Bug 2108051

Summary: Problematic blobs in linux-firmware package require password and can't be scanned ( X3fw-pxe.ncf and X3fw.ncf )
Product: Red Hat Enterprise Linux 8
Reporter: Brenden Wood <bwood>
Component: linux-firmware
Assignee: Jarod Wilson <jarod>
Status: CLOSED ERRATA
QA Contact: Laura Trivelloni <ltrivell>
Severity: unspecified
Priority: unspecified
Version: 8.6
CC: dhoward, rvr
Target Milestone: rc
Keywords: Triaged
Target Release: ---
Flags: pm-rhel: mirror+
Hardware: Unspecified
OS: Unspecified
Fixed In Version: linux-firmware-20220726-110.git150864a4.el8
Last Closed: 2022-11-08 10:52:05 UTC
Type: Bug

Description Brenden Wood 2022-07-18 11:23:30 UTC
Description of problem:

I’ve run into a linux-firmware package issue that was known and resolved on RHEL 7 but has re-appeared in RHEL 8.

The relevant KCS article is here:

Scan tools require password to un-encrypt X3fw-pxe.ncf and/or X3fw.ncf from RHEL 7.0 source ISO - Red Hat Customer Portal

The RHEL 7 bug report was:

https://bugzilla.redhat.com/show_bug.cgi?id=1016595

It appears that two problematic firmware files are included in the linux-firmware package that ships with RHEL 8, and are still there as of the latest version, linux-firmware-20220210-107.git6342082c.el8.noarch.rpm:

/usr/lib/firmware/vxge/X3fw-pxe.ncf
/usr/lib/firmware/vxge/X3fw.ncf

Scan tools require a password to un-encrypt X3fw-pxe.ncf and/or X3fw.ncf. In many customer environments there are strict policies about not allowing ANY files that do not pass their scan tools. This is a big issue because the Linux kernel depends on the linux-firmware package.

If the decision was made to remove these firmware files from RHEL 7, can the same please be done for RHEL 8?

Failing that, we will need to install RHEL without linux-firmware or repackage our own linux-firmware RPM (both of which may not be supported).

Version-Release number of selected component (if applicable):
RHEL 8.6
linux-firmware-20220210-107.git6342082c.el8.noarch.rpm

How reproducible:
N/A


Steps to Reproduce:
Try to unzip X3fw-pxe.ncf and X3fw.ncf from the linux-firmware package or /usr/lib/firmware/vxge/ on a RHEL 8 system.

Actual results:
Prompts for password

Expected results:
Should unzip without requiring a password.
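
A check for the condition reported above, added here as an example and not part of the bug report or of Red Hat's tooling: it walks a firmware tree and lists ZIP members whose general-purpose flag marks them as encrypted, which is what makes a scanner stop and ask for a password. It assumes the .ncf files are ZIP archives, as the unzip step implies; the function names and the in-memory sample archive are constructed for illustration.

```python
import io
import struct
import sys
import zipfile
from pathlib import Path

ENCRYPTED = 0x1  # ZIP general-purpose flag, bit 0: member is encrypted


def encrypted_members(data: bytes) -> list[str]:
    """Return the names of encrypted members if data is a ZIP archive, else []."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [i.filename for i in zf.infolist() if i.flag_bits & ENCRYPTED]


def scan_tree(root: str) -> dict[str, list[str]]:
    """Map each file under root that holds encrypted ZIP members to their names."""
    hits = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            names = encrypted_members(path.read_bytes())
            if names:
                hits[str(path)] = names
    return hits


def constructed_sample(encrypted: bool) -> bytes:
    """Constructed test data: a one-member ZIP, optionally flagged as encrypted.
    Only the flag in the central directory is set; the payload is plain."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("firmware.bin", b"\x00" * 16)
    raw = bytearray(buf.getvalue())
    if encrypted:
        cd = raw.find(b"PK\x01\x02")  # central directory file header
        (flags,) = struct.unpack_from("<H", raw, cd + 8)
        struct.pack_into("<H", raw, cd + 8, flags | ENCRYPTED)
    return bytes(raw)


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/usr/lib/firmware"
    for path, names in scan_tree(root).items():
        print(f"{path}: encrypted members {names}")
```

The check reads only the central directory, so it needs no password and does not extract anything.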

Comment 1 Brenden Wood 2022-07-18 11:38:24 UTC
Corresponding Red Hat Support Case:

https://access.redhat.com/support/cases/#/case/03268879/

Comment 8 errata-xmlrpc 2022-11-08 10:52:05 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (linux-firmware bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:7742