CVE-2020-10759 - log

CVE-2020-10759 edited at 09 Jun 2020 13:10:34
Severity
- Unknown
+ High
Remote
- Unknown
+ Remote
Type
- Unknown
+ Insufficient validation
Description
+ A PGP signature verification bypass has been found in fwupd prior to 1.4.0, and in libjcat <= 0.1.2. The issue is that if a detached signature is actually a PGP message, gpgme_op_verify() returns the rather perplexing GPG_ERR_NO_ERROR, and then gpgme_op_verify_result() builds an empty list.
References
+ https://github.com/hughsie/libjcat/commit/839b89f
Notes
CVE-2020-10759 created at 09 Jun 2020 13:08:25