fwupd too old to get and install releases for UEFI dbx

Bug #2028548 reported by r5555
This bug affects 9 people
Affects          Status         Importance   Assigned to   Milestone
fwupd (Ubuntu)   Fix Released   Undecided    Unassigned
Focal            Triaged        Undecided    Unassigned
Jammy            Triaged        Undecided    Unassigned
Lunar            Won't Fix      Undecided    Unassigned
Mantic           Fix Released   Undecided    Unassigned

Bug Description

This issue was found on Ubuntu 22.04 LTS jammy but affects all Ubuntu releases where fwupd < 1.9.1.

When the package fwupd is installed, there is fwupd.service. According to journalctl -u fwupd.service, it can't handle releases for the UEFI dbx "device":

FuEngine failed to get releases for UEFI dbx: No releases found: Not compatible with org.freedesktop.fwupd version 1.7.9, requires >= 1.9.1

UEFI dbx is the UEFI Secure Boot Forbidden Signature Database.

Downloading the CAB from https://fwupd.org/lvfs/devices/org.linuxfoundation.dbx.x64.firmware and trying to install it with the following command doesn't work either.

$ fwupdmgr install Downloads/fc3feb015df2710fcfa07583d31b5975ee398357016699cfff067f422ab91e13-DBXUpdate-20230509-x64.cab
Decompressing… [***************************************]
Not compatible with org.freedesktop.fwupd version 1.7.9, requires >= 1.9.1

So the machine is potentially stuck on an outdated version of UEFI dbx and vulnerable to CVE-2022-21894.

See also https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033936
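A defender-side check for the failure described above, added here as an example and not part of this report or of fwupd itself: it parses the "Not compatible ..." message from journalctl -u fwupd.service, compares the running daemon version with the version the dbx release requires, and reports whether dbx updates are blocked. The sample journal line is constructed from the message quoted in the report; the version comparison assumes GNU sort -V.

```shell
#!/bin/sh
# Constructed sample journal line (wrapped in a journalctl-style prefix); not live output.
SAMPLE_LOG='Jul 25 10:00:00 host fwupd[1234]: FuEngine failed to get releases for UEFI dbx: No releases found: Not compatible with org.freedesktop.fwupd version 1.7.9, requires >= 1.9.1'

# version_ge A B: succeed when dotted version A >= B (GNU sort -V ordering, as dpkg uses).
version_ge() {
    [ "$(printf '%s\n%s\n' "$2" "$1" | sort -V | head -n1)" = "$2" ]
}

# dbx_blocker_versions LINE: print "HAVE REQUIRED" when LINE is the fwupd
# "Not compatible" message; print nothing and fail otherwise.
dbx_blocker_versions() {
    printf '%s\n' "$1" | sed -n \
        's/.*Not compatible with org\.freedesktop\.fwupd version \([0-9][0-9.]*\), requires >= \([0-9][0-9.]*\).*/\1 \2/p' \
        | grep .
}

# dbx_update_blocked LINE: succeed when LINE shows the daemon is older than the
# version the dbx release requires; fail for unrelated lines or a new-enough daemon.
dbx_update_blocked() {
    vers=$(dbx_blocker_versions "$1") || return 1
    have=${vers%% *}
    need=${vers##* }
    ! version_ge "$have" "$need"
}

# scan_journal: read journal text on stdin and report the first blocking line.
# On a real host: journalctl -u fwupd.service --no-pager | scan_journal
scan_journal() {
    while IFS= read -r line; do
        if dbx_update_blocked "$line"; then
            printf 'fwupd too old for dbx update: %s\n' "$(dbx_blocker_versions "$line")"
            return 0
        fi
    done
    printf 'no dbx compatibility failure found\n'
    return 1
}

# Stand-alone demo over the constructed sample line.
printf '%s\n' "$SAMPLE_LOG" | scan_journal
```

A machine that reports a blocking line is still running the old dbx and should be tracked until fwupd is updated to at least the required version.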

Changed in fwupd (Ubuntu Mantic):
status: New → Fix Committed
Changed in fwupd (Ubuntu Lunar):
status: New → Triaged
Changed in fwupd (Ubuntu Jammy):
status: New → Triaged
Changed in fwupd (Ubuntu Focal):
status: New → Triaged
Revision history for this message
Alan Baghumian (alanbach) wrote :

Is it possible to back-port this fix to Focal / Jammy? I understand we can manually carry a USB stick to the machine and get the updated BIOS firmware installed that way, but fwupdmgr is way more efficient :-D

Changed in fwupd (Ubuntu Mantic):
status: Fix Committed → Fix Released
Revision history for this message
Brian Murray (brian-murray) wrote :

Ubuntu 23.04 (Lunar Lobster) has reached end of life, so this bug will not be fixed for that specific release.

Changed in fwupd (Ubuntu Lunar):
status: Triaged → Won't Fix
Revision history for this message
kay (kay-diam) wrote :

When the fix is going to be released in Ubuntu Jammy 22.04?

Revision history for this message
Sameer Sharma (sameersharma2006) wrote :

I installed the snap variant and received the update, apt version doesn't provide updates but the snap one does.

`snap install fwupd`

Revision history for this message
Nicolae Crefelean (kneekoo) wrote :

Firmware updates are most of the time about security. I don't understand how this kind of software doesn't get updated in LTS releases as soon as possible. It doesn't matter how many people marked this issue as affecting them - obviously everyone not using Mantic is affected.

Where's the value of an LTS if you're vulnerable? Numbat is not even released at this time, so even the latest LTS is out of date. Please update this package for all supported LTS releases.

Revision history for this message
David Gibbs (david-midrange) wrote :

Not everyone can boot from a flash drive due to corporate restrictions.

Revision history for this message
Mario Limonciello (superm1) wrote :

I've uploaded a 1.9.16 fwupd and 0.3.18 libxmlb (build-dependency for fwupd 1.9.16) to the archive for an SRU team member to review. It should fall under https://launchpad.net/~superm1/+archive/ubuntu/uefi/+packages

I've got build logs and a diff of the uploads posted at this PPA as well:
https://launchpad.net/~superm1/+archive/ubuntu/uefi/+packages
