CVE-2020-10759

| Severity | High |
| Remote | Yes |
| Type | Insufficient validation |
| Description | A PGP signature verification bypass has been found in fwupd prior to 1.4.0, and in libjcat <= 0.1.2. The issue is that if a detached signature is actually a PGP message, gpgme_op_verify() returns the rather perplexing GPG_ERR_NO_ERROR, and then gpgme_op_verify_result() builds an empty list. |
| Group | Package | Affected | Fixed | Severity | Status | Ticket |
|---|---|---|---|---|---|---|
| AVG-1186 | fwupd | 0.1.2-1 | 1.4.0-1 | High | Fixed | |
| AVG-1185 | libjcat | 0.1.2-1 | 0.1.3-1 | High | Fixed | |

| Date | Advisory | Group | Package | Severity | Type |
|---|---|---|---|---|---|
| 31 Jul 2020 | ASA-202007-6 | AVG-1185 | libjcat | High | insufficient validation |

| References |
|---|
| https://github.com/hughsie/libjcat/commit/839b89f |