openSUSE has issued an advisory today (June 23):
https://lists.opensuse.org/opensuse-updates/2020-06/msg00092.html

The upstream advisory references a commit that fixed the issue:
https://github.com/justinsteven/advisories/blob/master/2020_fwupd_dangling_s3_bucket_and_CVE-2020-10759_signature_verification_bypass.md
Assigning this to ThierryV, the registered & most recent maintainer.
Assignee: bugsquad => thierry.vignaud
Fedora has issued an advisory for this on June 26:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/BNDDC3NKYZYRZX3NJVCQ32ANXOXP3KDE/
RedHat has issued an advisory for this on November 3:
https://access.redhat.com/errata/RHSA-2020:4436
Status comment: (none) => Patch available from upstream and Fedora
fix pushed into mga7

src:
- fwupd-1.2.8-1.1.mga7

CC: (none) => mageia
Assignee: thierry.vignaud => qa-bugs
Status comment: Patch available from upstream and Fedora => (none)
Advisory:
========================

Updated fwupd package fixes security vulnerability:

A PGP signature bypass was found in fwupd, which could lead to possible installation of unsigned firmware (CVE-2020-10759).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10759
https://github.com/justinsteven/advisories/blob/master/2020_fwupd_dangling_s3_bucket_and_CVE-2020-10759_signature_verification_bypass.md
https://lists.opensuse.org/opensuse-updates/2020-06/msg00092.html
========================

Updated packages in core/updates_testing:
========================
fwupd-1.2.8-1.1.mga7
libfwupd0-1.2.8-1.1.mga7
libfwupd-devel-1.2.8-1.1.mga7
fwupd-tests-1.2.8-1.1.mga7

from fwupd-1.2.8-1.1.mga7.src.rpm
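The advisory above reports a PGP signature verification bypass in fwupd's gpg keyring path. As an added illustration that is not fwupd's code and does not describe the fixed defect itself, the following Python shows the decision a firmware updater should make from GnuPG's machine-readable --status-fd output: accept only a VALIDSIG whose fingerprint (or primary-key fingerprint) is on an allow-list, and treat every other outcome, including a clean exit with no signature at all, as a failure. The fingerprints and status lines are constructed sample data, and run_gpg_verify is a hypothetical wrapper that assumes gpg is on PATH; it is shown for context and not exercised here.

```python
from __future__ import annotations

import subprocess
from dataclasses import dataclass

# Constructed allow-list of signing-key fingerprints (not real LVFS keys).
TRUSTED_FINGERPRINTS = {"3F0A9B2C1D4E5F6A7B8C9D0E1F2A3B4C5D6E7F80"}

# Status keywords that mean verification did NOT succeed. Several of these
# can appear alongside a zero exit code or other informational lines.
REJECTING_KEYWORDS = {
    "BADSIG", "ERRSIG", "NO_PUBKEY", "EXPSIG",
    "EXPKEYSIG", "REVKEYSIG", "NODATA",
}


@dataclass(frozen=True)
class Verdict:
    accepted: bool
    reason: str


def parse_status_lines(output: str) -> list[tuple[str, list[str]]]:
    """Return (KEYWORD, args) for each '[GNUPG:] KEYWORD ...' line."""
    records: list[tuple[str, list[str]]] = []
    for line in output.splitlines():
        line = line.strip()
        if not line.startswith("[GNUPG:] "):
            continue
        parts = line.split()[1:]
        if parts:
            records.append((parts[0], parts[1:]))
    return records


def evaluate(status_output: str, trusted=TRUSTED_FINGERPRINTS) -> Verdict:
    """Accept only a VALIDSIG from an allow-listed key; reject everything else."""
    records = parse_status_lines(status_output)
    if not records:
        return Verdict(False, "no gpg status output (nothing was verified)")
    for keyword, _ in records:
        if keyword in REJECTING_KEYWORDS:
            return Verdict(False, f"gpg reported {keyword}")
    valid_sigs = [args for kw, args in records if kw == "VALIDSIG"]
    if not valid_sigs:
        return Verdict(False, "no VALIDSIG line; signature absent or unverifiable")
    # VALIDSIG args: <fpr> <date> <ts> <expire-ts> <sig-version> <reserved>
    #   <pubkey-algo> <hash-algo> <sig-class> <primary-key-fpr>
    for args in valid_sigs:
        fpr = args[0] if args else ""
        primary = args[9] if len(args) > 9 else fpr
        if fpr in trusted or primary in trusted:
            return Verdict(True, f"valid signature from trusted key {fpr}")
    return Verdict(False, "valid signature, but signing key is not trusted")


def run_gpg_verify(sig_path: str, data_path: str,
                   trusted=TRUSTED_FINGERPRINTS) -> Verdict:
    """Hypothetical wrapper (assumes gpg on PATH). The process exit code is
    deliberately ignored: only the status lines decide the outcome."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True, check=False,
    )
    return evaluate(proc.stdout, trusted)


# Constructed sample status outputs covering the outcomes a verifier meets.
STATUS_GOOD = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 1F2A3B4C5D6E7F80 Example Signer <signer@example.org>
[GNUPG:] VALIDSIG 3F0A9B2C1D4E5F6A7B8C9D0E1F2A3B4C5D6E7F80 2020-06-23 1592870400 0 4 0 1 10 00 3F0A9B2C1D4E5F6A7B8C9D0E1F2A3B4C5D6E7F80
[GNUPG:] TRUST_ULTIMATE 0 pgp
"""
STATUS_BAD = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 1F2A3B4C5D6E7F80 Example Signer <signer@example.org>
"""
STATUS_UNKNOWN_KEY = """\
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 1F2A3B4C5D6E7F80 1 10 00 1592870400 9 -
[GNUPG:] NO_PUBKEY 1F2A3B4C5D6E7F80
"""
STATUS_UNTRUSTED = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0000000000000001 Someone Else <other@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF00000001 2020-06-23 1592870400 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF00000001
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
STATUS_EMPTY = ""

if __name__ == "__main__":
    samples = [("good", STATUS_GOOD), ("bad", STATUS_BAD),
               ("unknown-key", STATUS_UNKNOWN_KEY),
               ("untrusted", STATUS_UNTRUSTED), ("empty", STATUS_EMPTY)]
    for name, out in samples:
        v = evaluate(out)
        print(f"{name:12} accepted={v.accepted} ({v.reason})")
```

The point of the allow-list is that "the signature is cryptographically good" and "the signer is the key we expect for this remote" are two separate checks; an updater that stops at the first, or at a zero exit status, will install metadata or firmware it should have refused.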
A quick look at urpmq --whatrequires fwupd showed two apps: KDE Discovery, and Gnome Software. So I installed Discovery in a vbox M7 guest, which brought in fwupd and some other dependencies. I tried running Discovery before going after the updates, and "discovered" that it has other issues that are probably unrelated to this bug. So no help there when it came to testing.

Then came the "Duh" moment, and I installed fwupd-tests. Then got the updates, with no installation issues. Running the fwupdmgr test, I get this:

# cd /usr/share/installed-tests/fwupd/
# sh fwupdmgr.sh
Getting the list of remotes...
Remote ID: lvfs-testing
  Title: Linux Vendor Firmware Service (testing)
  Type: download
  Keyring: gpg
  Enabled: false
  Priority: 1
  Filename: /var/lib/fwupd/remotes.d/lvfs-testing/metadata.xml.gz
  Filename Signature: /var/lib/fwupd/remotes.d/lvfs-testing/metadata.xml.gz.asc
  Metadata URI: https://cdn.fwupd.org/downloads/firmware-testing.xml.gz
  Metadata URI Signature: https://cdn.fwupd.org/downloads/firmware-testing.xml.gz.asc
  Report URI: https://fwupd.org/lvfs/firmware/report

Remote ID: dell-esrt
  Title: Enable UEFI capsule updates on Dell systems
  Type: local
  Keyring: none
  Enabled: true
  Filename: /usr/share/fwupd/remotes.d/dell-esrt/metadata.xml

Remote ID: fwupd-tests
  Title: fwupd test suite
  Type: local
  Keyring: none
  Enabled: true
  Filename: /usr/share/installed-tests/fwupd/fwupd-tests.xml

Remote ID: lvfs
  Title: Linux Vendor Firmware Service
  Type: download
  Keyring: gpg
  Enabled: true
  Checksum: 79c42128d814d250de05a0462ae85a58b6d9d66cb9a6bea38c008f08ae052471
  Age: 2.27h
  Filename: /var/lib/fwupd/remotes.d/lvfs/metadata.xml.gz
  Filename Signature: /var/lib/fwupd/remotes.d/lvfs/metadata.xml.gz.asc
  Metadata URI: https://cdn.fwupd.org/downloads/firmware.xml.gz
  Metadata URI Signature: https://cdn.fwupd.org/downloads/firmware.xml.gz.asc
  Report URI: https://fwupd.org/lvfs/firmware/report

Remote ID: vendor
  Title: Vendor
  Type: local
  Keyring: none
  Enabled: false
  Filename: /usr/share/fwupd/remotes.d/vendor/vendor.xml.gz

Remote ID: vendor-directory
  Title: Vendor (Automatic)
  Type: directory
  Keyring: none
  Enabled: false
  Filename: /usr/share/fwupd/remotes.d/vendor/firmware

Enabling fwupd-tests remote...
Update the device hash database...
Authenticating… [***************************************]
91aa017c-1109-5d75-9d1a-ab2f38481f92 FAILED: failed to verify using udev: Error reading from file: Input/output error
Getting devices (should be one)...
Testing the verification of firmware...
91aa017c-1109-5d75-9d1a-ab2f38481f92 FAILED: failed to verify using udev: Error reading from file: Input/output error
Getting updates (should be one)...
Installing test firmware...
Decompressing… [***************************************]
No supported devices found

I haven't found any documentation on the test itself, and it doesn't look like it tests for the CVE, but these results, as far as they go, look OK to me.

OK for mga7-64. Validating. Advisory in Comment 5.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: (none) => MGA7-64-OK
CVE: (none) => CVE-2020-10759
CC: (none) => ouaurelien
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2021-0158.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED