Upgrade focal/libjcat to version 0.1.3-2 and MIR it

Bug #1920724 reported by Yuan-Chen Cheng
Affects               Status        Importance  Assigned to       Milestone
OEM Priority Project  Fix Released  Critical    Yuan-Chen Cheng
libjcat (Ubuntu)      Fix Released  Undecided   Unassigned
Focal                 Fix Released  Undecided   Unassigned

Bug Description

[Impact]
Needed for fwupd 1.5.11

[Test plan]
It has a test suite and fwupd uses it, so testing fwupd tests it to some extent.

[Where problems could occur]
fwupd could break on regressions. Then again, this is a straight backport and it's fairly small.

[Original report]

Per lp:1920723, we need to upgrade focal/libjcat to version 0.1.3-2 (as in groovy/hirsute/impish) from version 0.1.0-2.

libjcat in focal is in universe, we need to MIR it.

ppa for upgrade libjcat in focal: https://launchpad.net/~ycheng-twn/+archive/ubuntu/fwupd1511

[Availability]
Yes, it's in ubuntu universe.

[Rationale]
Given lp:1920723, we need to MIR it in focal.

[Quality assurance]
[Security]
[Standards compliance]
[Maintenance]

Given it's in main in hirsute / groovy already, it's fine.

[Dependencies]

Per check, the dependency in groovy is exactly the same as in focal.

[Background information]

See details in lp:1934209

Changed in oem-priority:
assignee: nobody → Yuan-Chen Cheng (ycheng-twn)
tags: added: fwupd
description: updated
information type: Proprietary → Public
Changed in oem-priority:
status: New → In Progress
description: updated
Changed in libjcat (Ubuntu):
status: New → Fix Released
description: updated
Revision history for this message
Julian Andres Klode (juliank) wrote :

fwupd actually built fine without new libjcat, so not sure if we actually need to upgrade it. Arguably there seems to be a CVE in the old version and a couple of bug fixes that might be worthwhile anyway.

Revision history for this message
Yuan-Chen Cheng (ycheng-twn) wrote :

background:
- the CVE involved seems to be a low-impact one [1]
- we never use fwupd + jcat 0.1.0-2 in any ubuntu release. given there
  are some other changes between 0.1.0 and 0.1.3, it's harder for us
  to tell if testing coverage is good enough or not given we didn't involve
  those signing designs and processes in lvfs.

[1] https://www.cvedetails.com/cve-details.php?cve_id=CVE-2020-10759

Revision history for this message
Yuan-Chen Cheng (ycheng-twn) wrote :

Per the change history of fwupd 1.3.x in focal, we do have a change that includes CVE-2020-10759.
The logic in the CVE has been moved to jcat after fwupd 1.4.x. Given that, it seems reasonable either to SRU jcat 0.1.3 with the patch for the CVE, or to include the patch in jcat 0.1.0 in focal.

Ref: https://github.com/justinsteven/advisories/blob/master/2020_fwupd_dangling_s3_bucket_and_CVE-2020-10759_signature_verification_bypass.md
Ref: https://github.com/hughsie/libjcat/commit/839b89f

Changelog in focal/fwupd 1.3.x

fwupd (1.3.9-4ubuntu0.1) focal-security; urgency=medium

  * SECURITY UPDATE: Signature verification bypass
    - debian/patches/CVE-2020-10759.patch: validate that
      gpgme_op_verify_result() returned at least one signature in
      src/fu-keyring-gpg.c.
    - CVE-2020-10759

 -- Leonidas S. Barbosa <email address hidden> Tue, 09 Jun 2020 10:53:33 -0300
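To make the changelog entry concrete, here is an added C model of the check that the CVE-2020-10759 fix adds; it is not fwupd or libjcat code, the struct names, fields and functions are hypothetical stand-ins for gpgme's types, and the sample results are constructed.

```c
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical stand-in for gpgme's signature list: one node per signature
 * found in the verify result, NULL when the result carries no signatures. */
typedef struct verify_sig {
    bool valid;                 /* signature checked out against a trusted key */
    struct verify_sig *next;
} verify_sig_t;

/* Hypothetical stand-in for what gpgme_op_verify_result() hands back. */
typedef struct {
    int err;                    /* 0: the verify operation itself ran without error */
    const verify_sig_t *sigs;   /* may be NULL even when err == 0 */
} verify_result_t;

/* Vulnerable pattern: rejects only an operation error or an invalid signature.
 * An empty signature list contains nothing invalid, so it is accepted. */
bool verify_vulnerable(const verify_result_t *res)
{
    if (res->err != 0)
        return false;
    for (const verify_sig_t *s = res->sigs; s != NULL; s = s->next)
        if (!s->valid)
            return false;
    return true;                /* reached with zero signatures: the bypass */
}

/* Hardened pattern, mirroring the fix described in the changelog: require
 * at least one signature, and require every signature present to be valid. */
bool verify_fixed(const verify_result_t *res)
{
    if (res->err != 0 || res->sigs == NULL)
        return false;           /* no signature means nothing was verified */
    for (const verify_sig_t *s = res->sigs; s != NULL; s = s->next)
        if (!s->valid)
            return false;
    return true;
}

/* Constructed samples: no signatures, one good signature, one bad signature. */
static const verify_sig_t good_sig = { .valid = true, .next = NULL };
static const verify_sig_t bad_sig = { .valid = false, .next = NULL };
static const verify_result_t unsigned_result = { .err = 0, .sigs = NULL };
static const verify_result_t signed_result = { .err = 0, .sigs = &good_sig };
static const verify_result_t badsigned_result = { .err = 0, .sigs = &bad_sig };
```

Feeding an unsigned payload to both checks shows the difference: the vulnerable check accepts the empty result, the fixed one rejects it.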

Revision history for this message
Łukasz Zemczak (sil2100) wrote :

Ok, when I started writing this comment I actually changed my mind. So originally I thought we should just cherry-pick the fix, but seeing that we now ACTUALLY have jcat in main (probably because of fwupd?), maybe we should just backport 0.1.3-2 and get it promoted.

That being said, I think the security team needs to chip in here. Since this is a security fix, I think they are the ones deciding in the end. Could we get someone from security for this one?

That being said, how is libjcat actually used by fwupd? I tried running reverse depends on both impish and focal for jcat and saw no dependency. Will we need to have it in main? If yes, and if we backport the 0.1.3 version, we could probably just promote it into main as-is (after a quick dependency check etc.).

Revision history for this message
Yuan-Chen Cheng (ycheng-twn) wrote (last edit ):

On impish:
$ apt-cache rdepends libjcat1
libjcat1
Reverse Depends:
  ...
  fwupd
  ...

It will be similar on focal if the fwupd in the proposed channel is installed.

Revision history for this message
Alex Murray (alexmurray) wrote :

root@focal:~# reverse-depends libjcat1
Reverse-Depends
* fwupd
* gir1.2-jcat-1.0
* jcat
* libfwupd2
* libfwupdplugin1
* libjcat-dev
* libjcat-tests

I don't have a strong opinion on whether backporting just the CVE fix or doing a wholesale backport of 0.1.3-2 is the better option. It depends on how likely the 0.1.3-2 backport is to cause some regression. The CVE fix itself looks pretty self-contained in https://github.com/hughsie/libjcat/commit/839b89f, so I don't think that is likely to cause any issues itself; however, there is potentially a regression risk with sticking with libjcat 0.1.0 combined with a newer fwupd too, so either way this will need good testing to ensure the risk of regression is minimised. Given this, perhaps the better option is to just backport 0.1.3-2, as we have evidence that this works well with fwupd 1.5.11 in impish.

Changed in libjcat (Ubuntu Focal):
status: New → In Progress
Revision history for this message
Łukasz Zemczak (sil2100) wrote :

Not a big fan of the debian/changelog entry selected, but I think it'll do.

Changed in libjcat (Ubuntu Focal):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-focal
Revision history for this message
Łukasz Zemczak (sil2100) wrote : Please test proposed package

Hello Yuan-Chen, or anyone else affected,

Accepted libjcat into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/libjcat/0.1.3-2~ubuntu20.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Revision history for this message
Yuan-Chen Cheng (ycheng-twn) wrote :

Thank you, I'll follow up the verification part.

Revision history for this message
Łukasz Zemczak (sil2100) wrote :

In the meantime, since the security team is aware, I have promoted the packages in focal-proposed to main:

Override component to main
libjcat 0.1.3-2~ubuntu20.04.1 in focal: universe/misc -> main
gir1.2-jcat-1.0 0.1.3-2~ubuntu20.04.1 in focal amd64: universe/introspection/optional/100% -> main
gir1.2-jcat-1.0 0.1.3-2~ubuntu20.04.1 in focal arm64: universe/introspection/optional/100% -> main
gir1.2-jcat-1.0 0.1.3-2~ubuntu20.04.1 in focal armhf: universe/introspection/optional/100% -> main
gir1.2-jcat-1.0 0.1.3-2~ubuntu20.04.1 in focal ppc64el: universe/introspection/optional/100% -> main
gir1.2-jcat-1.0 0.1.3-2~ubuntu20.04.1 in focal riscv64: universe/introspection/optional/100% -> main
gir1.2-jcat-1.0 0.1.3-2~ubuntu20.04.1 in focal s390x: universe/introspection/optional/100% -> main
jcat 0.1.3-2~ubuntu20.04.1 in focal amd64: universe/libs/optional/100% -> main
jcat 0.1.3-2~ubuntu20.04.1 in focal arm64: universe/libs/optional/100% -> main
jcat 0.1.3-2~ubuntu20.04.1 in focal armhf: universe/libs/optional/100% -> main
jcat 0.1.3-2~ubuntu20.04.1 in focal ppc64el: universe/libs/optional/100% -> main
jcat 0.1.3-2~ubuntu20.04.1 in focal riscv64: universe/libs/optional/100% -> main
jcat 0.1.3-2~ubuntu20.04.1 in focal s390x: universe/libs/optional/100% -> main
libjcat-dev 0.1.3-2~ubuntu20.04.1 in focal amd64: universe/libdevel/optional/100% -> main
libjcat-dev 0.1.3-2~ubuntu20.04.1 in focal arm64: universe/libdevel/optional/100% -> main
libjcat-dev 0.1.3-2~ubuntu20.04.1 in focal armhf: universe/libdevel/optional/100% -> main
libjcat-dev 0.1.3-2~ubuntu20.04.1 in focal ppc64el: universe/libdevel/optional/100% -> main
libjcat-dev 0.1.3-2~ubuntu20.04.1 in focal riscv64: universe/libdevel/optional/100% -> main
libjcat-dev 0.1.3-2~ubuntu20.04.1 in focal s390x: universe/libdevel/optional/100% -> main
libjcat-tests 0.1.3-2~ubuntu20.04.1 in focal amd64: universe/libs/optional/100% -> main
libjcat-tests 0.1.3-2~ubuntu20.04.1 in focal arm64: universe/libs/optional/100% -> main
libjcat-tests 0.1.3-2~ubuntu20.04.1 in focal armhf: universe/libs/optional/100% -> main
libjcat-tests 0.1.3-2~ubuntu20.04.1 in focal ppc64el: universe/libs/optional/100% -> main
libjcat-tests 0.1.3-2~ubuntu20.04.1 in focal riscv64: universe/libs/optional/100% -> main
libjcat-tests 0.1.3-2~ubuntu20.04.1 in focal s390x: universe/libs/optional/100% -> main
libjcat1 0.1.3-2~ubuntu20.04.1 in focal amd64: universe/libs/optional/100% -> main
libjcat1 0.1.3-2~ubuntu20.04.1 in focal arm64: universe/libs/optional/100% -> main
libjcat1 0.1.3-2~ubuntu20.04.1 in focal armhf: universe/libs/optional/100% -> main
libjcat1 0.1.3-2~ubuntu20.04.1 in focal ppc64el: universe/libs/optional/100% -> main
libjcat1 0.1.3-2~ubuntu20.04.1 in focal riscv64: universe/libs/optional/100% -> main
libjcat1 0.1.3-2~ubuntu20.04.1 in focal s390x: universe/libs/optional/100% -> main
Override [y|N]? y
31 publications overridden.

Revision history for this message
Yuan-Chen Cheng (ycheng-twn) wrote :

Verified pass with fwupd 1.5.11-0ubuntu1~20.04.2 per lp:1934209.

tags: added: verification-done-focal
removed: verification-needed-focal
Changed in oem-priority:
status: In Progress → Fix Committed
tags: added: verification-done
removed: verification-needed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libjcat - 0.1.3-2~ubuntu20.04.1

---------------
libjcat (0.1.3-2~ubuntu20.04.1) focal; urgency=medium

  * no change rebuild in focal (LP: #1920724)

libjcat (0.1.3-2) unstable; urgency=medium

  * Remove unused {shlibs:Depends}

libjcat (0.1.3-1) unstable; urgency=medium

  * New upstream version.
    - Fixes CVE-2020-10759

 -- Yuan-Chen Cheng <email address hidden> Mon, 15 Mar 2021 22:34:52 +0800

Changed in libjcat (Ubuntu Focal):
status: Fix Committed → Fix Released
Revision history for this message
Łukasz Zemczak (sil2100) wrote : Update Released

The verification of the Stable Release Update for libjcat has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Changed in oem-priority:
status: Fix Committed → Fix Released