| Summary: | fwupd new security issue CVE-2020-10759 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, mageia, ouaurelien, sysadmin-bugs |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7-64-OK | ||
| Source RPM: | fwupd-1.2.8-1.mga7.src.rpm | CVE: | CVE-2020-10759 |
| Status comment: | |||
Description
David Walser
2020-06-24 00:03:57 CEST
Assignee: bugsquad => thierry.vignaud

Assigning this to ThierryV, the registered & most recent maintainer.

Fedora has issued an advisory for this on June 26:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/BNDDC3NKYZYRZX3NJVCQ32ANXOXP3KDE/

RedHat has issued an advisory for this on November 3:
https://access.redhat.com/errata/RHSA-2020:4436
David Walser
2020-12-28 18:36:16 CET

Status comment: (none) => Patch available from upstream and Fedora

Fix pushed into mga7

src:
- fwupd-1.2.8-1.1.mga7

CC: (none) => mageia

Advisory:
========================

Updated fwupd package fixes security vulnerability:

A PGP signature bypass was found in fwupd, which could lead to possible installation of unsigned firmware (CVE-2020-10759).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10759
https://github.com/justinsteven/advisories/blob/master/2020_fwupd_dangling_s3_bucket_and_CVE-2020-10759_signature_verification_bypass.md
https://lists.opensuse.org/opensuse-updates/2020-06/msg00092.html
========================

Updated packages in core/updates_testing:
========================
fwupd-1.2.8-1.1.mga7
libfwupd0-1.2.8-1.1.mga7
libfwupd-devel-1.2.8-1.1.mga7
fwupd-tests-1.2.8-1.1.mga7

from fwupd-1.2.8-1.1.mga7.src.rpm

A quick look at urpmq --whatrequires fwupd showed two apps: KDE Discovery, and Gnome Software. So I installed Discovery in a vbox M7 guest, which brought in fwupd and some other dependencies. I tried running Discovery before going after the updates, and "discovered" that it has other issues that are probably unrelated to this bug. So no help there when it came to testing.

Then came the "Duh" moment, and I installed fwupd-tests. Then got the updates, with no installation issues.

Running the fwupdmgr test, I get this:

```
# cd /usr/share/installed-tests/fwupd/
# sh fwupdmgr.sh
Getting the list of remotes...

Remote ID: lvfs-testing
  Title: Linux Vendor Firmware Service (testing)
  Type: download
  Keyring: gpg
  Enabled: false
  Priority: 1
  Filename: /var/lib/fwupd/remotes.d/lvfs-testing/metadata.xml.gz
  Filename Signature: /var/lib/fwupd/remotes.d/lvfs-testing/metadata.xml.gz.asc
  Metadata URI: https://cdn.fwupd.org/downloads/firmware-testing.xml.gz
  Metadata URI Signature: https://cdn.fwupd.org/downloads/firmware-testing.xml.gz.asc
  Report URI: https://fwupd.org/lvfs/firmware/report

Remote ID: dell-esrt
  Title: Enable UEFI capsule updates on Dell systems
  Type: local
  Keyring: none
  Enabled: true
  Filename: /usr/share/fwupd/remotes.d/dell-esrt/metadata.xml

Remote ID: fwupd-tests
  Title: fwupd test suite
  Type: local
  Keyring: none
  Enabled: true
  Filename: /usr/share/installed-tests/fwupd/fwupd-tests.xml

Remote ID: lvfs
  Title: Linux Vendor Firmware Service
  Type: download
  Keyring: gpg
  Enabled: true
  Checksum: 79c42128d814d250de05a0462ae85a58b6d9d66cb9a6bea38c008f08ae052471
  Age: 2.27h
  Filename: /var/lib/fwupd/remotes.d/lvfs/metadata.xml.gz
  Filename Signature: /var/lib/fwupd/remotes.d/lvfs/metadata.xml.gz.asc
  Metadata URI: https://cdn.fwupd.org/downloads/firmware.xml.gz
  Metadata URI Signature: https://cdn.fwupd.org/downloads/firmware.xml.gz.asc
  Report URI: https://fwupd.org/lvfs/firmware/report

Remote ID: vendor
  Title: Vendor
  Type: local
  Keyring: none
  Enabled: false
  Filename: /usr/share/fwupd/remotes.d/vendor/vendor.xml.gz

Remote ID: vendor-directory
  Title: Vendor (Automatic)
  Type: directory
  Keyring: none
  Enabled: false
  Filename: /usr/share/fwupd/remotes.d/vendor/firmware

Enabling fwupd-tests remote...
Update the device hash database...
Authenticating… [***************************************]
91aa017c-1109-5d75-9d1a-ab2f38481f92
FAILED: failed to verify using udev: Error reading from file: Input/output error
Getting devices (should be one)...
Testing the verification of firmware...
91aa017c-1109-5d75-9d1a-ab2f38481f92
FAILED: failed to verify using udev: Error reading from file: Input/output error
Getting updates (should be one)...
Installing test firmware...
Decompressing… [***************************************]
No supported devices found
```

I haven't found any documentation on the test itself, and it doesn't look like it tests for the CVE, but these results, as far as they go, look OK to me.

OK for mga7-64. Validating. Advisory in Comment 5.

Keywords: (none) => validated_update
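The tester above notes that the installed test suite does not exercise the CVE. As an added example (not code from this bug report, from fwupd or from Mageia) of an independent check a defender can run on the files named in the remote listing, the script below hands a remote's metadata file and its detached .asc to gpgv and accepts only when the machine-readable status shows GOODSIG and VALIDSIG from an allow-listed fingerprint with no failure keyword, rather than merely "a signature was present". The keyring path /etc/pki/fwupd-metadata/LVFS-AUTH.gpg and the fingerprint placeholder are assumptions to adjust for your installation.

```python
"""Added example: independently verify a fwupd remote's detached PGP metadata signature.

gpgv is run with --status-fd and the file is accepted only when the machine-readable
status shows GOODSIG *and* VALIDSIG from an allow-listed fingerprint and no failure
keyword appears; "some signature was present" is not a sufficient check.
"""
import subprocess
from typing import Iterable, Optional, Set, Tuple

# Any of these gpgv status keywords means the signature must be rejected.
FAILURE_KEYWORDS = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG", "EXPSIG"}


def evaluate_status(lines: Iterable[str], allowed_fprs: Set[str]) -> Tuple[bool, str]:
    """Decide from '[GNUPG:] ...' status lines whether the signature is acceptable."""
    good = False
    valid_fpr: Optional[str] = None
    for line in lines:
        if not line.startswith("[GNUPG:] "):
            continue  # human-readable output, not a status line
        fields = line.split()
        keyword = fields[1] if len(fields) > 1 else ""
        if keyword in FAILURE_KEYWORDS:
            return False, "gpgv reported " + keyword
        if keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG" and len(fields) > 2:
            valid_fpr = fields[2].upper()  # full fingerprint of the signing key
    if not good or valid_fpr is None:
        return False, "no GOODSIG/VALIDSIG pair in status output"
    if valid_fpr not in {f.upper() for f in allowed_fprs}:
        return False, "signing key " + valid_fpr + " is not allow-listed"
    return True, "valid signature from " + valid_fpr


def verify_detached(data_path: str, sig_path: str, keyring: str,
                    allowed_fprs: Set[str]) -> Tuple[bool, str]:
    """Run gpgv over <data_path> with detached <sig_path> and apply evaluate_status()."""
    proc = subprocess.run(
        ["gpgv", "--status-fd", "1", "--keyring", keyring, sig_path, data_path],
        capture_output=True, text=True, check=False)
    return evaluate_status(proc.stdout.splitlines(), allowed_fprs)


if __name__ == "__main__":
    # Paths from the remote listing in this bug; keyring and fingerprint are assumptions.
    print(verify_detached("/var/lib/fwupd/remotes.d/lvfs/metadata.xml.gz",
                          "/var/lib/fwupd/remotes.d/lvfs/metadata.xml.gz.asc",
                          "/etc/pki/fwupd-metadata/LVFS-AUTH.gpg",
                          {"<LVFS signing key fingerprint placeholder>"}))
```

gpgv treats every key in the supplied keyring as trusted, so the fingerprint allow-list is what pins the check to the expected signing key.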
Aurelien Oudelet
2021-03-30 20:16:34 CEST

CVE: (none) => CVE-2020-10759
Status: NEW => RESOLVED

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0158.html