Hello community,

here is the log from the commit of package fwupd for openSUSE:Leap:15.2 checked in at 2020-06-11 16:18:12

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Leap:15.2/fwupd (Old)
 and      /work/SRC/openSUSE:Leap:15.2/.fwupd.new.3606 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "fwupd" Thu Jun 11 16:18:12 2020 rev:24 rq:813165 version:1.2.11 Changes: -------- --- /work/SRC/openSUSE:Leap:15.2/fwupd/fwupd.changes 2020-01-30 14:48:35.670844834 +0100 +++ /work/SRC/openSUSE:Leap:15.2/.fwupd.new.3606/fwupd.changes 2020-06-11 16:18:36.114836945 +0200 @@ -1,0 +2,6 @@ +Tue Jun 9 21:14:55 UTC 2020 - Michael Gorse <[email protected]> + +- Add CVE-2020-10759.patch: check for a valid gpg signature + (boo#1172643 CVE-2020-10759). + +------------------------------------------------------------------- New: ---- CVE-2020-10759.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ fwupd.spec ++++++ --- /var/tmp/diff_new_pack.vx0lph/_old 2020-06-11 16:18:36.478837887 +0200 +++ /var/tmp/diff_new_pack.vx0lph/_new 2020-06-11 16:18:36.482837898 +0200 @@ -42,6 +42,8 @@ Patch1: fwupd-bsc1130056-change-shim-path.patch # PATCH-FIX-UPSTREAM fwupd-bsc1143905-hash-the-source-files.patch bsc#1143905 Patch2: fwupd-bsc1143905-hash-the-source-files.patch +# PATCh-FIX-UPSTREAm CVE-2020-11759.patch boo#1172643 [email protected] -- check for a gpgme signature. +Patch3: CVE-2020-10759.patch BuildRequires: dejavu-fonts BuildRequires: docbook-utils-minimal ++++++ CVE-2020-10759.patch ++++++ >From 21f2d12fccef63b8aaa99ec53278ce18250b0444 Mon Sep 17 00:00:00 2001 
From: Richard Hughes <[email protected]> Date: Thu, 28 May 2020 16:42:18 +0100 Subject: [PATCH] Validate that gpgme_op_verify_result() returned at least one signature If a detached signature is actually a PGP message, gpgme_op_verify() returns the rather perplexing GPG_ERR_NO_ERROR, and then gpgme_op_verify_result() builds an empty list. Explicitly check for no signatures present to avoid returning a FuKeyringResult with no timestamp and an empty authority. Many thanks to Justin Steven <[email protected]> for the discovery and coordinated disclosure of this issue. Fixes CVE-2020-10759 --- src/fu-keyring-gpg.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/src/fu-keyring-gpg.c b/src/fu-keyring-gpg.c index f06449cf..15d6e2c3 100644 --- a/src/fu-keyring-gpg.c +++ b/src/fu-keyring-gpg.c @@ -297,6 +297,13 @@ fu_keyring_gpg_verify_data (FuKeyring *keyring, "no result record from libgpgme"); return NULL; } + if (result->signatures == NULL) { + g_set_error_literal (error, + FWUPD_ERROR, + FWUPD_ERROR_INTERNAL, + "no signatures from libgpgme"); + return NULL; + } /* look at each signature */ for (s = result->signatures; s != NULL ; s = s->next ) { -- 2.26.2
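Review bot: in the fwupd.spec hunk, the comment added above `Patch3:` reads `# PATCh-FIX-UPSTREAm CVE-2020-11759.patch boo#1172643 ...`, which neither matches the tag spelling used two lines earlier for Patch2 (`# PATCH-FIX-UPSTREAM`) nor the CVE number: the patch file, the `Patch3: CVE-2020-10759.patch` line and the fwupd.changes entry all say CVE-2020-10759. Change the comment to `# PATCH-FIX-UPSTREAM CVE-2020-10759.patch boo#1172643 CVE-2020-10759 [email protected] -- check for a gpgme signature.` so that anyone auditing which CVE this package fixes finds one consistent identifier in the spec, the changelog and the filename.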
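Review bot: the new `if (result->signatures == NULL)` guard in fu_keyring_gpg_verify_data() is the correct place for the fix, because the `for (s = result->signatures; s != NULL; s = s->next)` loop that follows would otherwise execute zero times and the function would fall through to building a FuKeyringResult from no signature at all, which is exactly the empty-authority, no-timestamp result the commit message describes. Two follow-ups: the guard reuses FWUPD_ERROR_INTERNAL like the preceding "no result record from libgpgme" check, but per the commit message the trigger is caller-supplied input (a PGP message handed in as a detached signature) rather than a library fault, so consider whether the project's signature-validation error code is the more accurate one to return, since callers and logs treat "internal" errors differently from a failed verification. Also, the change lands without a regression test; add a case that passes a PGP message instead of a detached signature to fu_keyring_gpg_verify_data() and asserts it returns NULL with an error set, so that this class of empty-result acceptance cannot silently come back.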
