[Bug 1920724] Re: Upgrade focal/libjcat to version 0.1.3-2 and MIR it

Yuan-Chen Cheng 1920724 at bugs.launchpad.net
Tue Jul 20 13:45:34 UTC 2021


Per the change history of fwupd 1.3.x in focal, we do have a change history that includes CVE-2020-10759.
The logic in the CVE has been moved to jcat after fwupd 1.4.x. Given that, it seems reasonable either to SRU jcat 0.1.3 with the patch for the CVE, or to include the patch in jcat 0.1.0 in focal.

Ref: https://github.com/justinsteven/advisories/blob/master/2020_fwupd_dangling_s3_bucket_and_CVE-2020-10759_signature_verification_bypass.md
Ref: https://github.com/hughsie/libjcat/commit/839b89f

Changelog in focal/fwupd 1.3.x

fwupd (1.3.9-4ubuntu0.1) focal-security; urgency=medium

  * SECURITY UPDATE: Signature verification bypass
    - debian/patches/CVE-2020-10759.patch: validate that
      gpgme_op_verify_result() returned at least one signature in
      src/fu-keyring-gpg.c.
    - CVE-2020-10759

 -- Leonidas S. Barbosa <leo.barbosa at canonical.com>  Tue, 09 Jun 2020 10:53:33 -0300
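The changelog entry above describes the fix for CVE-2020-10759: verification must fail when gpgme_op_verify_result() returns no signatures at all. The following is an added illustration of that pattern, not code from the bug thread, fwupd or libjcat; the `struct verify_result` and `struct sig` types are constructed stand-ins for the shape of a gpgme verify result (a linked list of signatures, each with a summary bitmask), not the gpgme API.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed stand-ins for this example (not gpgme's types). */
#define SIG_VALID 0x1u   /* signature verified against a trusted key */
#define SIG_BAD   0x4u   /* signature did not verify */

struct sig {
    unsigned summary;   /* bitmask of SIG_* flags */
    struct sig *next;
};

struct verify_result {
    struct sig *signatures;  /* NULL when the payload carried no signature */
};

/* Vulnerable pattern: only an explicitly bad signature causes failure.
 * With an empty signature list the loop body never runs, so a payload
 * carrying no signature at all is reported as verified. */
bool verify_vulnerable(const struct verify_result *r)
{
    for (const struct sig *s = r->signatures; s != NULL; s = s->next) {
        if (!(s->summary & SIG_VALID))
            return false;
    }
    return true;   /* reached for zero signatures too */
}

/* Hardened pattern: require at least one signature before walking the
 * list, so "nothing to check" is treated as a verification failure. */
bool verify_fixed(const struct verify_result *r)
{
    if (r->signatures == NULL)
        return false;   /* no signature present: not verified */
    for (const struct sig *s = r->signatures; s != NULL; s = s->next) {
        if (!(s->summary & SIG_VALID))
            return false;
    }
    return true;
}

/* Sample verify results constructed for the example. */
static struct sig good_sig = { SIG_VALID, NULL };
static struct sig bad_sig  = { SIG_BAD, NULL };
struct verify_result result_good = { &good_sig };
struct verify_result result_bad  = { &bad_sig };
struct verify_result result_none = { NULL };   /* the CVE-2020-10759 case */
```

`verify_vulnerable(&result_none)` returns true, which is the bypass; `verify_fixed` rejects the same input while still accepting a valid signature and rejecting a bad one.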

https://bugs.launchpad.net/bugs/1920724

Title:
  Upgrade focal/libjcat to version 0.1.3-2 and MIR it

Status in OEM Priority Project:
  In Progress
Status in libjcat package in Ubuntu:
  Fix Released
Status in libjcat source package in Focal:
  New

Bug description:
  [Impact]
  Needed for fwupd 1.5.11

  [Test plan]
  It has a test suite and fwupd uses it, so testing fwupd tests it to some extent.

  [Where problems could occur]
  fwupd could break on regressions. Then again, this is a straight backport and it's fairly small.

  [Original report]

  Per lp:1920723, we need to upgrade focal/libjcat to version 0.1.3-2
  (as in groovy/hirsute/impish) from version 0.1.0-2.

  libjcat in focal is in universe, we need to MIR it.

  PPA for upgrading libjcat in focal: https://launchpad.net/~ycheng-twn/+archive/ubuntu/fwupd1511

  [Availability]
  Yes, it's in Ubuntu universe.

  [Rationale]
  Given lp:1920723, we need to MIR it in focal.

  [Quality assurance]
  [Security]
  [Standards compliance]
  [Maintenance]

  Given it's in main in hirsute / groovy already, it's fine.

  [Dependencies]

  Per check, the dependency in groovy is exactly the same as in focal.

  [Background information]

  See details in lp:1934209
