From 92fc9560c43ba461cbfb2a6637e4a803384f5d56 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Jul 28 2020 19:09:31 +0000 Subject: import fwupd-1.4.2-2.el8 --- diff --git a/.fwupd.metadata b/.fwupd.metadata index 26e102d..1150ab3 100644 --- a/.fwupd.metadata +++ b/.fwupd.metadata @@ -1,2 +1,2 @@ -416a671623a26f425c10f01a431046f534c53518 SOURCES/fwupd-1.4.1.tar.xz +c152547682cb354b69e4e1a89b53369dd42f3e53 SOURCES/fwupd-1.4.2.tar.xz 6991b6879b438a4672e97c534d10737bc54e6f39 SOURCES/libjcat-0.1.2.tar.xz diff --git a/.gitignore b/.gitignore index e7d79e1..76f5375 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,2 @@ -SOURCES/fwupd-1.4.1.tar.xz +SOURCES/fwupd-1.4.2.tar.xz SOURCES/libjcat-0.1.2.tar.xz diff --git a/SOURCES/0001-Validate-that-gpgme_op_verify_result-returned-at-lea.patch b/SOURCES/0001-Validate-that-gpgme_op_verify_result-returned-at-lea.patch new file mode 100644 index 0000000..0b6517e --- /dev/null +++ b/SOURCES/0001-Validate-that-gpgme_op_verify_result-returned-at-lea.patch @@ -0,0 +1,114 @@ +From 839b89f45a38b2373bf5836337a33f450aaab72e Mon Sep 17 00:00:00 2001 +From: Richard Hughes +Date: Thu, 28 May 2020 10:41:23 +0100 +Subject: [PATCH] Validate that gpgme_op_verify_result() returned at least one + signature + +If a detached signature is actually a PGP message, gpgme_op_verify() returns +the rather perplexing GPG_ERR_NO_ERROR, and then gpgme_op_verify_result() +builds an empty list. + +Explicitly check for no signatures present to avoid returning a JcatResult with +no timestamp and an empty authority. + +Many thanks to Justin Steven for the discovery and +coordinated disclosure of this issue. Fixes CVE-2020-10759 +--- + libjcat/jcat-gpg-engine.c | 7 +++++ + libjcat/jcat-self-test.c | 55 +++++++++++++++++++++++++++++++++++++++ + 2 files changed, 62 insertions(+) + +diff --git libjcat/jcat-gpg-engine.c libjcat/jcat-gpg-engine.c +index 0812a62..bd44dba 100644 +--- libjcat/jcat-gpg-engine.c ++++ libjcat/jcat-gpg-engine.c +@@ -267,6 +267,13 @@ jcat_gpg_engine_pubkey_verify (JcatEngine *engine, + "no result record from libgpgme"); + return NULL; + } ++ if (result->signatures == NULL) { ++ g_set_error_literal (error, ++ G_IO_ERROR, ++ G_IO_ERROR_FAILED, ++ "no signatures from libgpgme"); ++ return NULL; ++ } + + /* look at each signature */ + for (s = result->signatures; s != NULL ; s = s->next ) { +diff --git libjcat/jcat-self-test.c libjcat/jcat-self-test.c +index d79a3a9..fd4295e 100644 +--- libjcat/jcat-self-test.c ++++ libjcat/jcat-self-test.c +@@ -393,6 +393,60 @@ jcat_gpg_engine_func (void) + #endif + } + ++static void ++jcat_gpg_engine_msg_func (void) ++{ ++#ifdef ENABLE_GPG ++ g_autofree gchar *fn = NULL; ++ g_autofree gchar *pki_dir = NULL; ++ g_autoptr(GBytes) data = NULL; ++ g_autoptr(GBytes) data_sig = NULL; ++ g_autoptr(GError) error = NULL; ++ g_autoptr(JcatContext) context = jcat_context_new (); ++ g_autoptr(JcatEngine) engine = NULL; ++ g_autoptr(JcatResult) result = NULL; ++ const gchar *sig = ++ "-----BEGIN PGP MESSAGE-----\n" ++ "owGbwMvMwMEovmZX76/pfOKMp0WSGOLOX3/ikZqTk6+jUJ5flJOiyNXJaMzCwMjB\n" ++ "ICumyCJmt5VRUil28/1+z1cwbaxMID0MXJwCMJG4RxwMLUYXDkUad34I3vrT8+X2\n" ++ "m+ZyHyMWnTiQYaQb/eLJGqbiAJc5Jr4a/PPqHNi7auwzGsKsljebabjtnJRzpDr0\n" ++ "YvwrnmmWLJUnTzjM3MH5Kn+RzqXkywsYdk9yD2OUdLy736CiemFMdcuF02lOZvPU\n" ++ "HaTKl76wW62QH8Lr8yGMQ1Xgc6nC2ZwUhvctky7NOZtc1T477uBTL81p31ZmaIUJ\n" ++ "paS8uWZl8UzX5sFsqQi37G1TbDc8Cm+oU/yRkFj2pLBzw367ncsa4n7EqEWu1yrN\n" ++ "yD39LUeErePdqfKCG+xhL6WkWt5ZJ/6//XnjouXhl5Z4tWspT49MtNp5d3aDQ43c\n" ++ "mnbresn6A7KMZgdOiwIA\n" ++ "=a9ui\n" ++ "-----END PGP MESSAGE-----\n"; ++ ++ /* set up context */ ++ jcat_context_set_keyring_path (context, "/tmp/libjcat-self-test/var"); ++ pki_dir = g_test_build_filename (G_TEST_DIST, "pki", NULL); ++ jcat_context_add_public_keys (context, pki_dir); ++ ++ /* get engine */ ++ engine = jcat_context_get_engine (context, JCAT_BLOB_KIND_GPG, &error); ++ g_assert_no_error (error); ++ g_assert_nonnull (engine); ++ g_assert_cmpint (jcat_engine_get_kind (engine), ==, JCAT_BLOB_KIND_GPG); ++ g_assert_cmpint (jcat_engine_get_verify_kind (engine), ==, JCAT_ENGINE_VERIFY_KIND_SIGNATURE); ++ ++ /* verify with GnuPG, which should fail as the signature is not a ++ * detached signature at all, but gnupg stabs us in the back by returning ++ * success from gpgme_op_verify() with an empty list of signatures */ ++ fn = g_test_build_filename (G_TEST_DIST, "colorhug", "firmware.bin", NULL); ++ data = jcat_get_contents_bytes (fn, &error); ++ g_assert_no_error (error); ++ g_assert_nonnull (data); ++ data_sig = g_bytes_new_static (sig, strlen (sig)); ++ result = jcat_engine_pubkey_verify (engine, data, data_sig, ++ JCAT_VERIFY_FLAG_NONE, &error); ++ g_assert_error (error, G_IO_ERROR, G_IO_ERROR_FAILED); ++ g_assert_null (result); ++#else ++ g_test_skip ("no GnuPG support enabled"); ++#endif ++} ++ + static void + jcat_pkcs7_engine_func (void) + { +@@ -753,6 +807,7 @@ main (int argc, char **argv) + g_test_add_func ("/jcat/engine{sha1}", jcat_sha1_engine_func); + g_test_add_func ("/jcat/engine{sha256}", jcat_sha256_engine_func); + g_test_add_func ("/jcat/engine{gpg}", jcat_gpg_engine_func); ++ g_test_add_func ("/jcat/engine{gpg-msg}", jcat_gpg_engine_msg_func); + g_test_add_func ("/jcat/engine{pkcs7}", jcat_pkcs7_engine_func); + g_test_add_func ("/jcat/engine{pkcs7-self-signed}", jcat_pkcs7_engine_self_signed_func); + g_test_add_func ("/jcat/context{verify-blob}", jcat_context_verify_blob_func); +-- +2.26.2 + diff --git a/SOURCES/0001-synaptics-prometheus-Force-the-minor-version-from-0x.patch b/SOURCES/0001-synaptics-prometheus-Force-the-minor-version-from-0x.patch new file mode 100644 index 0000000..5760044 --- /dev/null +++ b/SOURCES/0001-synaptics-prometheus-Force-the-minor-version-from-0x.patch @@ -0,0 +1,32 @@ +From d7a1eb17bef650f13e7f96430f99294c36a40806 Mon Sep 17 00:00:00 2001 +From: Vincent Huang +Date: Tue, 19 May 2020 13:09:28 +0800 +Subject: [PATCH] synaptics-prometheus: Force the minor version from 0x02 to + 0x01 to make sure the devices can be updated back to 0x01. + +--- + plugins/synaptics-prometheus/fu-synaprom-device.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git plugins/synaptics-prometheus/fu-synaprom-device.c plugins/synaptics-prometheus/fu-synaprom-device.c +index 5a19203c..299ebde2 100644 +--- a/plugins/synaptics-prometheus/fu-synaprom-device.c ++++ b/plugins/synaptics-prometheus/fu-synaprom-device.c +@@ -142,6 +142,14 @@ fu_synaprom_device_set_version (FuSynapromDevice *self, + { + g_autofree gchar *str = NULL; + ++ /* We decide to skip 10.02.xxxxxx firmware, so we force the minor version from 0x02 ++ ** to 0x01 to make the devices with 0x02 minor version firmware allow to be updated ++ ** back to minor version 0x01. */ ++ if (vmajor == 0x0a && vminor == 0x02) { ++ g_debug ("quirking vminor from %02x to 01", vminor); ++ vminor = 0x01; ++ } ++ + /* set display version */ + str = g_strdup_printf ("%02u.%02u.%u", vmajor, vminor, buildnum); + fu_device_set_version (FU_DEVICE (self), str); +-- +2.26.2 + diff --git a/SOURCES/centos-ca-secureboot.der b/SOURCES/centos-ca-secureboot.der deleted file mode 100644 index 44a2563..0000000 Binary files a/SOURCES/centos-ca-secureboot.der and /dev/null differ diff --git a/SOURCES/centossecureboot001.crt b/SOURCES/centossecureboot001.crt deleted file mode 100644 index 321c4ec..0000000 --- a/SOURCES/centossecureboot001.crt +++ /dev/null @@ -1,81 +0,0 @@ -Certificate: - Data: - Version: 3 (0x2) - Serial Number: - b6:16:15:71:72:fb:31:7e - Signature Algorithm: sha256WithRSAEncryption - Issuer: CN=CentOS Secure Boot (CA key 1)/emailAddress=security@centos.org - Validity - Not Before: Aug 1 11:47:30 2018 GMT - Not After : Dec 31 11:47:30 2037 GMT - Subject: CN=CentOS Secure Boot (key 1)/emailAddress=security@centos.org - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - RSA Public Key: (2048 bit) - Modulus (2048 bit): - 00:c1:a3:6a:f4:2d:71:83:6c:21:ca:0c:b7:ac:fa: - 76:80:43:03:40:87:5d:de:e9:1e:df:ad:e7:2b:51: - cb:f8:31:0f:9a:db:ab:23:25:04:11:05:57:7d:f2: - 4b:8d:1e:b3:75:78:1d:b9:57:8b:18:0b:bb:7e:e3: - 24:0f:6a:40:5f:2b:4f:03:a5:85:94:d2:f9:08:a0: - bc:db:a5:ea:4f:7f:e8:7c:d1:a9:f8:f0:9c:25:18: - 00:14:c4:c4:35:7d:1d:4c:8a:8d:95:f8:ed:65:97: - a5:a4:da:7d:cb:f0:33:3b:b7:03:94:68:47:05:57: - 6c:96:91:ac:14:f2:e3:f6:6d:4a:18:cf:68:8a:35: - 6f:8e:26:99:7f:db:c9:83:54:c2:c3:bf:ad:45:a0: - aa:a0:86:5f:20:b1:86:1b:ae:b7:28:15:11:f9:65: - 53:5d:70:33:9b:a3:c7:b5:c8:11:ff:55:3b:e7:46: - f1:6c:6b:8c:bb:f2:9f:36:23:b1:2d:23:2f:8f:4f: - 6c:a8:cc:ae:f5:56:9e:22:6c:0e:9a:4a:b1:bd:b2: - 76:15:5c:05:85:b8:5e:dc:8c:a5:c3:e0:75:51:a4: - 94:9b:03:2e:7b:f8:d3:b9:dd:7f:88:ce:2e:2f:28: - 4c:b4:92:2f:e6:e0:67:0a:d0:ff:c5:d2:79:a6:ef: - 94:0f - Exponent: 65537 (0x10001) - X509v3 extensions: - X509v3 Basic Constraints: critical - CA:FALSE - X509v3 Key Usage: - Digital Signature - X509v3 Subject Key Identifier: - F0:37:C6:EA:EC:36:D4:05:7A:52:6C:0E:C6:D5:A9:5B:32:4E:E1:29 - X509v3 Authority Key Identifier: - keyid:54:EC:81:85:89:3E:E9:1A:DB:08:F7:44:88:54:7E:8E:3F:74:3A:F3 - - Signature Algorithm: sha256WithRSAEncryption - 97:97:ba:a6:0b:5b:bb:84:39:2e:ef:8b:51:9a:89:bb:65:3c: - dc:15:d0:5a:88:c5:af:ce:93:f5:c1:74:98:15:59:a9:38:da: - 11:fd:46:d5:4f:23:7c:03:1f:ae:0c:70:93:94:a7:61:2f:4b: - 2f:5f:bb:cc:8a:d7:4a:24:66:73:85:b4:19:13:fc:6a:61:4a: - 28:1f:a2:38:f4:72:90:03:c4:3e:64:63:8b:fb:15:22:22:4e: - b9:43:d9:b4:3d:3a:60:c1:4d:3a:09:85:68:7a:bc:3b:f9:ef: - f3:f5:e9:c9:4f:80:8c:c6:e9:cb:ef:28:44:b0:5d:d4:9e:4f: - 0f:02:9a:65:aa:98:35:b4:6f:d2:80:e3:08:ef:12:d0:17:56: - a6:a1:42:1e:1d:ab:e5:33:c0:fd:88:0d:40:42:81:c8:27:30: - 17:07:57:3e:05:9d:aa:05:0e:5b:3a:79:b4:29:aa:7c:42:5a: - ad:43:59:fb:34:4d:dc:62:58:63:e4:fb:de:bb:fd:6c:4e:97: - 58:f4:b9:99:4a:71:fe:7f:16:50:55:25:46:39:96:9b:88:6c: - 75:19:33:9e:70:b3:04:82:fe:16:a8:8e:22:47:83:6d:16:77: - da:26:ad:31:d8:06:6d:c5:7e:46:4b:21:ab:ae:ec:2a:93:71: - da:7f:89:1d ------BEGIN CERTIFICATE----- -MIIDdTCCAl2gAwIBAgIJALYWFXFy+zF+MA0GCSqGSIb3DQEBCwUAMEwxJjAkBgNV -BAMMHUNlbnRPUyBTZWN1cmUgQm9vdCAoQ0Ega2V5IDEpMSIwIAYJKoZIhvcNAQkB -FhNzZWN1cml0eUBjZW50b3Mub3JnMB4XDTE4MDgwMTExNDczMFoXDTM3MTIzMTEx -NDczMFowSTEjMCEGA1UEAxMaQ2VudE9TIFNlY3VyZSBCb290IChrZXkgMSkxIjAg -BgkqhkiG9w0BCQEWE3NlY3VyaXR5QGNlbnRvcy5vcmcwggEiMA0GCSqGSIb3DQEB -AQUAA4IBDwAwggEKAoIBAQDBo2r0LXGDbCHKDLes+naAQwNAh13e6R7frecrUcv4 -MQ+a26sjJQQRBVd98kuNHrN1eB25V4sYC7t+4yQPakBfK08DpYWU0vkIoLzbpepP -f+h80an48JwlGAAUxMQ1fR1Mio2V+O1ll6Wk2n3L8DM7twOUaEcFV2yWkawU8uP2 -bUoYz2iKNW+OJpl/28mDVMLDv61FoKqghl8gsYYbrrcoFRH5ZVNdcDObo8e1yBH/ -VTvnRvFsa4y78p82I7EtIy+PT2yozK71Vp4ibA6aSrG9snYVXAWFuF7cjKXD4HVR -pJSbAy57+NO53X+Izi4vKEy0ki/m4GcK0P/F0nmm75QPAgMBAAGjXTBbMAwGA1Ud -EwEB/wQCMAAwCwYDVR0PBAQDAgeAMB0GA1UdDgQWBBTwN8bq7DbUBXpSbA7G1alb -Mk7hKTAfBgNVHSMEGDAWgBRU7IGFiT7pGtsI90SIVH6OP3Q68zANBgkqhkiG9w0B -AQsFAAOCAQEAl5e6pgtbu4Q5Lu+LUZqJu2U83BXQWojFr86T9cF0mBVZqTjaEf1G -1U8jfAMfrgxwk5SnYS9LL1+7zIrXSiRmc4W0GRP8amFKKB+iOPRykAPEPmRji/sV -IiJOuUPZtD06YMFNOgmFaHq8O/nv8/XpyU+AjMbpy+8oRLBd1J5PDwKaZaqYNbRv -0oDjCO8S0BdWpqFCHh2r5TPA/YgNQEKByCcwFwdXPgWdqgUOWzp5tCmqfEJarUNZ -+zRN3GJYY+T73rv9bE6XWPS5mUpx/n8WUFUlRjmWm4hsdRkznnCzBIL+FqiOIkeD -bRZ32iatMdgGbcV+Rkshq67sKpNx2n+JHQ== ------END CERTIFICATE----- diff --git a/SPECS/fwupd.spec b/SPECS/fwupd.spec index b8667d3..dffaedd 100644 --- a/SPECS/fwupd.spec +++ b/SPECS/fwupd.spec @@ -5,7 +5,6 @@ %global systemd_version 231 %global json_glib_version 1.1.1 %global __meson_wrap_mode default -%global pesign_name centossecureboot001 %global enable_tests 1 %global enable_dummy 1 @@ -32,16 +31,18 @@ Summary: Firmware update daemon Name: fwupd -Version: 1.4.1 -Release: 1%{?dist} +Version: 1.4.2 +Release: 2%{?dist} License: LGPLv2+ URL: https://github.com/fwupd/fwupd Source0: http://people.freedesktop.org/~hughsient/releases/%{name}-%{version}.tar.xz -Source1: centos-ca-secureboot.der -Source2: centossecureboot001.crt +Source1: securebootca.cer +Source2: secureboot.cer Source3: http://people.freedesktop.org/~hughsient/releases/libjcat-0.1.2.tar.xz +Patch1: 0001-synaptics-prometheus-Force-the-minor-version-from-0x.patch Patch2: 0001-Do-not-use-the-LVFS.patch +Patch3: 0001-Validate-that-gpgme_op_verify_result-returned-at-lea.patch BuildRequires: gettext BuildRequires: glib2-devel >= %{glib2_version} @@ -143,6 +144,11 @@ Data files for installed tests. mkdir -p subprojects/libjcat tar xfvs %{SOURCE3} -C subprojects/libjcat --strip-components=1 +# apply patch to subproject +cd subprojects/libjcat +%patch3 -p0 -b .gpgme-parsing +cd - + sed -ri '1s=^#!/usr/bin/(env )?python3=#!%{__python3}=' \ contrib/ci/*.py \ contrib/firmware_packager/*.py \ @@ -228,7 +234,7 @@ export RHEL_ALLOW_PYTHON2_FOR_BUILD=1 %global efiarch aa64 %endif %global fwup_efi_fn $RPM_BUILD_ROOT%{_libexecdir}/fwupd/efi/fwupd%{efiarch}.efi -%pesign -s -i %{fwup_efi_fn} -o %{fwup_efi_fn}.signed -a %{SOURCE1} -c %{SOURCE2} -n %{pesign_name} +%pesign -s -i %{fwup_efi_fn} -o %{fwup_efi_fn}.signed -a %{SOURCE1} -c %{SOURCE2} -n redhatsecureboot301 %endif mkdir -p --mode=0700 $RPM_BUILD_ROOT%{_localstatedir}/lib/fwupd/gnupg @@ -423,6 +429,15 @@ mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/cache/fwupd %endif %changelog +* Fri Jun 05 2020 Richard Hughes 1.4.2-2 +- Security fix for CVE-2020-10759 +- Resolves: #1844324 + +* Mon May 18 2020 Richard Hughes 1.4.2-1 +- New upstream release +- Backport a patch to fix the synaptics fingerprint reader update. +- Resolves: #1775277 + * Mon Apr 27 2020 Richard Hughes 1.4.1-1 - New upstream release - Resolves: #1775277