[Bug 2028548] [NEW] fwupd too old to get and install releases for UEFI dbx
r5555
2028548 at bugs.launchpad.net
Mon Jul 24 12:47:14 UTC 2023
Public bug reported:

This issue was found on Ubuntu 22.04 LTS jammy but affects all Ubuntu
releases where fwupd < 1.9.1.

When the package fwupd is installed, there is fwupd.service. According
to journalctl -u fwupd.service, it can't handle releases for the UEFI
dbx "device":

  FuEngine failed to get releases for UEFI dbx: No releases found: Not compatible with org.freedesktop.fwupd version 1.7.9, requires >= 1.9.1

UEFI dbx is the UEFI Secure Boot Forbidden Signature Database.

Downloading the CAB from
https://fwupd.org/lvfs/devices/org.linuxfoundation.dbx.x64.firmware and
trying to install it with the following command doesn't work either.

  $ fwupdmgr install Downloads/fc3feb015df2710fcfa07583d31b5975ee398357016699cfff067f422ab91e13-DBXUpdate-20230509-x64.cab
  Decompressing… [***************************************]
  Not compatible with org.freedesktop.fwupd version 1.7.9, requires >= 1.9.1

So the machine is potentially stuck on an outdated version of UEFI dbx
and vulnerable to CVE-2022-21894.

See also https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033936

** Affects: fwupd (Ubuntu)
     Importance: Undecided
         Status: New

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-21894
https://bugs.launchpad.net/bugs/2028548
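A triage check for the refusal reported above, as an added example that is not part of the bug report: it extracts the minimum fwupd version demanded by the "Not compatible" journal message and compares it with an installed version supplied by the caller. The function names and the sample journal lines (timestamps, host, PID, second line) are constructed for illustration.

```shell
# Added example, not from the bug report. Journal lines below are constructed
# around the message quoted in the report.
SAMPLE_JOURNAL='Jul 24 12:00:01 host fwupd[812]: FuEngine failed to get releases for UEFI dbx: No releases found: Not compatible with org.freedesktop.fwupd version 1.7.9, requires >= 1.9.1
Jul 24 12:00:02 host fwupd[812]: constructed unrelated line'

# version_ge A B: succeed when dotted numeric version A >= B.
# Compared field by field so that 1.10.0 sorts above 1.9.1.
version_ge() {
    _a=$1 _b=$2
    while [ -n "$_a" ] || [ -n "$_b" ]; do
        _x=${_a%%.*} _y=${_b%%.*}
        [ "${_x:-0}" -gt "${_y:-0}" ] && return 0
        [ "${_x:-0}" -lt "${_y:-0}" ] && return 1
        case $_a in *.*) _a=${_a#*.} ;; *) _a= ;; esac
        case $_b in *.*) _b=${_b#*.} ;; *) _b= ;; esac
    done
    return 0
}

# required_versions: journal text on stdin; prints each distinct minimum
# fwupd version named in a "Not compatible" refusal.
required_versions() {
    sed -nE 's/.*Not compatible with org\.freedesktop\.fwupd version [0-9.]+, requires >= ([0-9.]+).*/\1/p' | sort -u
}

# dbx_update_blocked INSTALLED: journal text on stdin. Exit 0 (and print why)
# when INSTALLED is older than a requirement seen in the journal, else exit 1.
dbx_update_blocked() {
    required_versions | (
        blocked=1
        while read -r need; do
            if ! version_ge "$1" "$need"; then
                echo "fwupd $1 < $need: LVFS dbx releases will be refused"
                blocked=0
            fi
        done
        exit "$blocked"
    )
}

# Stand-alone run on the constructed sample.
printf '%s\n' "$SAMPLE_JOURNAL" | dbx_update_blocked 1.7.9 || true
```

On a live system the input would come from `journalctl -u fwupd.service`, the command the report uses, with the installed fwupd version passed as the argument.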