A PGP signature verification bypass has been found in fwupd before 1.4.0, and in libjcat <= 0.1.2. The issue is that if a detached signature is actually a PGP message, gpgme_op_verify() returns the rather perplexing GPG_ERR_NO_ERROR, and then gpgme_op_verify_result() builds an empty list.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
redhat enterprise linux 7.0 |
||
redhat enterprise linux 8.0 |