comment #22)
> How about cleanup old <dev-util/umockdev-0.12.1?

ping gnome
If older umockdev isn't vulnerable, then I see no reason to deal with that on here.
(In reply to Mart Raudsepp from comment #26)
> If older umockdev isn't vulnerable, then I see no reason to deal with that
> on here.

It's not. Closing.