CVE-2020-10759 log

Source
Severity High
Remote Yes
Type Insufficient validation
Description
A PGP signature verification bypass has been found in fwupd prior to 1.4.0, and in libjcat <= 0.1.2. The issue is that if a detached signature is actually a PGP message, gpgme_op_verify() returns the rather perplexing GPG_ERR_NO_ERROR, and then gpgme_op_verify_result() builds an empty list.
Group Package Affected Fixed Severity Status Ticket
AVG-1185 libjcat 0.1.2-1 High Vulnerable
AVG-1186 fwupd 0.1.2-1 1.4.0-1 High Fixed
References
https://github.com/hughsie/libjcat/commit/839b89f