A PGP signature bypass was found in fwupd, which could lead to possible installation of unsigned firmware.

As per upstream:

* For Red Hat Enterprise Linux 7: LVFS (the Linux Vendor Firmware Service, a secure portal which allows hardware vendors to upload firmware updates; the site is used by all major Linux distributions to provide metadata for clients such as fwupdmgr and GNOME Software) was never enabled there, although the PGP bypass is possible but not implementable.
* For Red Hat Enterprise Linux 8: The LVFS is disabled and never used the Amazon CDN. PGP bypass possible, but not implementable.

More information available at: https://bugzilla.redhat.com/show_bug.cgi?id=1841462
Acknowledgments: Name: Justin Steven
Created fwupd tracking bugs for this issue: Affects: fedora-all [bug 1844317]
External References: https://github.com/justinsteven/advisories/blob/master/2020_fwupd_dangling_s3_bucket_and_CVE-2020-10759_signature_verification_bypass.md
Upstream commits:
* https://github.com/fwupd/fwupd/commit/21f2d12
* https://github.com/hughsie/libjcat/commit/839b89f

This issue has been addressed in the following products:
* Red Hat Enterprise Linux 8, via RHSA-2020:4436: https://access.redhat.com/errata/RHSA-2020:4436
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-10759