CVE-2020-10759 log

Severity High
Remote Yes
Type Insufficient validation
A PGP signature verification bypass has been found in fwupd prior to 1.4.0, and in libjcat <= 0.1.2. The issue is that if a detached signature is actually a PGP message, gpgme_op_verify() returns the rather perplexing GPG_ERR_NO_ERROR, and then gpgme_op_verify_result() builds an empty list.
Group Package Affected Fixed Severity Status Ticket
AVG-1186 fwupd 0.1.2-1 1.4.0-1 High Fixed
AVG-1185 libjcat 0.1.2-1 0.1.3-1 High Fixed
Date Advisory Group Package Severity Type
31 Jul 2020 ASA-202007-6 AVG-1185 libjcat High insufficient validation