ArchLinux: 202007-6: libjcat: insufficient validation

    Date 31 Jul 2020
    93
    Posted By LinuxSecurity Advisories
    The package libjcat before version 0.1.3-1 is vulnerable to insufficient validation.
    Arch Linux Security Advisory ASA-202007-6
    =========================================
    
    Severity: High
    Date    : 2020-07-31
    CVE-ID  : CVE-2020-10759
    Package : libjcat
    Type    : insufficient validation
    Remote  : Yes
    Link    : https://security.archlinux.org/AVG-1185
    
    Summary
    =======
    
    The package libjcat before version 0.1.3-1 is vulnerable to
    insufficient validation.
    
    Resolution
    ==========
    
    Upgrade to 0.1.3-1.
    
    # pacman -Syu "libjcat>=0.1.3-1"
    
    The problem has been fixed upstream in version 0.1.3.
    
    Workaround
    ==========
    
    None.
    
    Description
    ===========
    
    A PGP signature verification bypass has been found in fwupd prior to
    1.4.0, and in libjcat <= 0.1.2. The issue is that if a detached
    signature is actually a PGP message, gpgme_op_verify() returns the
    rather perplexing GPG_ERR_NO_ERROR, and then gpgme_op_verify_result()
    builds an empty list.
    
    Impact
    ======
    
    A local attacker could pass signature validation with a crafted
    message.
    
    References
    ==========
    
    https://github.com/justinsteven/advisories/blob/master/2020_fwupd_dangling_s3_bucket_and_CVE-2020-10759_signature_verification_bypass.md
    https://github.com/hughsie/libjcat/commit/839b89f
    https://security.archlinux.org/CVE-2020-10759
    

    LinuxSecurity Poll

    Are you planning to use the 1Password password manager now that it is available to Linux users?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 3 answer(s).
    /main-polls/35-are-you-planning-to-use-the-1password-password-manager-now-that-it-is-available-to-linux-users?task=poll.vote&format=json
    35
    radio
    [{"id":"122","title":"Yes","votes":"1","type":"x","order":"1","pct":25,"resources":[]},{"id":"123","title":"No ","votes":"2","type":"x","order":"2","pct":50,"resources":[]},{"id":"124","title":"Not sure at the moment","votes":"1","type":"x","order":"3","pct":25,"resources":[]}] ["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"] ["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"] 350
    bottom 200

    Advisories

    Please enable / Bitte aktiviere JavaScript!
    Veuillez activer / Por favor activa el Javascript![ ? ]

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.