Here are the other miscellaneous notes I've made so far:

- fu_keyring_setup() doesn't use gpgme_release() on gpg_set_protocol() failure
- fu_main_daemon_update_metadata() checks signature over an entire file but uses g_strndup() to copy it in memory; a file may use an embedded ASCII NUL to truncate the duplication early. There's probably no security issue here but it may be surprising.
- Hardcoded paths:
  - /etc/pki/fwupd-metadata
  - /var/cache/app-info/xmls/fwupd.xml
  - /tmp/firmware.xml.gz
  - /tmp/firmware.xml.gz.asc
- dfu encryption?
  - what problem is it solving? what is the threat model?
  - why xtea?
  - single-pass md5 is a poor KDF
Thanks

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1536871

Title:
  [MIR] fwupd

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/fwupd/+bug/1536871/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
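The embedded-NUL remark above (signature checked over the whole file, copy made with g_strndup()) is easiest to see with a small stand-alone program. The following is an added example written for this note, not fwupd code: it uses a constructed blob with a NUL in the middle, a stand-in `strndup_like()` that follows the strndup()/g_strndup() contract (copy at most n bytes, stop at the first NUL), a length-carrying copy for comparison, and the check a defender would add after verification, namely that the byte count handed to the parser equals the byte count the signature covered. All function names and the sample content are assumptions made for the example.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed sample: a blob whose every byte is covered by a detached
 * signature, but which carries an embedded NUL in the middle.
 * (Hypothetical content; not a real fwupd metadata file.) */
static const char SIGNED_BLOB[] = "<a>ok</a>\0<a>hidden</a>";
static const size_t SIGNED_LEN = sizeof(SIGNED_BLOB) - 1; /* 23 bytes */

/* Stand-in with the same contract as strndup()/g_strndup(): copies at most
 * n bytes but stops at the first NUL, so everything after it is dropped. */
static char *strndup_like(const char *s, size_t n)
{
    size_t len = 0;
    while (len < n && s[len] != '\0')
        len++;
    char *out = malloc(len + 1);
    if (out == NULL)
        return NULL;
    memcpy(out, s, len);
    out[len] = '\0';
    return out;
}

/* Length-preserving copy: the caller keeps an explicit size alongside the
 * bytes, so an embedded NUL cannot shorten what is later parsed. */
static unsigned char *memdup_with_len(const void *src, size_t n, size_t *out_len)
{
    unsigned char *out = malloc(n + 1);
    if (out == NULL)
        return NULL;
    memcpy(out, src, n);
    out[n] = '\0';            /* convenience terminator; not part of the data */
    *out_len = n;
    return out;
}

/* How many bytes of the signed blob survive a strndup-style copy. */
size_t bytes_kept_by_strndup(const char *blob, size_t blob_len)
{
    char *copy = strndup_like(blob, blob_len);
    size_t kept = copy ? strlen(copy) : 0;
    free(copy);
    return kept;
}

/* How many bytes survive a length-carrying copy. */
size_t bytes_kept_by_memdup(const char *blob, size_t blob_len)
{
    size_t kept = 0;
    unsigned char *copy = memdup_with_len(blob, blob_len, &kept);
    free(copy);
    return kept;
}

/* Check to run after signature verification: the bytes handed to the parser
 * must be exactly the bytes the signature covered. Returns 1 when the copy
 * is complete, 0 when something was silently dropped. */
int copy_matches_signed_length(size_t signed_len, size_t copied_len)
{
    return signed_len == copied_len;
}

int main(void)
{
    size_t a = bytes_kept_by_strndup(SIGNED_BLOB, SIGNED_LEN);
    size_t b = bytes_kept_by_memdup(SIGNED_BLOB, SIGNED_LEN);
    printf("signed bytes: %zu\n", SIGNED_LEN);
    printf("strndup-style copy kept: %zu (complete: %d)\n", a,
           copy_matches_signed_length(SIGNED_LEN, a));
    printf("length-carrying copy kept: %zu (complete: %d)\n", b,
           copy_matches_signed_length(SIGNED_LEN, b));
    return 0;
}
```

The point of the comparison is that the signature guarantees the integrity of 23 bytes, while the string-style copy only carries 9 of them forward; whether that matters depends on what the parser does with the remainder, which is why the note above calls it surprising rather than a vulnerability. Carrying an explicit length (or comparing it against the signed length, as `copy_matches_signed_length()` does) makes the discrepancy visible instead of silent.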
