Launchpad.net

CVE 2020-10759

A PGP signature bypass flaw was found in fwupd (all versions), which could lead to the installation of unsigned firmware. As per upstream, a signature bypass is theoretically possible, but not practical because the Linux Vendor Firmware Service (LVFS) is either not implemented or enabled in versions of fwupd shipped with Red Hat Enterprise Linux 7 and 8. The highest threat from this vulnerability is to confidentiality and integrity.

Related bugs and status

CVE-2020-10759 (Candidate) is related to these bugs:

Bug #1858590: fwupdaa64.efi crashes on startup

		In	Importance	Status
1858590	fwupdaa64.efi crashes on startup	fwupd (Ubuntu)	Undecided	Fix Released
1858590	fwupdaa64.efi crashes on startup	fwupd (Ubuntu Focal)	Undecided	Fix Released
1858590	fwupdaa64.efi crashes on startup	fwupd (Ubuntu Bionic)	Undecided	Fix Released
1858590	fwupdaa64.efi crashes on startup	fwupd (Ubuntu Eoan)	Undecided	Fix Released
1858590	fwupdaa64.efi crashes on startup	fwupd-signed (Ubuntu)	Undecided	Fix Released
1858590	fwupdaa64.efi crashes on startup	fwupd-signed (Ubuntu Bionic)	Undecided	Fix Released
1858590	fwupdaa64.efi crashes on startup	fwupd-signed (Ubuntu Eoan)	Undecided	Fix Released
1858590	fwupdaa64.efi crashes on startup	fwupd-signed (Ubuntu Focal)	Undecided	Fix Released

Bug #1883568: Update focal fwupd to 1.3.11 point release

		In	Importance	Status
1883568	Update focal fwupd to 1.3.11 point release	fwupd (Ubuntu)	Undecided	Fix Released
1883568	Update focal fwupd to 1.3.11 point release	fwupd-signed (Ubuntu)	Undecided	Fix Released
1883568	Update focal fwupd to 1.3.11 point release	OEM Priority Project	High	Fix Released
1883568	Update focal fwupd to 1.3.11 point release	fwupd (Ubuntu Focal)	Undecided	Fix Released
1883568	Update focal fwupd to 1.3.11 point release	fwupd-signed (Ubuntu Focal)	Undecided	Fix Released

Bug #1884003: [MIR] libjcat

Summary				In	Importance	Status
	1884003	[MIR] libjcat		libjcat (Ubuntu)	Undecided	Fix Released

Bug #1884788: Update bionic to the fwupd 1.2.14 release

		In	Importance	Status
1884788	Update bionic to the fwupd 1.2.14 release	fwupd (Ubuntu)	Medium	Fix Released
1884788	Update bionic to the fwupd 1.2.14 release	fwupd (Ubuntu Bionic)	Medium	Fix Released
1884788	Update bionic to the fwupd 1.2.14 release	fwupd-signed (Ubuntu)	Medium	Fix Released
1884788	Update bionic to the fwupd 1.2.14 release	fwupd-signed (Ubuntu Bionic)	Medium	Fix Released
1884788	Update bionic to the fwupd 1.2.14 release	fwupd (Ubuntu Eoan)	Medium	Won't Fix
1884788	Update bionic to the fwupd 1.2.14 release	fwupd-signed (Ubuntu Eoan)	Medium	Won't Fix
1884788	Update bionic to the fwupd 1.2.14 release	OEM Priority Project	Medium	Fix Released

Bug #1920724: Upgrade focal/libjcat to version 0.1.3-2 and MIR it

		In	Importance	Status
1920724	Upgrade focal/libjcat to version 0.1.3-2 and MIR it	OEM Priority Project	Critical	Fix Released
1920724	Upgrade focal/libjcat to version 0.1.3-2 and MIR it	libjcat (Ubuntu)	Undecided	Fix Released
1920724	Upgrade focal/libjcat to version 0.1.3-2 and MIR it	libjcat (Ubuntu Focal)	Undecided	Fix Released

Bug #1921539: Add support for SBAT

		In	Importance	Status
1921539	Add support for SBAT	fwupd (Ubuntu)	Undecided	Fix Released
1921539	Add support for SBAT	fwupd (Ubuntu Groovy)	Undecided	Fix Released
1921539	Add support for SBAT	fwupd (Ubuntu Focal)	Undecided	Fix Released
1921539	Add support for SBAT	fwupd (Ubuntu Bionic)	Undecided	Fix Released
1921539	Add support for SBAT	fwupd (Ubuntu Hirsute)	Undecided	Fix Released
1921539	Add support for SBAT	fwupd-signed (Ubuntu)	Undecided	Fix Released
1921539	Add support for SBAT	fwupd-signed (Ubuntu Bionic)	Undecided	Fix Released
1921539	Add support for SBAT	fwupd-signed (Ubuntu Focal)	Undecided	Fix Released
1921539	Add support for SBAT	fwupd-signed (Ubuntu Groovy)	Undecided	Fix Released
1921539	Add support for SBAT	fwupd-signed (Ubuntu Hirsute)	Undecided	Fix Released
1921539	Add support for SBAT	OEM Priority Project	High	Fix Released

Bug #1921544: [bionic] fwupd 1.2.x, 1.3.x, 1.4.x: vendor-id requirement on LVFS causes failures

		In	Importance	Status
1921544	[bionic] fwupd 1.2.x, 1.3.x, 1.4.x: vendor-id requirement on LVFS causes failures	fwupd-signed (Ubuntu)	Undecided	Fix Released
1921544	[bionic] fwupd 1.2.x, 1.3.x, 1.4.x: vendor-id requirement on LVFS causes failures	fwupd-signed (Ubuntu Focal)	Undecided	Fix Released
1921544	[bionic] fwupd 1.2.x, 1.3.x, 1.4.x: vendor-id requirement on LVFS causes failures	fwupd-signed (Ubuntu Groovy)	Undecided	Fix Released
1921544	[bionic] fwupd 1.2.x, 1.3.x, 1.4.x: vendor-id requirement on LVFS causes failures	fwupd-signed (Ubuntu Bionic)	Undecided	Fix Released
1921544	[bionic] fwupd 1.2.x, 1.3.x, 1.4.x: vendor-id requirement on LVFS causes failures	fwupd (Ubuntu)	Undecided	Fix Released
1921544	[bionic] fwupd 1.2.x, 1.3.x, 1.4.x: vendor-id requirement on LVFS causes failures	fwupd (Ubuntu Bionic)	Undecided	Fix Released
1921544	[bionic] fwupd 1.2.x, 1.3.x, 1.4.x: vendor-id requirement on LVFS causes failures	fwupd (Ubuntu Focal)	Undecided	Fix Released
1921544	[bionic] fwupd 1.2.x, 1.3.x, 1.4.x: vendor-id requirement on LVFS causes failures	fwupd (Ubuntu Groovy)	Undecided	Fix Released
1921544	[bionic] fwupd 1.2.x, 1.3.x, 1.4.x: vendor-id requirement on LVFS causes failures	OEM Priority Project	Critical	Fix Released

See the

CVE page on Mitre.org for more details.

References

MISC: https://bugzilla.redha...
MISC: https://github.com/jus...